none
Logging out "locked" accounts after a period of time RRS feed

  • Question

  • Im currently working with a College campus and we are running windows 7 enterprise on all our machines.  We are having some issues with users locking their accounts and walking away.  This would be fine except they dont come back and then we accumulate multiple users "locked" on the same machine which is starting to make the computers hang at logon and run poorly.  I was wondering if there is a way to force these locked accounts to log off based on a timer or something like that.  We would like to preserve the ability to lock the accounts for security of their accounts while they go get a print job etc it may be nice but would like to keep these computers running smoothly. I was hoping there is some group policy script we can adjust based on a inactivity timer or even a straight forward user can only be locked for 15 minutes or something like that.  Just wondering if there is anything out there that would be usefull and hopefully be easy to apply to 100+ machines.

    Tuesday, May 3, 2011 2:37 PM

Answers

  • I found this on sevenforums.com and while it references having switch user screen turned off it should also work in your environment I believe.



    win7 enterprise
     
     

    I found the answer

    You can use terminal services to remote into the locked computer. In Windows 7 click Start and type mstsc in the search box. At the top of the start menu those very smae letters will appear with an icon. Highlight it and press enter. A dialogue box opens titled, "Remote Desktop Connection." Type in the name of the computer, your credentials and eventually you are reminded that a user is currently logged in. You are asked if you want to continue because that will log them off! Hurray.
    This way you do not have to hard power down the system, which is a real time saver in our environment. Not to mention the stress it puts on the O.S. and hardware of repeated hard power downs. We have over 18,000 students on our district...that's alot of locked user accounts.


    Last edited by orourkev; 04-02-2010 at 08:48 AM.. Reason: missing information

     

    This is a link to the page I grabbed the post from:

    http://www.sevenforums.com/general-discussion/75176-unlock-computer-when-switch-user-turned-off-2.html


    Please remember to flag a post that helps you as "answer" so that it may help others with same problems.
    Thursday, May 5, 2011 10:00 PM
  • Here is an interesting alternative that I believe will definitely fit the bill. this guy runs a command line file as a service....

     

     

    In order to log out disconnected users while leaving the current user connected, copy the following script code into a .cmd file such as "LogOffUsers.cmd" and then run it as a service at midnight:

    @echo off
    for /f "tokens=1-7 delims=,: " %%a in ('query user ^| find /i "disc"') do logoff %%b
    

    The script works by using the query command to find users who are disconnected by searching the phrase "disc", then logging them out.

    If you wanted the script to instead run continuously as a service, logging out users when they had been disconnected/inactive for a certain period of time, you would instead use:

    @echo off
    :Top
    for /f "tokens=1-7 delims=,: " %%a in ('query user ^| find /i "disc"') do if %%d GTR 32 (logoff %%b) else %%e GTR 32 (logoff %%b)
    choice /T 120 /C 1 /D 1 /N
    goto top
    

    This script uses the same query command, but additionally checks the "IDLE TIME" portion of the results, logging the user off if idle time is greater than 32 ( "GTR 32" ). That phrase occurs twice because the "IDLE TIME" token can occur two slightly different positions. Then the line beginning with "choice" waits 2 minutes before performing the operation again by looping to the beginning. You can increase or decrease the "32" value according to your needs.

    Found here.

     

    This is link to page I found post on: http://superuser.com/questions/269574/automatic-windows-logout

     

     


    Please remember to flag a post that helps you as "answer" so that it may help others with same problems.
    Thursday, May 5, 2011 10:24 PM

All replies

  • Try this

    http://maximumpcguides.com/windows-vista/use-the-remote-shutdown-tool-to-shutdown-restart-or-logoff-a-local-or-networked-computer/

    Hope this is helpful

    Wednesday, May 4, 2011 11:55 AM
  • The issue with this is were looking for something automatted since we have at least 100 machines to apply this to and would need it to log these users out based on idle time. The problem with just a strait inactivity timer is that another user may walk up to this computer and log in which would in fact reset this timer and leave the first user still logged in.  We need a way to apply this kind of script to "locked" accounts so that after 15 minutes of being locked the computer would automatically log that user off regardless of any other users maybe loged in at the time.  The main issue we have is durring the day these computers are constantly being used but not by the same user so we get one user loging in printing their documents or whatever they need then they either lock or just simply walk away. Then the next user walks up and selects switch user and logs in and this can happen multiple times durring a day so I sometimes see computers with 3 users locked and no1 is in front of the computer at the time.  For us to walk through or even remotely touch these machines to either unlock or restart these machines durring the day would be an absolute nightmare.  If we disable user switching then the 2nd user would need an administrator to either unlock the account or restart the computer every time someone locks it.  We have also looked into the winexit script which doesnt really work with win 7 anyways but doesnt look like it works well with locked users its made for users that are currently logged in. We havent tested the winexit script but from the information I have read has all said it doesnt work or works poorly with locked user accounts so even if we get it working with win7 it doesnt sound like it will do what we want anyway.
    Thursday, May 5, 2011 9:08 PM
  • I found this on sevenforums.com and while it references having switch user screen turned off it should also work in your environment I believe.



    win7 enterprise
     
     

    I found the answer

    You can use terminal services to remote into the locked computer. In Windows 7 click Start and type mstsc in the search box. At the top of the start menu those very smae letters will appear with an icon. Highlight it and press enter. A dialogue box opens titled, "Remote Desktop Connection." Type in the name of the computer, your credentials and eventually you are reminded that a user is currently logged in. You are asked if you want to continue because that will log them off! Hurray.
    This way you do not have to hard power down the system, which is a real time saver in our environment. Not to mention the stress it puts on the O.S. and hardware of repeated hard power downs. We have over 18,000 students on our district...that's alot of locked user accounts.


    Last edited by orourkev; 04-02-2010 at 08:48 AM.. Reason: missing information

     

    This is a link to the page I grabbed the post from:

    http://www.sevenforums.com/general-discussion/75176-unlock-computer-when-switch-user-turned-off-2.html


    Please remember to flag a post that helps you as "answer" so that it may help others with same problems.
    Thursday, May 5, 2011 10:00 PM
  • I wonder if something like what you want can be setup in task scheduler... if PC locked XX number of minutes log user off, is that even doable?

    Please remember to flag a post that helps you as "answer" so that it may help others with same problems.
    Thursday, May 5, 2011 10:09 PM
  • Here is an interesting alternative that I believe will definitely fit the bill. this guy runs a command line file as a service....

     

     

    In order to log out disconnected users while leaving the current user connected, copy the following script code into a .cmd file such as "LogOffUsers.cmd" and then run it as a service at midnight:

    @echo off
    for /f "tokens=1-7 delims=,: " %%a in ('query user ^| find /i "disc"') do logoff %%b
    

    The script works by using the query command to find users who are disconnected by searching the phrase "disc", then logging them out.

    If you wanted the script to instead run continuously as a service, logging out users when they had been disconnected/inactive for a certain period of time, you would instead use:

    @echo off
    :Top
    for /f "tokens=1-7 delims=,: " %%a in ('query user ^| find /i "disc"') do if %%d GTR 32 (logoff %%b) else %%e GTR 32 (logoff %%b)
    choice /T 120 /C 1 /D 1 /N
    goto top
    

    This script uses the same query command, but additionally checks the "IDLE TIME" portion of the results, logging the user off if idle time is greater than 32 ( "GTR 32" ). That phrase occurs twice because the "IDLE TIME" token can occur two slightly different positions. Then the line beginning with "choice" waits 2 minutes before performing the operation again by looping to the beginning. You can increase or decrease the "32" value according to your needs.

    Found here.

     

    This is link to page I found post on: http://superuser.com/questions/269574/automatic-windows-logout

     

     


    Please remember to flag a post that helps you as "answer" so that it may help others with same problems.
    Thursday, May 5, 2011 10:24 PM
  • I assume your on an Active Directory domain and all the users are domain users. I would approach it from the user perspective, not the machine, maybe this will work for you:

    For each user, follow these steps:

    1. Goto Active Directory Users and Computers

    2. Find the User you wish to enable auto logoff, right click the user object and choose "Properties"

    3. Goto the "Sessions" tab of the user object

    4. Configure the items as you need. I would recommend these settings for this type of environment:

    "End a disconnected session:" = "15 Minutes"

    "Active session limit:" = "Never"

    "Idle session limit:" = "15 Minutes"

    "When a session limit is reached or connection is broken:" = "End session"

    I belive a "locked" pc is considered a disconnected session, so that maybe the only thing you need. The "Idle session limit" would be good for those who forget to lock the computer, after 15 minutes Idle, it will log them off. Logoff is the same as "end session".

    I'm sure you could script the changes using powershell for a list of users, let me know if you need some help creating a script like that.

    -Ben

    • Proposed as answer by peacepenguin Tuesday, May 10, 2011 10:34 PM
    Tuesday, May 10, 2011 10:31 PM
  • This is only valid for Remote Desktop Services sessions, not locally logged on sessions, which is what the OP is asking about.
    Friday, October 14, 2011 3:12 PM