I am looking for a way to force a user to logoff of Windows. This is in a Active Directory environment. I know there is an AD attribute "force-logoff" that you can access using ADSI edit, but I do not know exactly how to use it, or should say how to modify the user's LDAP path, to include this attribute, or how to pass parameters to the force-logoff attribute, such as time.
I would like to accomplish this within the confines of Windows 2000 and the Support Tools via Active Directory.
Any ideas?
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
You can use the "winexit.scr" screen saver from the windows 2000 res kit. This file is also availble for download from many internet sites. Set this screen saver for all your users using policy.
see this article, it is for winxp but also works for 2k
http://support.microsoft.c
To force immediate effect use this : (probably add this in task scheduler on the server)
http://support.microsoft.c
try this:
You can run these parameters from the cmd line or as a shortcut, which will open the command line. type in "shutdown /?" to know all of the parameters. in these examples:
-t0 is for timeout length
-s, -r, and -l is what you want done (stutdown, restart, and logoff respectively)
You can also pinpoint a remote computer. just use the "shutdown /?" cmd line to get the correct cmd line for remote computers.
THE FOLLOWING PARAMETERS TO DO THE OPTION ON YOUR OWN COMPUTER (I HAVE THESE AS SHORTCUTS ON MY DESKTOP) NOTE THAT YOU CAN TAKE AWAY "%windir%\System32\" when typing this in at the cmd prompt
**Shutdown**
%windir%\System32\shutdown
**Restart**
%windir%\System32\shutdown
**Logoff**
%windir%\System32\shutdown
**Fast User Switching, aka Lock Computer**
%windir%\System32\rundll32
Did you guys see my reply right after my first post. I already figured out how to accomplish what I wanted using the shutdown command line program. I would like to know how to do this without out using a script however.
This was done in NT by checking an option under account policy that said "Force Logoff when time restrictions are enforced" However, I can not find where to do this in 2000. Also, I don't know if this helps or not, but there is a CN in Active Directory called CN=Force-Logoff, but, like I said, I am not sure how to edit this or tie it to a particular user.
In either the local policy of a machine, or the GPO for the domain or OU in which the machine is located:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
There are two options:
"Automatically log off users when logon time expires"
This option affects all machines in the domain for a GPO. It is disabled by default, which allows an established client session to be maintained after the client's logon hours have expired. Enable it for your requirements.
"Automatically log off users when logon time expires (local)"
This policy should only be defined in a local security policy of a machine - only place it affects. It is enabled by default.
Logon hours are defined in the user account.
put the script in the target field of a shortcut and put it on your desktop or something. there, no script! just a shortcut. You could make a folder on your desktop and label the shortcuts for each user. of course, this would be time consuming if you have a lot of users, but i would just use the cmd line. if this is an active directory environment and you are the administrator, you should be using cmd lines constantly anyway...
nexusnation - if you are referring to my solution, with all due respect, you are incorrect. This applies to the "Logon Hours" defined in a user account. Logon hours refer to days of the week and hours of the day. Not the amount of time someone has been logged on.
In other words, if scmiles wants to log users off at 9PM every night and keep them off until 4AM, he sets up these hours in the user account and these policies to ensure they are forced off their computer (local) and network resources during the given time.
scmiles was looking for the win2k equivalent of what he was using on NT.
In either the local policy of a machine, or the GPO for the domain or OU in which the machine is located:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
There are two options:
"Automatically log off users when logon time expires"
This option affects all machines in the domain for a GPO. It is disabled by default, which allows an established client session to be maintained after the client's logon hours have expired. Enable it for your requirements.
"Automatically log off users when logon time expires (local)"
This policy should only be defined in a local security policy of a machine - only place it affects. It is enabled by default.
Logon hours are defined in the user account.
I've tried this and it doesn't work?????? I've created a test OU with a test GPO for one machine... I logon to the user with the set logon time.. and when the time comes to logoff the user nothing happens.... is it suppose to log the user off?????
Any body ever address Yolanda-Obenour comment. I have done exactly the same thing with the same failed results. The Screen saver option is NOT and option. Users want their own screen savers. This should be a simple policy definition BUT it doesn't appear to work.
I do not find and option called "Automatically log off users when logon time expires" under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. There are 2 options and they are "Network Security:Force logoff when logon hours expire" and "Microsoft Network Server: Disconnect clients with logon hours expire". I have selected both options, refreshed the policy, rebooted the computer and anything else in order to ensure that the policy is forced unto the local system. Still the logoff fails. Now if I log the user off and then try to log them on again while the restriction is in affect, they get a message stating "Your account has time restrictions that prevent you from logging on at this time. Please try again later."
Why is this not working as adverstised? Am I misunderstanding something here??????????????????????
Business Accounts
Answer for Membership
by: scmilesPosted on 2003-01-04 at 12:08:43ID: 7669057
I have accomplished my goal by using the shutdown command line program to shutdown the machine used by the user I want to logoff, and then Active Directory's Time restriction limits kick in dis-allowing the user to logon. Still, I believe there should be a way to pull this off without using a script. So the question still stands.