LifeIsPain
asked on
Logout a user if user does not re-authentificate himself after set time
First of all, all of the following takes place in a Windows 2000 computer lab, with one Windows 2000 Server Computer using a single domain, with all of Active Directory enabled. Only one other machine is in question here, a single Windows 2000 Professional Machine that will log into the domain to validate the username.
I am looking for a way to periodically ask the user of a computer to reenter his/her password so that I know the same user is using the machine. I administer a Computer lab for a University, and the lab workers each have an account on the main machine, but I have found that many of them will not log out of their account when their shift is over. When the user leaves, the next one will continue without logging in as himself (out of laziness as far as I can tell). The result of this is that the same account will be used for long periods of time.
I know that you can set Windows 2000 to specify login times for the computer on a user/group basis, but this is not what I am going after. Each of the lab workers will be logged in for a different amount of time (some for only an hour, others at 4:30), so I don't want to just automatically log out the user after an hour, but if the user is no longer there, I do not want the next user to continue using an account that is not theirs. The computer will most likely continue to be active this entire time, so as far as I can tell a periodic check is needed (but I could be mistaken).
Also, there are not set work hours, as substitutions may be made, so I don't want to restrict hours based on when the user has signed up.
I am looking for a way to periodically ask the user of a computer to reenter his/her password so that I know the same user is using the machine. I administer a Computer lab for a University, and the lab workers each have an account on the main machine, but I have found that many of them will not log out of their account when their shift is over. When the user leaves, the next one will continue without logging in as himself (out of laziness as far as I can tell). The result of this is that the same account will be used for long periods of time.
I know that you can set Windows 2000 to specify login times for the computer on a user/group basis, but this is not what I am going after. Each of the lab workers will be logged in for a different amount of time (some for only an hour, others at 4:30), so I don't want to just automatically log out the user after an hour, but if the user is no longer there, I do not want the next user to continue using an account that is not theirs. The computer will most likely continue to be active this entire time, so as far as I can tell a periodic check is needed (but I could be mistaken).
Also, there are not set work hours, as substitutions may be made, so I don't want to restrict hours based on when the user has signed up.
ocon827679
Getting people to log off is a nightmare. Maybe you could try to make everyone's life miserable by enabling the screen saver after 10 minutes or so and selecting to enable the password protection. This way if the workstation is left alone for 10 minutes the screen saver will kick in and the next guy can't get into the workstation unless he knows the previous users password. As admin you can always log the person off. I guess this way you will force the guy coming in to jump all over the first person for not logging out. Of course, this can also come back to bite you in the ass, but you have to change peoples behaviour if you don't want to use the built-in utilities.
ASKER
I thought about doing the screensaver, but as mentioned, there is always someone on that computer, so it never hits the 10 minute mark, and I would be yelled at like nothing else if I set it to a 2 minute time out (because of helping the users of the lab). Not to mention that the lab is pretty well secluded from the rest of the IT department, so it isn't very easy to get someone over to let the next lab worker use the computer (not to mention that this is also the machine the workers use to clock in on because of the software).
___
As a side note, I know at some multi-user locations, the users learn to log out on their own because if they don't, they will have "resigned" from their position due to an "affair" with the bosses spouse. :)
___
As a side note, I know at some multi-user locations, the users learn to log out on their own because if they don't, they will have "resigned" from their position due to an "affair" with the bosses spouse. :)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Ok, I took the advice of MSGeek and used task scheduler, but I used it a bit differently. Every 15 minutes, the computer locks up, if the user wants it to or not. After 10 minutes of idle time, the computer logs out. So the result of this is that the computer will be unusable for 10 minutes after it locks up (if the user isn't there). I have had one of the workers complain about this louder than the others, but he is only the 6th person or so to work at that comp.
So I am using two tasks, one for locking, the other for logging out. (shutdown.exe is in the Windows 2000 Resource Kit, or there are freeware versions people have made as well). This seems to work well, except that trying a password after 9 minutes resets the timmer for idle. So this would work even better if I could set a max time the computer stays locked, say 4 minutes, and then it will auto-log out after this, instead of by idle.
But I am testing this theory out real quick, and then points will be awarded after a conclusion can be made on if this works.
So I am using two tasks, one for locking, the other for logging out. (shutdown.exe is in the Windows 2000 Resource Kit, or there are freeware versions people have made as well). This seems to work well, except that trying a password after 9 minutes resets the timmer for idle. So this would work even better if I could set a max time the computer stays locked, say 4 minutes, and then it will auto-log out after this, instead of by idle.
But I am testing this theory out real quick, and then points will be awarded after a conclusion can be made on if this works.
ASKER
Also, I should say that we do have an AUP, but the changes happened after the AUP was released, so it is hard to call them on anything as firm as an AUP, even if it was in the meetings and written notices.
Two stones are better than one, but what a pain; every 15 minutes. I would think you could offer to do away with the feature after they have learned their lesson. I would have to believe your AUP addresses using another users account. If you cannot hold them to something as simple as that what good is the AUP? On a more serious note what if a user logged in as another user commits a crime, how are you going to nail down the correct user? It may be funny, but it's not when the FBI and Secret Service are standing there because a threat was made to the president.
ASKER
The question is still open. Setting a log out on idle time wasn't working, as different events were regestering as input, and so the users would get locked out and not be able to get in. (As in if they gt locked out, they would try their own password instead of waiting for the account to log out, thus keeping the computer from being idle.) So anyway, the time for an idle log out didn't happen at times.
Ok, I think for about $10 at Radio Shack you can get a timer that goes up to 60 minutes with an outlet connected. Connect the PC to that and it will power off every hour. Win2k may not tolerate that as much as XP would, but sounds like your last resort. Perhaps you could also build a keyboard that has an electrical charge that increases over time, then it resets to zero at logout?
LifeIsPain:
This old question needs to be finalized -- accept an answer, split points, or get a refund. For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations! No comment means you don't care.
This old question needs to be finalized -- accept an answer, split points, or get a refund. For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations! No comment means you don't care.
ASKER
I accepted MSGeek's first answer, as it was the most applicable solution for my problem (just to finalize it). This does not mean it does everything I wanted, but it gave me the right direction to look in. The best solution would be to write a custom ap that locks up the screen after 15 minutes (or whatever) and will stay locked until the correct password is used (I read how to check a password with a login password somewhere, so it is doable) and if the correct password isn't used after a set time, it logs out the user. If someone does write the program and pastes it here, that still would be appreceated.
But as this is 11 days after Cleanup was asked for, here it is.
But as this is 11 days after Cleanup was asked for, here it is.
LifeIsPain.. thanks for the points, glad it was of some help. MSGeek.