Windows 2000 AD Group Policy - "Auto Logoff" Not working

itly09 asked
Last Modified: 2012-06-21
I have a Windows 2000 domain running AD. I have several policies set up and they are working great. I am having a problem with one. I am trying to force users to log off after a certain amount of time. Everyone has tried helping and no one can figure out why. I set the amount of idle time to a few minutes just to test the policy. I also enabled "automatically log off users when idle time expires" and configured "logon hours". I have also set up the policies at night time, so that by morning (9hrs), I am sure that the policy has taken place. I've tried different OUs, I've run the secedit command several times. I don't want to use the winexit screen saver that some people recommend (which defeats the whole purpose of using Windows Group Policies). I would appreciate it if anyone has an answer to this. Is there a certain trick to this? It shouldn't be that hard (considering my unix system takes all of 11 seconds to configure "auto log off"). Thanks

Commented:
Double check your Permissions settings for the GPO and ensure it is set for read and also apply for the associated users.
Try a refreshuserpolicy.

gl
CHAD
CERTIFIED EXPERT
Top Expert 2005

Commented:
Provide the path to the policy elements you enabled.  I will have a look.

My feeling is that Automatically log off....is actually Automatically disconnect...

From what I remember there is no timer to log off users except when their logon time (hours) have expired.

Advise.
itly09,

You might find this useful. Although it isn't managed via GPO, you can deploy it using a GPO.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q314999

-------------
Netman66, go here when you get a moment and give us your feedback! https://www.experts-exchange.com/Community_Support/New_Topics/Q_20878932.html Thanks!
kabaam, I hit you up on another question, but in case you didn't get to it yet, take a moment and go to the link above as well. Cheers!
-------------
itly09,

Actually, this may be more of what you are looking for. Review the steps mentioned by Fatal_Exception in this post to make sure you are nailing it just right. https://www.experts-exchange.com/Operating_Systems/Win2000/Q_20860048.html

Hope this helps!

Author

Commented:
KingHollis,
The WinExit is not a bad idea, I tried this locally and it works fine. Then I attempted to push it out with a GP, but here's where the problem is. I send this out to all the clients to use this screen saver, it begins to take the policy but because the users on the client machines do not have administrative rights, it does not allow them to install the new screen saver, and gives me a registry permission error. I have over 120 computers, this wouldn't be fun installing it individually. Thanks again for your help
itly09,

Understood. There may be a way around that.... I'll check it out.
How about the second post I presented? I think this may be a far simpler solution. Did you give it a shot yet?

Author

Commented:
KingHollis,

Ok, I tried your second posted comment, regarding group policy from fatal_exception, which is what I originally wanted to do (and still wish I could). But something strange goes on. On the DC, when I set the time to 60 using command prompt (net accounts /forcelogoff:60), it works fine, but when I run the "net accounts" command 5 minutes later to view the settings, the time gets changed and set back to 0, which as you know, is the same as turning it off. Hopefully this helps lead you to something else, 'cause I sure can't figure it out, =P, thanks again!
Fatal_ExceptionSystems Engineer
Top Expert 2005

Commented:
Gotta love the tough ones...!!  First, I assume the policy you are trying to push is the Amount of Idle Time Required before disconnecting session Policy..??

Is this being applied at the Domain level, or in a downlevel GPO..??  Remember that policies are applied in this order...  Local > Global > Domain > Container etc..   If you have a conflicting GPO that is being applied after the one you configured, it will take precedence unless it is configured to Block Policy inheritance....

Just a thought...
Fatal_ExceptionSystems Engineer
Top Expert 2005

Commented:
Hmm...  that would not be the policy you are referring to..  it deals with disconnecting an SMB session...  so which one are you trying to implement...??

FE
FE, welcome! Thanks for coming on such short notice! <smile!>

I think there was a post shivsa provided in the link above in my second post. In that Q he provided a solution but I can't wrap my mind around what actually occurred, but you said you had it working before and someone else echoed that. Hence my calling in the big guns!

I'm looking at the information that itly09 is providing in the last post and now I'm thinking he's mixing solutions...
Fatal_ExceptionSystems Engineer
Top Expert 2005

Commented:
I would like to see the results of the 'net accounts' command...  this might reveal something here...    From the above link:

1. Open a CMD prompt.
2. Type:   net accounts /forcelogoff:<minutes> /domain

where <minutes> is the number of minutes after the log on time expires that a user will be forced off. The user will receive a warning message <minutes> before the forced log off.

NOTE: The default setting for the /forcelogoff switch is no. When no is set, forced logoff is prevented. To see the current setting, open a CMD prompt and type net accounts. If this returns:

Force user logoff how long after time expires?: Never

...then forced logoff is prevented. I would NOT set <minutes> to 0.


And you know it is a pleasure helping out in these tough ones...  I am honored to be invited..  :)

FE
Okay, here's my take on this:

/forcelogoff:{Minutes | no}
Sets the number of minutes to wait before ending a user's session with a server when the user account or valid logon time expires. The default value, no, prevents users from being forced to log off.

It would appear from the Help and Support Center that this forced logoff is designed to provide the administrator with a means of logging off users forcibly when their logon time has expired. So, for instance, if you have set the logon hours for a user from 9-5pm, with this command set to "no", at 5pm if the user is still logged on, he will not be forced off. But, if you set a time in minutes-- say 15-- then at 5:15 the user is kicked off.

If this is the case, as I think it is, then this doesn't address the scenario itly09 is trying to achieve.

I think maybe we are off track with this one--net accounts is not our solution.

If a solution using GPO exists, it was accepted in shivsa's post.
Problem is, I can't find the path within the GPO that shivsa posted.
Fatal_ExceptionSystems Engineer
Top Expert 2005

Commented:
Ok..  I reread the thread and think I am on the same page now...  I do not think there is a way to 'automatically' force a logoff.   You can enforce logon hours, use the lock feature and the screensaver, and disconnect a SMB session, but MS left the logoff feature out.   Guess they did not want someone losing their data without saving it, eh..??

I will continue to think on this, and will post back if I find something, but I really doubt that it can be done using a GPO...

FE

Author

Commented:
Ok, first off, I want to thank you guys for helping out so much, I'm pretty new to this. Ok, in KingHollis's last comment you gave a scenario of logon hours being 9-5pm, then kick them off at 5:15, THIS IS EXACTLY WHAT I'M TRYING TO DO ! =)

OK, if I run net accounts /forcelogoff:60 /domain, then type in the "net accounts" command, the number of minutes says 60, which I set it to. But here's the strange part, when I run the "net accounts" command 10 minutes later, the minutes get set to 0. ????? I think Microsoft just seems to have some problems with telling you things work as stated and they really don't, then again (that's Bill for you) well anyway, I figured I hit a dead end with the "automatically logoff" feature, so I'm assuming it cannot be done, but would love to hear some more input from you guys. Also, what is your opinion on the "winexit.scr"? I tried implementing this through a GPO as a test on 1 machine, and as I stated earlier, it becomes a problem when the client machine does not have administrative privileges. Thank you again for all your time, hopefully we can get somewhere. Thanks =)
Fatal_ExceptionSystems Engineer
Top Expert 2005

Commented:
Actually, I don't have any experience with this specific app, so I am hesitant to give you advice...  :)

I believe the force logoff is only for logging off from a SMB session..  not to logoff from the client...  that is where I was getting messed up...  Sorry for the confusion..  this is the same thing as terminating a persistent connection..  For instance, this is the 2K/XP registry fix for this (the GPO configures this when enabled):

http://www.winguides.com/registry/display.php/194/

I will await another expert's opinion on winexit.scr..........

FE

Author

Commented:
Ok, that's perfect, this will work, but one small favor to ask, how do I do this?
You are the man, FE!
One small glitch with using WinExit is that the settings appear to be configured from machine to machine unless we choose the screen saver to be used through GPO, but even then, I think you can only say that everyone must use X screen saver but not then configure the settings of WinExit.

With setting the permissions on the registry key, you can do that via GPO, but I'm not sure what permission it requires for Everyone to have and I don't know that you want to set Everyone with any real permissions on your network on that particular registry key. At the very least, I think we should consider setting it to Authenticated Users. What d'ya think?
Fatal_ExceptionSystems Engineer
Top Expert 2005

Commented:
Sounds like a winner to me KH...  logic sometimes prevails...  :)

Author

Commented:
Ok, so this sounds like the right plan, but Here goes... I never made changes to registry using GPO, do you think you could point me in the right direction, as far as the path etc. (i.e. "Domain Security Policy" > Registry.....) Thank you

Navigate to Computer Configuration>Windows Settings>Security Settings> then right-click on Registry and select Add Key.
Navigate to the key FE gave you and Add Authenticated Users for your domain and give them Full control [I hate the way that sounds!!].
As a reminder, this is the key FE suggested: HKEY_Local_Machine\Software\Microsoft\WindowsNT\CurrentVersion

My concern still is that you will now have to manually configure WinExit on each machine, i.e. the time out period and the message....
Also, you may want to add this GPO to the OUs instead of the domain, else this will be applied to every computer on the domain as opposed to just the client machines.
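
The registry permission change discussed above gives every authenticated account write access under an HKLM key, so it is worth checking what the GPO actually left on the ACL. This PowerShell audit is an added example, not code from the thread; the default key path (with the space in "Windows NT") and the list of broad groups are assumptions.

```powershell
# Added example (not from the thread): list write-capable ACEs that broad
# groups hold on a registry key.
# Assumption: default key path; the thread writes "WindowsNT", the key on a
# real system is "Windows NT". Pass -KeyPath to audit a different key.
param(
    [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
)

# Well-known SIDs of groups that contain ordinary domain users.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that allow changing values, creating or deleting keys, or rewriting
# the ACL, plus the raw GENERIC_ALL / GENERIC_WRITE bits seen on inherit-only ACEs.
$specific  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$writeMask = [int]$specific -bor 0x10000000 -bor 0x40000000

function Get-BroadWriteAce {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Ask for SIDs so the match does not depend on localized group names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $sid = $rule.IdentityReference.Value
        if (-not $broadSids.ContainsKey($sid)) { continue }
        if (([int]$rule.RegistryRights -band $writeMask) -ne 0) {
            [pscustomobject]@{
                Key       = $Path
                Principal = $broadSids[$sid]
                Rights    = $rule.RegistryRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

$findings = @(Get-BroadWriteAce -Path $KeyPath)
if ($findings.Count -eq 0) {
    Write-Output "No write-capable ACEs for broad groups on $KeyPath"
} else {
    $findings | Format-Table -AutoSize
}
```

An `Inherited` value of `False` marks an ACE set directly on the key, which is what a GPO registry security entry produces.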
Fatal_ExceptionSystems Engineer
Top Expert 2005

Commented:
Ooooo..  this is getting exciting..  can't wait to find out how the ending goes...  :)
Hmmm.... looks like it already ended??

Author

Commented:
It worked !#$%^&*!!!!!!!!! OK OK So not a big deal to change the message on the individual clients because my task here is simply to log off those damn users at night when they forget. So basically, I can set the idle time for like 90 minutes, and if they leave and forget to log off, JIMBO IS A HAPPY MAN =) Hey guys, I appreciate all the help you have given me, thanks a million !!!
Fatal_ExceptionSystems Engineer
Top Expert 2005

Commented:
hahahha....   Now you are the expert here..  we now know who to come to when we need advice with auto logoffs...  :)

Actually, this was a fun thread..  Hope to see you back soon..  (no problems of course..  hehe)

and thanks..

FE
Thanks for coming out to play, FE.
See you on the next one.

Good luck itly09.
Fatal_ExceptionSystems Engineer
Top Expert 2005

Commented:
Ohh...  KingHollis...  you put into this thread as much as I did..  go here for a share of the points...

https://www.experts-exchange.com/Operating_Systems/Win2000/Q_20881271.html

FE
Hey, you know how we do it! I love this collaborative spirit! For some reason, it seems easier to work through this stuff when you can bounce it around with others. 'tis always a pleasure to work with the likes of you, FE!
Cheers!
Fatal_ExceptionSystems Engineer
Top Expert 2005

Commented:
Absolutely...  these are the kinds of threads that I really enjoy...  don't forget to go get your points. KH...

Author

Commented:
P.S. Sorry, I wasn't aware that you could spread the points out among a few people, otherwise it was a team effort. Thanks again =)
Don't sweat it itly09!

Commented:
Reading through this thread reminds me of that favorite ole tv show 'the waltons'.... such a loving family.

;-)
Hey, you're part of this sappy family, Jim Bob, er, uh, kabaam!