• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 555
  • Last Modified:

How to create logoff policy in Group Policy Management

I'm trying to create a logoff policy as described here...
However I am using the SBS 2003 Group Policy Management Console and the instructions for Windows 2000 don't seem relevant.
Where do I drill down in the GPMC in order to find and edit the logoff script?
1 Solution
1.If you want to do it by number of inactivity hours, then you must use the WinExit.scr Screen Saver... which CAN be configured by Group Policy.  http:Q_21566165.html

2.Here's another reference which is more specific to SBS:  http://msmvps.com/blogs/kwsupport/archive/2004/09/01/12709.aspx

3.to be a bit more specific, look at this comment:  http:Q_21566165.html#14913265

4.You can use the "loopback" processing of group policies for that.
a. In the "Public WS" OU, create a new GPO named, for example "Loopback"; check "deactivate userdefined configuration" (I'm not sure about the English name of that entry) in properties. Edit the GPO and enable: Computer Configuration - Administrative Templates - group policies - Activate Loopback mode for group policies (or similar; as I said, I don't use an English version, so check out the explanation tab if unsure). Set the mode to replace (or merge, whatever suits you better).
b. Now create your additional GPO(s) for your users in this OU; especially the screen saver setting ... If possible, check "deactivate computer configuration" in those. Important: Do *not* use the "Loopback" GPO to configure other settings. These GPOs will now only apply if the users logon to the public workstation. Depending on your loopback mode setting, your regular user GPOs will still apply, but they will be overridden by the settings defined in your "Public WS" GPO.
Note that you do (or "may") *not* need to put the users in (or below) the "Public WS" OU. New GPOs in that OU will be applied to *all* users logging on to that machine, even though those users are not in/below the public WS OU.
To exclude administrators, use the security group filtering. I'd recommend to do the following (for any GPO, not only the "Public WS"): For every GPO, create a global security group named, for example, GPol<GPO name> (*G*lobal *Pol*icy group for GPO <name>). Make the desired users member of this group. In the security settings for the GPO, remove the "Apply" and "Read" permission for the default "Authenticated Users", add it for the proper security group instead. That way you're pretty safe from surprises ...

Loopback Processing of Group Policy

I use SBS as well. Under the GPMC, go to My Business -> Users -> SBSUsers.  Edit  the policy and go to  User Configuration -> Windows Settings -> Scripts. From there you can add the script that you want to run on user logoff.

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now