I need to force my users to log off every night for x amount of minutes. How can I do this without forcing them to stay logged out for an hour?

I am running Active Directory on Windows 2003 domain controllers in native mode. I need to force my users to log off every night. Now I know there is a LOGON HOUR policy but I do not want to restrict them for a whole hour. I just need them to log out and back on so that any new login scripts would be applied to them. I don't like users staying logged in for weeks at a time and only locking their keyboards. Now one thing about this... I do not want to do this with a script that runs on every single PC or have to run a shutdown command from a remote computer against every computer. The WinExit scr will not work for me either. I want users to be able to use whatever screen saver they want. This needs to be controlled centrally somehow. Any ideas on how to accomplish this? I can't believe MS only allows you to block a user for one hour increments. So... how can I force a logoff?
dkitts Asked:
 
dkitts (Author) Commented:
Neither comment helped me. I am closing this ticket. What I did to resolve this was to create an "AT" command to do a nightly reboot. Users did not have local admin rights to add this command, so I had to do a runas to get this to work. I passed the runas pw thru via sanur.exe.
0
 
Henrik Johansson (Systems engineer) Commented:
The native solution for your problem is to use logon hours combined with the following policy setting enabled.
Computer Configuration\Windows Settings\Local Policies\Security Options\Network Security: Force logoff when logon hours expire

If it's a Terminal Server, you can configure max session lengths to be max 24 hours, but as far as I know this is not possible except by using WinExit.scr.

If you don't want to use either logon hours or winexit.scr, you need to implement some kind of scripting to do what you want. Either execute logoff.exe through a scheduled task on each client or target each client remotely from a script executed on a server.

Just curious, but why is it so critical to have the logon scripts to be executed every day?
0
 
dkitts (Author) Commented:
It's not mission critical that the logon scripts run every day. Sometimes, though, I will throw an update or patch of some sort into the login script. We also have a scan that runs at logon to do a hardware and software inventory. It would just be nice to know that stuff does get run every day.
I'm going to leave this open a few days and see if someone has any other ideas.

Thanks
0
 
Henrik Johansson (Systems engineer) Commented:
For the patch management, use automatic updates connecting to WSUS combined with GPOs instead of distributing patches with logon script (unnecessary administrative permissions for the users).

For the inventory, it sounds like you need to implement MS SMS. It costs money, but will do the job for you with a distributed agent collecting hardware and software inventory. Other features of SMS are remote control and software installation.
0
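Added example, not part of the thread or anyone's posted code: the one-hour granularity discussed above follows from how Active Directory stores logon hours, as a 21-byte `logonHours` bitmap with one bit per hour of the week, in UTC, starting Sunday 00:00. The Python sketch below builds and decodes such a value for a single denied hour per night; the function names and the UTC-5 site are assumptions made for illustration, and writing the value to an account is left out.

```python
"""Build and decode an AD logonHours value (added example, constructed inputs)."""

HOURS_PER_WEEK = 7 * 24          # 168 one-hour slots, one bit each -> 21 bytes
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]


def build_logon_hours(deny_local_hour: int, utc_offset_hours: int) -> bytes:
    """Allow every hour except one local hour per day.

    The attribute is stored in UTC, so the local hour is shifted by the
    (whole-hour) offset and wrapped around the week.
    """
    if not 0 <= deny_local_hour <= 23:
        raise ValueError("hour must be 0-23")
    bitmap = bytearray(b"\xff" * (HOURS_PER_WEEK // 8))   # start fully permitted
    for day in range(7):
        slot = (day * 24 + deny_local_hour - utc_offset_hours) % HOURS_PER_WEEK
        bitmap[slot // 8] &= ~(1 << (slot % 8)) & 0xFF      # cleared bit = denied
    return bytes(bitmap)


def denied_local_slots(bitmap: bytes, utc_offset_hours: int) -> list:
    """Return the denied hours as (day, hour) tuples in local time."""
    if len(bitmap) != HOURS_PER_WEEK // 8:
        raise ValueError("logonHours must be exactly 21 bytes")
    denied = []
    for slot in range(HOURS_PER_WEEK):
        if not bitmap[slot // 8] >> (slot % 8) & 1:
            local = (slot + utc_offset_hours) % HOURS_PER_WEEK
            denied.append((DAYS[local // 24], local % 24))
    return sorted(denied, key=lambda d: (DAYS.index(d[0]), d[1]))


if __name__ == "__main__":
    # Constructed case: deny 02:00-03:00 local time for a site at UTC-5.
    value = build_logon_hours(deny_local_hour=2, utc_offset_hours=-5)
    print(value.hex())
    print(denied_local_slots(value, -5))
```

Because the stored value is UTC and the offset here is fixed, the local denied hour moves by one hour across a daylight-saving change, and offsets that are not whole hours cannot be aligned to a local hour boundary at all.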