
Forcing a Logout in Windows 2003 Small Business Server

rvfowler2
I googled and also went to EE's http://www.experts-exchange.com/Security/Operating_Systems_Security/Windows/Q_21123311.html?sfQueryTermInfo=1+10+30+forc+log+out.

However, did not find my specific answer.  We are capturing login and logoff info; however, employees sometimes forget to log out.  Our boss wants us to log them out after 2 hours of idle time.  I went to active directory and selected "Disconnect from session" after two hours of idle time, but we still have the same problem.  Should I have chosen "End session" instead or will that not actually log people out either?  Thank you.
Disconnect will simply leave the session logged.   End session will actually log off the user.
Just to clarify are you speaking about Terminal Services or are you wishing to log users out from the PCs?

Author

Commented:
Am wishing to log users out of their PCs in the office that they have left logged in when they leave at night.  In addition, we would also like to be able to log users out of their remote sessions when they have left themselves logged in too long.

Author

Commented:
Regarding the technet article above, while it's valuable to know you can restrict logon hours, we don't want to do that (if someone wants to login remotely from home after hours and do work that is OK).  We just want to ensure that they are logged out when they finish and not leave themselves logged in for an inordinate amount of time.
Okay, so the "end session" will help log people off of the Terminal Servers.  I do suggest caution about forcing log offs on PCs.  If you are too strict and someone has to work late then they won't be able to.  You could try setting a log in window from something like 18:59 to 18:58 which would then log them off at 18:58 but enable them to sign right back in a minute later.
Top Expert 2013
Commented:
It is pretty hard to log a user off their machine after x hours of inactivity. You can use CrisHanna_MVP's link to set hours of operation and force a log off at 'end of day', or any of the following to force a log off of a remote session. The following will not log off a user desktop console session:
The remote desktop session is controlled by numerous session limits, such as time limits for disconnected sessions, active sessions, idle sessions, and action upon reaching the time limit. All of these can be set in 6 locations. You should likely check all to see if one or more is affecting the host/domain PC's. Numbers 1 and 5 are the most likely location for any set limits.
1) Domain group policy Computer configuration | Administrative templates | Windows components | Terminal Services | Sessions |....
2) Domain group policy User configuration | Administrative templates | Windows components | Terminal Services | Sessions |....
3) Local computer policy Computer configuration | Administrative templates | Windows components | Terminal Services | Sessions |....
4) Local computer policy User configuration | Administrative templates | Windows components | Terminal Services | Sessions |....
5) User’s profile in Active Directory. See: Active Directory Users and Computers | User profile | Sessions
6) If a terminal server, see also: on the terminal server, Terminal Services Configuration console | Connections | right click on RDP-Tcp in the right hand window and choose properties | Sessions |….

Other than that you need to use a tool like PSshutdown with the -o (logoff) option
http://technet.microsoft.com/en-us/sysinternals/bb897541.aspx
To automate this you could use PSLoggedOn and write a script to parse the results and run the log off script, but I am afraid scripting like that is outside of my field of expertise.

Personally I would use a combination of group policy and Cris's suggestion.

Author

Commented:
OK, so I'm a neophyte on the Server.  But it seems that you're saying that the button I'm checking in the User's profile on Active Directory only shuts them off of their remote session.  Our main problem is with people not shutting off their PCs when they leave at night.  Seems like there must be an easier way of logging people off than setting time limits, but I like Ran's suggestion of logging them out at a specific time then allowing them to log back in 1 minute later.  I could leave the Admins out of course and everyone is usually gone by 7:00pm.  What is the industry standard here?
DonNetwork Administrator
Commented:
Top Expert 2013
Commented:
>>"the button I'm checking in the User's profile on Active Directory only shuts them off of their remote session. "
Correct

Why do they have to log out? Not saying you are wrong in your thinking but might help us to address it.
We have had companies where we just force a reboot of all machines at a given time (like 10:00pm), however that was more in Win2K and pre WSUS days. That or a forced logoff of all machines is quite easy to do.

I do recommend if not a forced logoff a screen saver lock is important. You don't want night cleaning staff to find logged on computers.
Cris HannaSr IT Support Engineer
Commented:
There is no industry standard as far as logout times, etc.   If users don't logout, the screensaver should kick in and require a password to get back on the console.  That secures the data that may have been open on computer when they left (assuming the password is not taped to the monitor)   I don't care whether they logoff or not unless there is a piece of software that is limited to say 3 users (like QB).

Author

Commented:
Oh, way back in the beginning of my post I wasn't quite clear:  because we are capturing login and logoff info, if we don't force logoffs, I don't receive accurate info in my csv file.  We are capturing this info from the following vbs code, then opening an excel sheet and macro that formats the data into a Pivot Table for final presentation to the boss.

'---------------------------------------
' Script to track logon and logoff events
' 1  03.June.2010  robber
''''''''''''''''''''''''''''''''''
' Constants for opening files
''''''''''''''''''''''''''''''''''
Const OpenFileForReading = 1
Const OpenFileForWriting = 2
Const OpenFileForAppending = 8

Dim lf, actionX, halfDay, newHour, datetime, rightNow
Dim oNet, oFSO, tslf

'--- set up files & log ---------
'change to suit domain setup... the share must be writable by the logon & logoff scripts
Const LogFldr = "\\sbsunited\userLog$\"
lf = "logonEvents.csv"

'the first argument is the action being performed; do not fail if it is missing
If WScript.Arguments.Count > 0 Then
    actionX = WScript.Arguments(0)
Else
    actionX = "unknown"
End If

'read the clock once so every field comes from the same instant
rightNow = Now()

'Format time as 12 hour periods
If Hour(rightNow) >= 12 Then
    halfDay = "PM"
    newHour = Hour(rightNow) - 12
Else
    halfDay = "AM"
    newHour = Hour(rightNow)
End If

'midnight and noon are 12 on a 12 hour clock (the original wrote them as 01)
If newHour = 0 Then
    newHour = 12
End If

'configure a consistent, orderable date time
datetime = Right("0" & Month(rightNow), 2) & "/" & Right("0" & Day(rightNow), 2) & "/" & Year(rightNow) & "," & Right("0" & newHour, 2) & ":" & Right("0" & Minute(rightNow), 2) & " " & halfDay

' Create the Network and FileSystem objects
Set oNet = CreateObject("WScript.Network")
Set oFSO = CreateObject("Scripting.FileSystemObject")

' write to Log (the file is created if it does not exist yet)
Set tslf = oFSO.OpenTextFile(LogFldr & lf, OpenFileForAppending, True)
tslf.WriteLine oNet.UserName & "," & oNet.ComputerName & "," & WeekdayName(Weekday(rightNow)) & "," & datetime & "," & actionX
tslf.Close
'------ end ---
Set oNet = Nothing
Set oFSO = Nothing

WScript.Quit
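Added example, not part of the original thread: a Python check over the CSV that the script above writes, which pairs logon and logoff rows and reports the gaps that make the totals inaccurate when users never log off. The sample rows are constructed, and the action values "logon"/"logoff" and the 12-hour session ceiling are assumptions, since the thread does not show them.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the column layout the logging script writes:
# user,computer,weekday,MM/DD/YYYY,hh:mm AM/PM,action
# Assumption: the script is called with "logon" or "logoff" as its argument.
SAMPLE = """\
alice,PC01,Monday,06/07/2010,08:55 AM,logon
bob,PC02,Monday,06/07/2010,09:10 AM,logon
alice,PC01,Monday,06/07/2010,05:05 PM,logoff
bob,PC02,Tuesday,06/08/2010,09:02 AM,logon
bob,PC02,Tuesday,06/08/2010,05:30 PM,logoff
"""

def audit_sessions(text, max_session=timedelta(hours=12)):
    """Pair logon/logoff rows per (user, computer).

    Returns (sessions, anomalies). A session is (user, pc, start, end);
    anomalies are rows that would distort an hours-logged report.
    """
    open_logons = {}  # (user, pc) -> logon time still waiting for a logoff
    sessions, anomalies = [], []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        try:
            user, pc, _weekday, date, clock, action = (f.strip() for f in row)
            when = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %I:%M %p")
        except ValueError:  # wrong field count or unparsable date/time
            anomalies.append(("malformed row", row))
            continue
        key, action = (user, pc), action.lower()
        if action == "logon":
            if key in open_logons:  # the earlier logon was never closed
                anomalies.append(("logon without logoff", user, pc, open_logons[key]))
            open_logons[key] = when
        elif action == "logoff":
            start = open_logons.pop(key, None)
            if start is None:
                anomalies.append(("logoff without logon", user, pc, when))
            elif when - start > max_session:
                anomalies.append(("session too long", user, pc, start))
            else:
                sessions.append((user, pc, start, when))
        else:
            anomalies.append(("unknown action", row))
    for (user, pc), start in open_logons.items():
        anomalies.append(("still logged on", user, pc, start))
    return sessions, anomalies
```

Because every workstation appends to the same share, rows are only as trustworthy as the share's permissions; the anomaly list is a prompt to check a machine, not proof of hours worked.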
Cris HannaSr IT Support Engineer
Commented:
just curious what the business value of tracking and doing all that is?  Are you using this for time and attendance/payroll?
DonNetwork Administrator

Commented:
Try the Winexit Screensaver

Author

Commented:
Not sure of business value; boss asked for it; possibly because he wants to track hours logged in vs. hours they actually report (we still have people manually reporting their hours by emailing the Finance Mgr.  We're a mid-sized company with only about 30 employees.)

Looking up Winexit Screensaver.  Thanks.

My last comment before awarding points unless other clarifying questions out there.
Top Expert 2013
Commented:
I would have to agree, I fail to see the value of this information. A user comes in the office, logs on and then leaves for coffee for 2 hours. I just can't see it being an accurate representation of anything. There are numerous programs that will log specific activity such as applications used, time spent on those application, even time spent on a document with that application. Perhaps something like that might be more value.  If not, using dstewartjr's suggestion of the winexit screen saver is likely your best bet, assuming it still works with Vista and Win7. That is an old NT utility, but worked well and still worked on XP.

Author

Commented:
One consideration is that he always wants something that is free and second is that he possibly just wants the login and logout info, when they actually get here and when they leave.  But I see your point as to the lack of accuracy in total hours worked.  Any of these applications you mention that logs applications used and time free?
Top Expert 2013
Commented:
No, the applications all require a license for each workstation. The ones I have used run about $60/ workstation but also probably provide much more information than you need. You do need to be careful when using these applications as at one point you cross a line with privacy regulations. You are effectively spying on employees. Many areas require the users sign an agreement indicating they are fully aware of any monitoring done by the employer and agree to it.

Author

Commented:
Thanks for all your help.  Will discuss purpose with the boss and look into these options.