[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 255
  • Last Modified:

How to log off all Windows 7 and XP users at the OU level

I have a Windows Server 2008 domain and want to log all Windows 7 and Windows XP users off (since they lock their systems), provide a 15 minute warning before it happens and apply this at the OU level.

I've read lots of posts and several KB articles, but there's many ways to do this and I'm a bit confused.  Will someone please provide a step-by-step process I need to follow to facilitate what I need done by Server 2008 GPO only??

Please no links, I need actual steps.  Thanks!
0
Monterio
Asked:
Monterio
  • 5
  • 3
  • 2
  • +2
2 Solutions
 
hvillanuCommented:
Hi,
Sorry, by sites policy I have to put the copyrighted link
Check this:
http://support.microsoft.com/default.aspx?scid=kb;en-us;314999

Or follow this (tested on Windows 2003 AD Server)
First on user account must set Logon hours
Second on Policy Editor (According to MS only works on Global) go to
Computer configuration -> Windows Settings -> Security Settings -> Local Policies -> security options -> Network Security: force logoff when hours logon expire

-hope helps-
0
 
MonterioAuthor Commented:
That link does not explain how to enable this process via GPO.  It is merely a method of performing a local logoff.  I am looking for clearly defined steps to do I need done as expained in the question.  Thanks anyway.
0
 
MonterioAuthor Commented:
The other thing is that in your example, this logs the users off, but then they can't log back on either until log off period expires.  This is not what I need.  I need the user whose locked their workstation (CTRL-ALT-DEL) to be autmoatically logged off after a certain hour, but be able to log right back in if need be.  

There are users who work odd hours, after normal working hours.  If I follow your suggestion, the user will be logged out, but they won't ge able to log back in until their log off period has expired...correct?
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
McKnifeCommented:
Hi.

You could use the user configuration - preferences section of a GPO to deploy a scheduled task domain wide that acts as the locally logged on user and uses the command
shutdown -l
to log off.
If you want to throw a message, use shutdown -l in a batch like
msg %username% Alert: forcing logoff in 60 seconds, please save your documents
ping localhost -n 60
shutdown -l

Confirmed working when issued by 2008 R2 to win7 clients.
0
 
wblunaCommented:
You could also use a free tool like SpecOps GPUpdate.  It does not have a Log off option, but it does have a reboot option.  Adds right click context menu's to AD Users and Computers.  You could click over an OU and tell the OU to reboot.  http://www.specopssoft.com/products/specops-gpupdate
0
 
MonterioAuthor Commented:
Okay, I think I'm following you.  I've looked at that section of the GPO and see what it is you're talking about.  I tried using the the commands in your response in a batch file, but that didn't pan out well.  Could you give me the exact syntax for the .bat file?
0
 
MonterioAuthor Commented:
My question was directed at McKnife, by the way.  WBLUNA, thanks for the suggestion but that will not work, as I do not wish to reboot the users.  As I stated, I need to simply log them off as they leave their workstations locked, which is unacceptable.
0
 
McKnifeCommented:
First please tell me if that task got created on the client side and what you exactly mean by "didn't pan out well".
0
 
bloodygonzoCommented:
For WinXP users you can use winexit.scr: http://support.microsoft.com/kb/314999

For Windows 7 you need to tweek a registry permission to get it to work. Please see this thread:

http://www.sevenforums.com/performance-maintenance/68519-anyone-get-winexit-scr-work-win7.html


You can download winexit.scr as part of the Windows Server 2003 Resource Kit: http://www.microsoft.com/download/en/details.aspx?id=17657
0
 
MonterioAuthor Commented:
Hi, McKnife.

I tried to copy and pate that code into a batch file and it wouldn't run.  I got bad command or file name.

Bloodygonzo, having two policies to deploy two different screensavers isn't the way my boss wants to go.

I need a single solution, single method to do what I need, unfortunately.
0
 
McKnifeCommented:
...then you got another problem on your pc: copy and paste is out of order. Seriously, the code is alright.
0
 
bloodygonzoCommented:
The solution I mentioned is one screen saver and a single GPO solution. The only difference between windows 7 and xp is that the screen saver just works in XP and in windows 7 you need to modify permissions on a registry key and then it just works. The link I provided includes a powershell script to change the key permissions for you as well.
0

Featured Post

Upgrade your Question Security!

Add Premium security features to your question to ensure its privacy or anonymity. Learn more about your ability to control Question Security today.

  • 5
  • 3
  • 2
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now