Link to home
Start Free TrialLog in
Avatar of Monterio
MonterioFlag for United States of America

asked on

How to log off all Windows 7 and XP users at the OU level

I have a Windows Server 2008 domain and want to log all Windows 7 and Windows XP users off (since they lock their systems), provide a 15 minute warning before it happens and apply this at the OU level.

I've read lots of posts and several KB articles, but there's many ways to do this and I'm a bit confused.  Will someone please provide a step-by-step process I need to follow to facilitate what I need done by Server 2008 GPO only??

Please no links, I need actual steps.  Thanks!
Avatar of hvillanu
hvillanu
Flag of Mexico image

Hi,
Sorry, by sites policy I have to put the copyrighted link
Check this:
http://support.microsoft.com/default.aspx?scid=kb;en-us;314999

Or follow this (tested on Windows 2003 AD Server)
First on user account must set Logon hours
Second on Policy Editor (According to MS only works on Global) go to
Computer configuration -> Windows Settings -> Security Settings -> Local Policies -> security options -> Network Security: force logoff when hours logon expire

-hope helps-
Avatar of Monterio

ASKER

That link does not explain how to enable this process via GPO.  It is merely a method of performing a local logoff.  I am looking for clearly defined steps to do I need done as expained in the question.  Thanks anyway.
The other thing is that in your example, this logs the users off, but then they can't log back on either until log off period expires.  This is not what I need.  I need the user whose locked their workstation (CTRL-ALT-DEL) to be autmoatically logged off after a certain hour, but be able to log right back in if need be.  

There are users who work odd hours, after normal working hours.  If I follow your suggestion, the user will be logged out, but they won't ge able to log back in until their log off period has expired...correct?
ASKER CERTIFIED SOLUTION
Avatar of McKnife
McKnife
Flag of Germany image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of wbluna
wbluna

You could also use a free tool like SpecOps GPUpdate.  It does not have a Log off option, but it does have a reboot option.  Adds right click context menu's to AD Users and Computers.  You could click over an OU and tell the OU to reboot.  http://www.specopssoft.com/products/specops-gpupdate
Okay, I think I'm following you.  I've looked at that section of the GPO and see what it is you're talking about.  I tried using the the commands in your response in a batch file, but that didn't pan out well.  Could you give me the exact syntax for the .bat file?
My question was directed at McKnife, by the way.  WBLUNA, thanks for the suggestion but that will not work, as I do not wish to reboot the users.  As I stated, I need to simply log them off as they leave their workstations locked, which is unacceptable.
First please tell me if that task got created on the client side and what you exactly mean by "didn't pan out well".
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Hi, McKnife.

I tried to copy and pate that code into a batch file and it wouldn't run.  I got bad command or file name.

Bloodygonzo, having two policies to deploy two different screensavers isn't the way my boss wants to go.

I need a single solution, single method to do what I need, unfortunately.
...then you got another problem on your pc: copy and paste is out of order. Seriously, the code is alright.
The solution I mentioned is one screen saver and a single GPO solution. The only difference between windows 7 and xp is that the screen saver just works in XP and in windows 7 you need to modify permissions on a registry key and then it just works. The link I provided includes a powershell script to change the key permissions for you as well.