
Auto logoff for inactive users on Windows 7 & Server 2008 R2

I have been researching how to create a security policy that auto logs users off after a certain amount of inactivity. This is for security reasons.

I have seen solutions for XP, server 2003, etc, but none for Windows 7 and Server 2008 R2.

Is there a way to do this? Preferably with a GPO?

Thanks in advance..
2 Solutions
Andrej Pirman Commented:
Hmmm.... auto LOG-OFF is maybe not the best choice. Users might lose data (unsaved documents) or computer might not log-off if some program could not be stopped.
Why not just configure auto screensaver with LOCK after wake up? That would be secure, power efficient and friendly to users.

On 2008R2 DC, under User Configuration\Policies\Administrative Templates\Control Panel\Personalization you can select Enable Screen Saver, Password Protect Screen Saver, and Screen Saver Timeout without specifying a screensaver itself, so user will be able to select screensaver, but you will enforce timeout and locking via this GPO.
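
A check for whether the three Personalization settings named above are actually in effect for the logged-on user, as an added example that is not part of the original thread. The 900-second limit is an assumed value, and because these are User Configuration settings the script has to run in the user's own session.

```powershell
# Added example (not from the thread). The key and value names below are where
# the three Personalization GPO settings are stored for the logged-on user.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserKey   = 'HKCU:\Control Panel\Desktop'   # user's own screen saver choice
$MaxTimeoutSeconds = 900                     # assumed limit; use your own policy value

function Get-RegValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path
    if ($item.PSObject.Properties[$Name]) { return $item.$Name }
    return $null
}

function Test-ScreenLockPolicy {
    $findings = @()
    if ((Get-RegValue $PolicyKey 'ScreenSaveActive') -ne '1') {
        $findings += 'Enable screen saver is not enforced by policy'
    }
    if ((Get-RegValue $PolicyKey 'ScreenSaverIsSecure') -ne '1') {
        $findings += 'Password protect the screen saver is not enforced by policy'
    }
    $timeout = Get-RegValue $PolicyKey 'ScreenSaveTimeOut'
    if ($null -eq $timeout) {
        $findings += 'Screen saver timeout is not enforced by policy'
    } elseif ([int]$timeout -eq 0) {
        $findings += 'Timeout is 0: the screen saver never starts'
    } elseif ([int]$timeout -gt $MaxTimeoutSeconds) {
        $findings += "Timeout of $timeout s exceeds the $MaxTimeoutSeconds s limit"
    }
    # The timeout only takes effect when a screen saver is actually selected,
    # either by policy or by the user in Control Panel.
    $saver = Get-RegValue $PolicyKey 'SCRNSAVE.EXE'
    if (-not $saver) { $saver = Get-RegValue $UserKey 'SCRNSAVE.EXE' }
    if (-not $saver) {
        $findings += 'No screen saver is selected, so the timeout and lock never trigger'
    }
    return $findings
}

$findings = @(Test-ScreenLockPolicy)
if ($findings.Count -eq 0) {
    Write-Output 'Screen saver lock policy is enforced for this user.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```
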
Skyler Kincaid, Network/Systems Engineer Commented:
Check here:

Computer Configuration > Administrative Templates > Windows Components > Terminal Services > Sessions > enable the settings you want to configure.

The log out on the server would make sense but for the Windows 7 workstations the screen saver time being set to the desired time and requiring a password at wakeup would be best practice on the workstations.

If you had the machines logoff the users you would be getting so many calls for lost documents and files it would be crazy. Depending on how the server works you might also get the same thing.
ChiIT (Author) Commented:
Thanks both, good points. These are not terminal services workstations, so I'm not sure the terminal services solution would work but I like the screensaver option....thank you..
ChiIT (Author) Commented:
As a follow up, do you know if when configuring auto screen saver with lock, will it use their domain username and password to unlock, and does it record it as a login in AD?
Andrej Pirman Commented:
Yes, lock of screensaver is exactly the same as login lock (...or Win+L keys combination for manual locking computer).
But in any case you can login with different credentials, be it domain login (DOMAIN\username) or local login (.\localuser), but if previous user is still logged-in, in XP you will need to log-off previous user, and in Win7 or higher you can switch users without logging previous one off.

Regarding auditing as login in AD DC...well, I do not know, but I assume again it is the same as first login into computer. If you can track first login, then you should also be able to track login from screensaver. But that's my guess, try it.
ChiIT (Author) Commented:
Thank you so much
You may also take a look at Microsoft's Security Configuration Manager Solution Accelerator framework. It provides good documented best practice top to bottom security baselines for the different roles that Windows Servers can be assigned.

Question has a verified solution.