Solved

automatic Logoff GPO is not working for user locked screens

Posted on 2015-02-20
6
114 Views
Last Modified: 2015-02-27
On my work network, I'm testing the following logoff GPO with a test user account:

http://blogs.technet.com/b/askds/archive/2010/08/24/forcing-afterhours-user-logoffs.aspx

I've done enough GPOs and this one is also pretty simple thing to implement....

However, The GPO works when the test user is logged in but IT DOESN'T WORK when the test user's computer screen is locked. Why is that? The ideal situation is to automatic logoff my network users after hours whether they are logged in or their screens are locked. Hopefully this is simple solution because i've played with all the options in the GPO to no avail.
0
Comment
Question by:jslaught
  • 3
  • 3
6 Comments
 
LVL 33

Expert Comment

by:it_saige
ID: 40621528
It's because of one simple setting:Capture.JPGTo the operating system, a user that has locked their workstation is *technically* not logged in.  This is one of the nuances of fast-user switching.  If you change it so that the task runs whether the user is logged in or not, then it should work (however, this may cause errors in the event log depending upon what logoff.exe log's in cases where a user is already logged out.

-saige-
0
 

Author Comment

by:jslaught
ID: 40621664
@ saige ....

thank you for your suggestion however, when I selected "run whether user is logged on or not" option it prompted me for a password with the following message:

"a password cannot be entered for a variable user and is required when using the "run whether user is logged on or not" option".
0
 
LVL 33

Expert Comment

by:it_saige
ID: 40621678
Correct, you have to provide credentials.  This is where you can end up on a slippery slope.  If you define a user who's credentials change then the task will fail when the user changes their password.  If you define a user's who's password never expires, then you have a potential security risk.

In either case, the configuration should be well-documented so that 6 months from now, you know why it is configured this way.

-saige-
0
NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

 

Author Comment

by:jslaught
ID: 40621756
What's weird is when i setup the GPO like my original link above, it recognized the job in the local workstation task scheduler. Plus it even says that it ran but it really it did not for a user who's screen was locked. Very baffling.

Per your last comment above, for testing purposes, in the GPO, I selected "run whether user is logged on or not" and added an admin account with password. Did gpupdate /force on the server and the test machine. The local task scheduler didn't dispaly the task and it did not run.

So there is no true way of doing an automatic logoff via GPO?
0
 
LVL 33

Accepted Solution

by:
it_saige earned 500 total points
ID: 40621812
You are correct.  There is no true way to do an automatic *workstation* logoff in GPO (there are terminal services logoff policies).

Every recommendation or process is, generally speaking, a hack.

-saige-
0
 

Author Closing Comment

by:jslaught
ID: 40635173
It's been decided to do an daily automatic workstation reboot via a GPO since there is no true way to do an automatic workstation logoff via a GPO.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While working, an annoying popup showing below will come and we cannot cancel or close it form the screen. The error message will come again and again.
Scenario: Your operations manager has discovered an anomaly in your security system. The business will start to suffer within 15 minutes if it is a major IT incident. What should she do? We have 6 recommendations for managing major incidents (https:…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This Micro Tutorial will go in depth within Systems and Security in Windows 7 and will go into detail regarding Action Center, Windows Firewall, System, etc. This will be demonstrated using Windows 7 operating system.

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question