?
Solved

automatic Logoff GPO is not working for user locked screens

Posted on 2015-02-20
6
Medium Priority
?
118 Views
Last Modified: 2015-02-27
On my work network, I'm testing the following logoff GPO with a test user account:

http://blogs.technet.com/b/askds/archive/2010/08/24/forcing-afterhours-user-logoffs.aspx

I've done enough GPOs and this one is also pretty simple thing to implement....

However, The GPO works when the test user is logged in but IT DOESN'T WORK when the test user's computer screen is locked. Why is that? The ideal situation is to automatic logoff my network users after hours whether they are logged in or their screens are locked. Hopefully this is simple solution because i've played with all the options in the GPO to no avail.
0
Comment
Question by:jslaught
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 34

Expert Comment

by:it_saige
ID: 40621528
It's because of one simple setting:Capture.JPGTo the operating system, a user that has locked their workstation is *technically* not logged in.  This is one of the nuances of fast-user switching.  If you change it so that the task runs whether the user is logged in or not, then it should work (however, this may cause errors in the event log depending upon what logoff.exe log's in cases where a user is already logged out.

-saige-
0
 

Author Comment

by:jslaught
ID: 40621664
@ saige ....

thank you for your suggestion however, when I selected "run whether user is logged on or not" option it prompted me for a password with the following message:

"a password cannot be entered for a variable user and is required when using the "run whether user is logged on or not" option".
0
 
LVL 34

Expert Comment

by:it_saige
ID: 40621678
Correct, you have to provide credentials.  This is where you can end up on a slippery slope.  If you define a user who's credentials change then the task will fail when the user changes their password.  If you define a user's who's password never expires, then you have a potential security risk.

In either case, the configuration should be well-documented so that 6 months from now, you know why it is configured this way.

-saige-
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:jslaught
ID: 40621756
What's weird is when i setup the GPO like my original link above, it recognized the job in the local workstation task scheduler. Plus it even says that it ran but it really it did not for a user who's screen was locked. Very baffling.

Per your last comment above, for testing purposes, in the GPO, I selected "run whether user is logged on or not" and added an admin account with password. Did gpupdate /force on the server and the test machine. The local task scheduler didn't dispaly the task and it did not run.

So there is no true way of doing an automatic logoff via GPO?
0
 
LVL 34

Accepted Solution

by:
it_saige earned 2000 total points
ID: 40621812
You are correct.  There is no true way to do an automatic *workstation* logoff in GPO (there are terminal services logoff policies).

Every recommendation or process is, generally speaking, a hack.

-saige-
0
 

Author Closing Comment

by:jslaught
ID: 40635173
It's been decided to do an daily automatic workstation reboot via a GPO since there is no true way to do an automatic workstation logoff via a GPO.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recovering from what the press called "the largest-ever cyber-attack", IT departments worldwide are discussing ways to defend against this in the future. In this process, many people are looking for immediate actions while, instead, they need to tho…
Postmortem reporting allow us to examine mistakes in a way that focuses on the situational aspects of a failure’s mechanism and the decision-making process of individuals proximate to the failure. Read our guide on how to handle IT post-mortem repor…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question