Solved

automatic Logoff GPO is not working for user locked screens

Posted on 2015-02-20
Last Modified: 2015-02-27
On my work network, I'm testing the following logoff GPO with a test user account:

http://blogs.technet.com/b/askds/archive/2010/08/24/forcing-afterhours-user-logoffs.aspx

I've done enough GPOs, and this one is also a pretty simple thing to implement....

However, the GPO works when the test user is logged in, but IT DOESN'T WORK when the test user's computer screen is locked. Why is that? The ideal situation is to automatically log off my network users after hours, whether they are logged in or their screens are locked. Hopefully this is a simple solution, because I've played with all the options in the GPO to no avail.
Question by:jslaught
LVL 33

Expert Comment

by:it_saige
ID: 40621528
It's because of one simple setting (screenshot: Capture.JPG).

To the operating system, a user that has locked their workstation is *technically* not logged in.  This is one of the nuances of fast-user switching.  If you change it so that the task runs whether the user is logged in or not, then it should work (however, this may cause errors in the event log depending upon what logoff.exe logs in cases where a user is already logged out).

-saige-
 

Author Comment

by:jslaught
ID: 40621664
@ saige ....

Thank you for your suggestion; however, when I selected the "run whether user is logged on or not" option, it prompted me for a password with the following message:

"a password cannot be entered for a variable user and is required when using the "run whether user is logged on or not" option".
 
LVL 33

Expert Comment

by:it_saige
ID: 40621678
Correct, you have to provide credentials.  This is where you can end up on a slippery slope.  If you define a user whose credentials change, then the task will fail when the user changes their password.  If you define a user whose password never expires, then you have a potential security risk.

In either case, the configuration should be well-documented so that 6 months from now, you know why it is configured this way.

-saige-
 

Author Comment

by:jslaught
ID: 40621756
What's weird is that when I set up the GPO like my original link above, it recognized the job in the local workstation task scheduler. Plus it even says that it ran, but it really did not for a user whose screen was locked. Very baffling.

Per your last comment above, for testing purposes, in the GPO, I selected "run whether user is logged on or not" and added an admin account with password. Did gpupdate /force on the server and the test machine. The local task scheduler didn't display the task and it did not run.

So there is no true way of doing an automatic logoff via GPO?
 
LVL 33

Accepted Solution

by:
it_saige earned 500 total points
ID: 40621812
You are correct.  There is no true way to do an automatic *workstation* logoff in GPO (there are terminal services logoff policies).

Every recommendation or process is, generally speaking, a hack.

-saige-
 

Author Closing Comment

by:jslaught
ID: 40635173
It's been decided to do a daily automatic workstation reboot via a GPO since there is no true way to do an automatic workstation logoff via a GPO.
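
Added example, not part of the thread and not code from any participant: a PowerShell script for the stored-credential trade-off discussed above, written to be run by a scheduled task whose principal is NT AUTHORITY\SYSTEM (an assumption; SYSTEM needs no stored password), which enumerates sessions with quser.exe and ends each one with logoff.exe. The parameter name ExcludeUser and the helper ConvertFrom-QuserOutput are hypothetical, and the parser assumes English-language quser output.

```powershell
# Added example (not from the thread). Intended principal: NT AUTHORITY\SYSTEM,
# so the task definition carries no account password.
# Assumption: English quser output, STATE column is "Active" or "Disc".
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical exclusion list: accounts that must never be logged off.
    [string[]]$ExcludeUser = @()
)

# Row shapes the parser must handle (constructed sample, not real output):
#  USERNAME     SESSIONNAME   ID  STATE   IDLE TIME  LOGON TIME
# >testuser     console        1  Active       1:05  2/20/2015 8:00 AM
#  otheruser                   2  Disc         3:10  2/20/2015 7:30 AM
function ConvertFrom-QuserOutput {
    param([string[]]$Line)
    # SESSIONNAME is blank for disconnected sessions, so that group is optional.
    $pattern = '^[\s>](?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+(?<state>Active|Disc)\b'
    foreach ($l in $Line) {
        if ($l -match $pattern) {          # the header row fails on \d+ and is skipped
            [pscustomobject]@{
                User    = $Matches.user
                Session = $Matches.session # $null when the column was blank
                Id      = [int]$Matches.id
                State   = $Matches.state
            }
        }
    }
}

# quser returns nothing on stdout when no interactive session exists.
$raw = & quser.exe 2>$null
if (-not $raw) { Write-Verbose 'No interactive sessions found.'; return }

foreach ($s in ConvertFrom-QuserOutput -Line $raw) {
    if ($ExcludeUser -contains $s.User) { continue }
    $target = '{0} (session {1}, {2})' -f $s.User, $s.Id, $s.State
    if ($PSCmdlet.ShouldProcess($target, 'logoff')) {
        & logoff.exe $s.Id
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "logoff failed for $target (exit code $LASTEXITCODE)"
        }
    }
}
```

Running the script with -WhatIf lists the sessions it would end without logging anyone off. Unsaved work in a session that is ended this way is lost, the same as with the daily reboot chosen in the thread.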