Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

automatic Logoff GPO is not working for user locked screens

Posted on 2015-02-20
6
Medium Priority
?
121 Views
Last Modified: 2015-02-27
On my work network, I'm testing the following logoff GPO with a test user account:

http://blogs.technet.com/b/askds/archive/2010/08/24/forcing-afterhours-user-logoffs.aspx

I've done enough GPOs and this one is also pretty simple thing to implement....

However, The GPO works when the test user is logged in but IT DOESN'T WORK when the test user's computer screen is locked. Why is that? The ideal situation is to automatic logoff my network users after hours whether they are logged in or their screens are locked. Hopefully this is simple solution because i've played with all the options in the GPO to no avail.
0
Comment
Question by:jslaught
  • 3
  • 3
6 Comments
 
LVL 35

Expert Comment

by:it_saige
ID: 40621528
It's because of one simple setting:Capture.JPGTo the operating system, a user that has locked their workstation is *technically* not logged in.  This is one of the nuances of fast-user switching.  If you change it so that the task runs whether the user is logged in or not, then it should work (however, this may cause errors in the event log depending upon what logoff.exe log's in cases where a user is already logged out.

-saige-
0
 

Author Comment

by:jslaught
ID: 40621664
@ saige ....

thank you for your suggestion however, when I selected "run whether user is logged on or not" option it prompted me for a password with the following message:

"a password cannot be entered for a variable user and is required when using the "run whether user is logged on or not" option".
0
 
LVL 35

Expert Comment

by:it_saige
ID: 40621678
Correct, you have to provide credentials.  This is where you can end up on a slippery slope.  If you define a user who's credentials change then the task will fail when the user changes their password.  If you define a user's who's password never expires, then you have a potential security risk.

In either case, the configuration should be well-documented so that 6 months from now, you know why it is configured this way.

-saige-
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:jslaught
ID: 40621756
What's weird is when i setup the GPO like my original link above, it recognized the job in the local workstation task scheduler. Plus it even says that it ran but it really it did not for a user who's screen was locked. Very baffling.

Per your last comment above, for testing purposes, in the GPO, I selected "run whether user is logged on or not" and added an admin account with password. Did gpupdate /force on the server and the test machine. The local task scheduler didn't dispaly the task and it did not run.

So there is no true way of doing an automatic logoff via GPO?
0
 
LVL 35

Accepted Solution

by:
it_saige earned 2000 total points
ID: 40621812
You are correct.  There is no true way to do an automatic *workstation* logoff in GPO (there are terminal services logoff policies).

Every recommendation or process is, generally speaking, a hack.

-saige-
0
 

Author Closing Comment

by:jslaught
ID: 40635173
It's been decided to do an daily automatic workstation reboot via a GPO since there is no true way to do an automatic workstation logoff via a GPO.
0

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Article by: Shawn
IT teams define success as solving problems quickly. To enable ITSM modernization we have to think of adopting the tools and methods that will enable resolution of ITSM issues more quickly.
Web hosting control panels were first developed to make it faster and easier for most users to set up and operate websites. The graphical user interface (GUI) allows users to perform tasks by pointing and clicking rather than typing highly specific…
This Micro Tutorial will give you a basic overview of Windows Live Photo Gallery and show you various editing filters and touches to photos you can apply. This will be demonstrated using Windows Live Photo Gallery on Windows 7 operating system.
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
Suggested Courses

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question