Link to home
Create AccountLog in
Avatar of Laszlo Denes
Laszlo DenesFlag for Canada

asked on

Physical Windows 7 (domain PC) - not RDP - GPO to log off user profiles running in background due to switch user

Hello Everyone,

I have been looking around for an easy solution to force Active Directory users off shared Windows 7 systems  (not connected by RDP, but directly on the system) who have profiles running in the background because they did a switch user and forgot to log out, because if they have applications open then it will (with all those profiles running in the background) slow down the machine. I was hoping to find a GPO setting that allows me to force oUser generated imageUser generated imageff those idle background profiles, but not the current logged in user, i.e. forcing a restart or logoff of all profiles is not an option. It should target only those idle users and should work whether someone is logged in or not, see screenshot to see what I mean. So far I have found a few very complex, multi-step suggestions with and without scripts, etc. but they all made it extremely difficult to implement, did not meet the need to not affect the logged in active user or had the potential to mess up other aspects of the system experience. Any insights appreciated, because surely someone has had to try this since W7 has been out for many years now
Avatar of William Miller
William Miller
Flag of United States of America image

To my knowledge there's no GPO that would do this for you in the background. A much simpler fix is to just have your users "Log Off" instead of using "Switch User". However, those disconnected profiles shouldn't have any effect on the operation of the current profile as their resources are dormant.
Avatar of Scott Silva
It might just be easier to block the switch user entry points so they HAVE to log off...

Computers/Computer Configuration/Policies/Administrative Templates/System/Logon/Hide Entry Points for Fast user Switching.
Avatar of Shaun Vermaak
Shaun Vermaak
Flag of Australia image

Link to home
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Avatar of Laszlo Denes


William - Do you have any tech articles that state this "However, those disconnected profiles shouldn't have any effect on the operation of the current profile as their resources are dormant", e.g. something from Microsoft, because I will be challenged on this i.e. proof.

Shaun - that looks good, but will it (did not see it specify it) only log off the current user who is logged in or can it be adjusted to keep the current user logged in and merely force logoff users who are 'disconnected' as they were logged in before and the current user used switch user to log in on top of the others?
I think I may have another option for you, actually. It seems you can disable the "Switch User" option entirely via GPO.

Run gpedit.msc
Navigate to
--Local Computer Policy
--Administrative Templates
--Disable "Hide entry points for Fast User Switching"

This will disable the option to "Switch User" from the Shutdown menu as well as the Welcome screen. This will effectively force them to logoff everytime and it's account independent. I'd say give this a go and see if that works as it would eliminate the problem without requiring third party usage.

Edited to correct a forgotten step.
Ah, didn't notice Scott's post above me, either. Yes, his suggestion (As well as the steps I provided) as going to be your most effective option.
Clarification - We cannot disable the Switch User option or I would have done that already :-(
Also I noticed that if I log into the system with a user and run youtube music and then lock the screen and do a switch user ... when the next user logs in the music from the previous user keeps running even though the process (iexplore) is not showing up under all user processes... surely the fact that music is still on and thus uses the browser will have an impact on the system and if I consider 10 user accounts running apps (maybe not audible music) then surely they also impact the system... I could be wrong of course...
Are you not able to disable because you don't have access to GPO on the machine? Or because someone told you not to do that? I ask because you're doing the same thing by cleaning up a mess that is so easily fixed. If it's because you can't access GPO, you can also disable Switch User via registry which I can post here as well.
It is a management issue/decision for not disabling switch user and not a technical issue, hence the need to work around it and periodically force off stale/disconnected user accounts without affecting the current logged in account or the user communities ability to utilize switch user options.
The other thing I found was this application (not tried yet)...
In that vein then, I also found this:

There's a quick readme included on the Git. This could potentially solve the issue as well, as it also provides a warning to users and can be configured for idle time. I'm not sure that this would effect disconnected profiles, however, as I've not used this myself.
Link to home
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
To go with Shaun's post above, I found this article about how to setup IdleLogoff in detail:

Upon many searches this looks like one of the better options for your situation. The problem is that Windows doesn't really differentiate between a "Disconnected" Idle Profile and an active one. That tool seems to allow that functionality. I would say deploy it to a test machine and play around with it to see if you get your intended result. Get back to us if yes or no.
I found that it worked best