Physical Windows 7 (domain PC) - not RDP - GPO to log off user profiles running in background due to switch user

Hello Everyone,

I have been looking around for an easy solution to force Active Directory users off shared Windows 7 systems  (not connected by RDP, but directly on the system) who have profiles running in the background because they did a switch user and forgot to log out, because if they have applications open then it will (with all those profiles running in the background) slow down the machine. I was hoping to find a GPO setting that allows me to force oswitch-users-logged-inswitch-users-logged-inff those idle background profiles, but not the current logged in user, i.e. forcing a restart or logoff of all profiles is not an option. It should target only those idle users and should work whether someone is logged in or not, see screenshot to see what I mean. So far I have found a few very complex, multi-step suggestions with and without scripts, etc. but they all made it extremely difficult to implement, did not meet the need to not affect the logged in active user or had the potential to mess up other aspects of the system experience. Any insights appreciated, because surely someone has had to try this since W7 has been out for many years now
Laszlo DenesAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

William MillerIT SpecialistCommented:
To my knowledge there's no GPO that would do this for you in the background. A much simpler fix is to just have your users "Log Off" instead of using "Switch User". However, those disconnected profiles shouldn't have any effect on the operation of the current profile as their resources are dormant.
Scott SilvaNetwork AdministratorCommented:
It might just be easier to block the switch user entry points so they HAVE to log off...

Computers/Computer Configuration/Policies/Administrative Templates/System/Logon/Hide Entry Points for Fast user Switching.
Shaun VermaakTechnical SpecialistCommented:
Add a startup script to idlelogoff.exe, works like a charm
Get Blueprints for Increased Customer Retention

The IT Service Excellence Tool Kit has best practices to keep your clients happy and business booming. Inside, you’ll find everything you need to increase client satisfaction and retention, become more competitive, and increase your overall success.

Laszlo DenesAuthor Commented:
William - Do you have any tech articles that state this "However, those disconnected profiles shouldn't have any effect on the operation of the current profile as their resources are dormant", e.g. something from Microsoft, because I will be challenged on this i.e. proof.

Shaun - that looks good, but will it (did not see it specify it) only log off the current user who is logged in or can it be adjusted to keep the current user logged in and merely force logoff users who are 'disconnected' as they were logged in before and the current user used switch user to log in on top of the others?
William MillerIT SpecialistCommented:
I think I may have another option for you, actually. It seems you can disable the "Switch User" option entirely via GPO.

Run gpedit.msc
Navigate to
--Local Computer Policy
--Administrative Templates
--Disable "Hide entry points for Fast User Switching"

This will disable the option to "Switch User" from the Shutdown menu as well as the Welcome screen. This will effectively force them to logoff everytime and it's account independent. I'd say give this a go and see if that works as it would eliminate the problem without requiring third party usage.

Edited to correct a forgotten step.
William MillerIT SpecialistCommented:
Ah, didn't notice Scott's post above me, either. Yes, his suggestion (As well as the steps I provided) as going to be your most effective option.
Laszlo DenesAuthor Commented:
Clarification - We cannot disable the Switch User option or I would have done that already :-(
Also I noticed that if I log into the system with a user and run youtube music and then lock the screen and do a switch user ... when the next user logs in the music from the previous user keeps running even though the process (iexplore) is not showing up under all user processes... surely the fact that music is still on and thus uses the browser will have an impact on the system and if I consider 10 user accounts running apps (maybe not audible music) then surely they also impact the system... I could be wrong of course...
William MillerIT SpecialistCommented:
Are you not able to disable because you don't have access to GPO on the machine? Or because someone told you not to do that? I ask because you're doing the same thing by cleaning up a mess that is so easily fixed. If it's because you can't access GPO, you can also disable Switch User via registry which I can post here as well.
Laszlo DenesAuthor Commented:
It is a management issue/decision for not disabling switch user and not a technical issue, hence the need to work around it and periodically force off stale/disconnected user accounts without affecting the current logged in account or the user communities ability to utilize switch user options.
The other thing I found was this application (not tried yet)...
William MillerIT SpecialistCommented:
In that vein then, I also found this:

There's a quick readme included on the Git. This could potentially solve the issue as well, as it also provides a warning to users and can be configured for idle time. I'm not sure that this would effect disconnected profiles, however, as I've not used this myself.
Laszlo DenesAuthor Commented:
appreciate that but seems to focus on "a shared machine using terminal services or RDP"

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
William MillerIT SpecialistCommented:
To go with Shaun's post above, I found this article about how to setup IdleLogoff in detail:

Upon many searches this looks like one of the better options for your situation. The problem is that Windows doesn't really differentiate between a "Disconnected" Idle Profile and an active one. That tool seems to allow that functionality. I would say deploy it to a test machine and play around with it to see if you get your intended result. Get back to us if yes or no.
Laszlo DenesAuthor Commented:
I found that it worked best
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.