Physical Windows 7 (domain PC) - not RDP - GPO to log off user profiles running in background due to switch user
Hello Everyone,
I have been looking around for an easy solution to force Active Directory users off shared Windows 7 systems (not connected by RDP, but directly on the system) who have profiles running in the background because they did a switch user and forgot to log out, because if they have applications open then it will (with all those profiles running in the background) slow down the machine. I was hoping to find a GPO setting that allows me to force o
ff those idle background profiles, but not the current logged in user, i.e. forcing a restart or logoff of all profiles is not an option. It should target only those idle users and should work whether someone is logged in or not, see screenshot to see what I mean. So far I have found a few very complex, multi-step suggestions with and without scripts, etc. but they all made it extremely difficult to implement, did not meet the need to not affect the logged in active user or had the potential to mess up other aspects of the system experience. Any insights appreciated, because surely someone has had to try this since W7 has been out for many years now
I have been looking around for an easy solution to force Active Directory users off shared Windows 7 systems (not connected by RDP, but directly on the system) who have profiles running in the background because they did a switch user and forgot to log out, because if they have applications open then it will (with all those profiles running in the background) slow down the machine. I was hoping to find a GPO setting that allows me to force o
ff those idle background profiles, but not the current logged in user, i.e. forcing a restart or logoff of all profiles is not an option. It should target only those idle users and should work whether someone is logged in or not, see screenshot to see what I mean. So far I have found a few very complex, multi-step suggestions with and without scripts, etc. but they all made it extremely difficult to implement, did not meet the need to not affect the logged in active user or had the potential to mess up other aspects of the system experience. Any insights appreciated, because surely someone has had to try this since W7 has been out for many years now
William Miller
To my knowledge there's no GPO that would do this for you in the background. A much simpler fix is to just have your users "Log Off" instead of using "Switch User". However, those disconnected profiles shouldn't have any effect on the operation of the current profile as their resources are dormant.
It might just be easier to block the switch user entry points so they HAVE to log off...
Computers/Computer Configuration/Policies/Adm
Computers/Computer Configuration/Policies/Adm
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
William - Do you have any tech articles that state this "However, those disconnected profiles shouldn't have any effect on the operation of the current profile as their resources are dormant", e.g. something from Microsoft, because I will be challenged on this i.e. proof.
Shaun - that looks good, but will it (did not see it specify it) only log off the current user who is logged in or can it be adjusted to keep the current user logged in and merely force logoff users who are 'disconnected' as they were logged in before and the current user used switch user to log in on top of the others?
Shaun - that looks good, but will it (did not see it specify it) only log off the current user who is logged in or can it be adjusted to keep the current user logged in and merely force logoff users who are 'disconnected' as they were logged in before and the current user used switch user to log in on top of the others?
I think I may have another option for you, actually. It seems you can disable the "Switch User" option entirely via GPO.
Run gpedit.msc
Navigate to
--Local Computer Policy
--Administrative Templates
--System
--Logon
--Disable "Hide entry points for Fast User Switching"
This will disable the option to "Switch User" from the Shutdown menu as well as the Welcome screen. This will effectively force them to logoff everytime and it's account independent. I'd say give this a go and see if that works as it would eliminate the problem without requiring third party usage.
Edited to correct a forgotten step.
Run gpedit.msc
Navigate to
--Local Computer Policy
--Administrative Templates
--System
--Logon
--Disable "Hide entry points for Fast User Switching"
This will disable the option to "Switch User" from the Shutdown menu as well as the Welcome screen. This will effectively force them to logoff everytime and it's account independent. I'd say give this a go and see if that works as it would eliminate the problem without requiring third party usage.
Edited to correct a forgotten step.
Ah, didn't notice Scott's post above me, either. Yes, his suggestion (As well as the steps I provided) as going to be your most effective option.
ASKER
Clarification - We cannot disable the Switch User option or I would have done that already :-(
Also I noticed that if I log into the system with a user and run youtube music and then lock the screen and do a switch user ... when the next user logs in the music from the previous user keeps running even though the process (iexplore) is not showing up under all user processes... surely the fact that music is still on and thus uses the browser will have an impact on the system and if I consider 10 user accounts running apps (maybe not audible music) then surely they also impact the system... I could be wrong of course...
Also I noticed that if I log into the system with a user and run youtube music and then lock the screen and do a switch user ... when the next user logs in the music from the previous user keeps running even though the process (iexplore) is not showing up under all user processes... surely the fact that music is still on and thus uses the browser will have an impact on the system and if I consider 10 user accounts running apps (maybe not audible music) then surely they also impact the system... I could be wrong of course...
Are you not able to disable because you don't have access to GPO on the machine? Or because someone told you not to do that? I ask because you're doing the same thing by cleaning up a mess that is so easily fixed. If it's because you can't access GPO, you can also disable Switch User via registry which I can post here as well.
ASKER
It is a management issue/decision for not disabling switch user and not a technical issue, hence the need to work around it and periodically force off stale/disconnected user accounts without affecting the current logged in account or the user communities ability to utilize switch user options.
The other thing I found was this application (not tried yet)...
https://wizardsoft.nl/products/autologoff
The other thing I found was this application (not tried yet)...
https://wizardsoft.nl/products/autologoff
In that vein then, I also found this:
https://github.com/lcoulet/windows_AutoLogoff
There's a quick readme included on the Git. This could potentially solve the issue as well, as it also provides a warning to users and can be configured for idle time. I'm not sure that this would effect disconnected profiles, however, as I've not used this myself.
https://github.com/lcoulet/windows_AutoLogoff
There's a quick readme included on the Git. This could potentially solve the issue as well, as it also provides a warning to users and can be configured for idle time. I'm not sure that this would effect disconnected profiles, however, as I've not used this myself.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
To go with Shaun's post above, I found this article about how to setup IdleLogoff in detail:
https://4sysops.com/archives/automatically-log-off-idle-users-in-windows/
Upon many searches this looks like one of the better options for your situation. The problem is that Windows doesn't really differentiate between a "Disconnected" Idle Profile and an active one. That tool seems to allow that functionality. I would say deploy it to a test machine and play around with it to see if you get your intended result. Get back to us if yes or no.
https://4sysops.com/archives/automatically-log-off-idle-users-in-windows/
Upon many searches this looks like one of the better options for your situation. The problem is that Windows doesn't really differentiate between a "Disconnected" Idle Profile and an active one. That tool seems to allow that functionality. I would say deploy it to a test machine and play around with it to see if you get your intended result. Get back to us if yes or no.
ASKER
I found that it worked best