• Status: Solved

Physical Windows 7 (domain PC) - not RDP - GPO to log off user profiles running in background due to switch user

Hello Everyone,

I have been looking around for an easy solution to force Active Directory users off shared Windows 7 systems (not connected by RDP, but directly on the system) who have profiles running in the background because they did a switch user and forgot to log out, because if they have applications open then it will (with all those profiles running in the background) slow down the machine. I was hoping to find a GPO setting that allows me to force off those idle background profiles, but not the current logged in user, i.e. forcing a restart or logoff of all profiles is not an option. It should target only those idle users and should work whether someone is logged in or not, see screenshot to see what I mean. So far I have found a few very complex, multi-step suggestions with and without scripts, etc. but they all made it extremely difficult to implement, did not meet the need to not affect the logged in active user or had the potential to mess up other aspects of the system experience. Any insights appreciated, because surely someone has had to try this since W7 has been out for many years now.
Asked by: Laszlo Denes
 
William Miller (Inventory/IT Consultant) commented:
To my knowledge there's no GPO that would do this for you in the background. A much simpler fix is to just have your users "Log Off" instead of using "Switch User". However, those disconnected profiles shouldn't have any effect on the operation of the current profile as their resources are dormant.
 
Scott Silva (Network Administrator) commented:
It might just be easier to block the switch user entry points so they HAVE to log off...

Computers/Computer Configuration/Policies/Administrative Templates/System/Logon/Hide Entry Points for Fast user Switching.
 
Shaun Vermaak (Technical Specialist/Developer) commented:
Add a startup script to idlelogoff.exe, works like a charm
https://www.puryear-it.com/force-logoff-idle-users-idlelogoff-exe
 
Laszlo Denes (Author) commented:
William - Do you have any tech articles that state this "However, those disconnected profiles shouldn't have any effect on the operation of the current profile as their resources are dormant", e.g. something from Microsoft, because I will be challenged on this i.e. proof.

Shaun - that looks good, but will it (did not see it specify it) only log off the current user who is logged in or can it be adjusted to keep the current user logged in and merely force logoff users who are 'disconnected' as they were logged in before and the current user used switch user to log in on top of the others?
 
William Miller (Inventory/IT Consultant) commented:
I think I may have another option for you, actually. It seems you can disable the "Switch User" option entirely via GPO.

Run gpedit.msc
Navigate to
--Local Computer Policy
--Administrative Templates
--System
--Logon
--Disable "Hide entry points for Fast User Switching"


This will disable the option to "Switch User" from the Shutdown menu as well as the Welcome screen. This will effectively force them to log off every time and it's account independent. I'd say give this a go and see if that works as it would eliminate the problem without requiring third party usage.

Edited to correct a forgotten step.
 
William Miller (Inventory/IT Consultant) commented:
Ah, didn't notice Scott's post above me, either. Yes, his suggestion (as well as the steps I provided) is going to be your most effective option.
 
Laszlo Denes (Author) commented:
Clarification - We cannot disable the Switch User option or I would have done that already :-(
Also I noticed that if I log into the system with a user and run YouTube music and then lock the screen and do a switch user ... when the next user logs in the music from the previous user keeps running even though the process (iexplore) is not showing up under all user processes... surely the fact that music is still on and thus uses the browser will have an impact on the system and if I consider 10 user accounts running apps (maybe not audible music) then surely they also impact the system... I could be wrong of course...
 
William Miller (Inventory/IT Consultant) commented:
Are you not able to disable because you don't have access to GPO on the machine? Or because someone told you not to do that? I ask because you're doing the same thing by cleaning up a mess that is so easily fixed. If it's because you can't access GPO, you can also disable Switch User via registry which I can post here as well.
 
Laszlo Denes (Author) commented:
It is a management issue/decision for not disabling switch user and not a technical issue, hence the need to work around it and periodically force off stale/disconnected user accounts without affecting the current logged in account or the user community's ability to utilize switch user options.
The other thing I found was this application (not tried yet)...
https://wizardsoft.nl/products/autologoff
 
William Miller (Inventory/IT Consultant) commented:
In that vein then, I also found this:

https://github.com/lcoulet/windows_AutoLogoff

There's a quick readme included on the Git. This could potentially solve the issue as well, as it also provides a warning to users and can be configured for idle time. I'm not sure that this would affect disconnected profiles, however, as I've not used this myself.
 
Laszlo Denes (Author) commented:
Appreciate that, but it seems to focus on "a shared machine using terminal services or RDP".
 
William Miller (Inventory/IT Consultant) commented:
To go with Shaun's post above, I found this article about how to set up IdleLogoff in detail:

https://4sysops.com/archives/automatically-log-off-idle-users-in-windows/

Upon many searches this looks like one of the better options for your situation. The problem is that Windows doesn't really differentiate between a "Disconnected" Idle Profile and an active one. That tool seems to allow that functionality. I would say deploy it to a test machine and play around with it to see if you get your intended result. Get back to us if yes or no.
 
Laszlo Denes (Author) commented:
I found that it worked best
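
An added example, not posted by anyone in this thread and not part of any tool linked above: a PowerShell 2.0-compatible script for the case the question describes, which reads the built-in `quser` session list and logs off (with the built-in `logoff` command) only sessions in the disconnected state, leaving the active console user alone. It assumes English-language `quser` output and an elevated context such as a scheduled task; the idle threshold, the `-Demo` switch and the sample lines are constructed for illustration.

```powershell
# Added example: report or log off only disconnected (switched-away) sessions.
# Assumes English quser output and an elevated context (e.g. a scheduled task).
param(
    [int]$MinIdleMinutes = 60,  # hypothetical threshold; set per local policy
    [switch]$Apply,             # without -Apply the script only reports
    [switch]$Demo               # parse the constructed sample below instead of quser
)

# Constructed sample of quser output (not captured from a real machine).
$sample = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME'
    ' alice                                     1  Disc         2:15  1/2/2024 8:00 AM'
    ' carol                                     2  Disc           12  1/2/2024 9:40 AM'
    '>bob                   console             3  Active      none   1/2/2024 9:55 AM'
)

function ConvertTo-IdleMinutes([string]$Idle) {
    # quser idle formats: "none", ".", "12" (min), "2:15" (h:mm), "1+02:15" (d+h:mm)
    if ($Idle -match '^(?:(\d+)\+)?(?:(\d+):)?(\d+)$') {
        return ([int]$Matches[1] * 1440) + ([int]$Matches[2] * 60) + [int]$Matches[3]
    }
    return 0
}

function Get-LocalSession([string[]]$Lines) {
    foreach ($line in @($Lines | Select-Object -Skip 1)) {
        # SESSIONNAME is blank for disconnected sessions, so that column is optional.
        if ($line -match '^[ >](\S+)\s+(?:(\S+)\s+)?(\d+)\s+(Active|Disc)\s+(\S+)\s') {
            $user, $id, $state, $idle = $Matches[1], $Matches[3], $Matches[4], $Matches[5]
            New-Object PSObject -Property @{
                User = $user; Id = [int]$id; State = $state
                IdleMinutes = ConvertTo-IdleMinutes $idle
                Current = $line.StartsWith('>')   # '>' marks the caller's own session
            }
        }
    }
}

$lines = if ($Demo) { $sample } else { quser 2>$null }
$stale = @(Get-LocalSession $lines | Where-Object {
    $_.State -eq 'Disc' -and -not $_.Current -and $_.IdleMinutes -ge $MinIdleMinutes
})
foreach ($s in $stale) {
    Write-Output ("Stale: {0} (session {1}, idle {2} min)" -f $s.User, $s.Id, $s.IdleMinutes)
    if ($Apply -and -not $Demo) { logoff $s.Id }
}
```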