All thte PCs have suddenly started to log off, and out.  I cannot explain what has happened

Johnny
Johnny used Ask the Experts™
on
I have a small site running all windows 10 PCs inside of a windows Domain architecture.
Everything is very very clean Domain.  The site is managed via Solar Winds which is a mature product.
 The  Domain Server being used is a 2012 R2 Server product without virtualization.

The rest of the software apps are simply Accounting and Patient Dats.  Its as I have said, a very clean environment.      
About 2 weeks ago suddenly each PC started logging off of the network, and going back to lock screen from before logging ive checked everything I can think.  The GPOs are not configured to do any sort of locking out, or logging off.

Ive been racking my head trying to discover what could be the problem.  I know that Microsoft laid out a bad update about 2 weeks ago.  I wondered if maybe this had anything to do with it.    Anyway,  all the PCs are affected, and the issue just came about starting 2 weeks ago.

Any clarity of thought would be appreciated.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Jackie Man IT Manager
Top Expert 2010

Commented:
You cannot logon to any PC now?
Lee W, MVPTechnology and Business Process Advisor
Most Valuable Expert 2013

Commented:
Event Logs?
NoahHardware Tester and Debugger

Commented:
Hi there! :)

You need to make sure the hosting server is available and accessible by from the Administrator accounts in the domain controller. If the problem persists, you should contact the support team since it's been a while.
OWASP Proactive Controls

Learn the most important control and control categories that every architect and developer should include in their projects.

Distinguished Expert 2017

Commented:
Pkease clarify as it is not clear.
At what point does the PC logoff?
Does it occur at the same time?

Or you are talking about user login automatically logs off?
Top Expert 2016

Commented:
Check your power options and screensaver options. They may have been reset after a windows update.
JohnnyIT Consultant!

Author

Commented:
Some in depth info.

The PCs all log off precisely 20 minutes after being idle.  All power settings are set appropriately and are not configure to do this.
THe users can simply log back on without any problem, but then after being idle for the same period of time the PCS again log off.
There was a time a couple of years ago when the GPO had been set to log off after an idle period.  This has been turned off long ago.
GPOs update successfully every time.  DNS is function 100%.  There are no errors within system logs as well.

Administrator accounts are not the problem.  Power settings are not the problem, nor is DNS within Active Directory.
In fact the Logs are very empty of any error condition.  As I have said solar winds is deployed, and appears to be working correctly.  

All PCs are windows 10.  As I have said, the Active directory is healthy as well.  All basic settings are set correctly.  This is a very unusual issue.  Please keep in mind that I have been working deploying PCs and networks for a little over 30 years, and have been doing this every day through out.  Hence, the basics are typically covered.  However, simple mistakes do happen, and suggestions are welcome.
Distinguished Expert 2017

Commented:
They logoff, or as David pointed out the screen saver kicks in with a requirement that the user needs to provide credentials to regain access. While both appear as a login, the one to unlock the system still has all the running Windows.

It is a HIPAA requirement that systems used do not stay open for anyone's access. A GPO with screen saver settings..
usually, in healthcare, the window of an accessible system shoukd be narrower 10 or even 5 minutes of idle times to lock.
Brian BEE Topic Advisor, Independant Technology Professional

Commented:
It sounds more like they are locking versus logging off. As suggested, disable the screen saver and see if that stops the issue.

I didn't catch where health care requirements came into the discussion, but it is still good practice to have the PCs lock automatically after a certain amount of time.
Distinguished Expert 2017

Commented:
From the question's second paragraph/sentence, "The rest of the software apps are simply Accounting and Patient Dats. "

This time I did not miss that info during the question scan.
Pete LongTechnical Consultant

Commented:
Mmmm  
Start > run. > mmc.exe
Add the RSOP snap in
Run it and generate the data
Is anything setting lock screen settings?

On one machine Set Computer Configuration > Administrative Templates > Control Panel > Personalization. > Do not display the lock screen

Set to enabled, does the problem cease?

On an affected machine look at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization

Is there a DWORD for NoLockScreen if not create it and set it to 1

</P>
JohnnyIT Consultant!

Author

Commented:
Pete long, thank you for the technical data.  That's what i need.  I make my living and have for the past 20nyear performing consulting. This is just one of many clients
 Hence, I am the admin.   As for HIPAA , I've implemented aspiring solutions for the legislation many times from 98 on.  You data will help.  I tried to explain that I am not a novice and that I need your kind of data.  I will implement your data set and update with my results, awesome!
JohnnyIT Consultant!

Author

Commented:
I've been building networks and systems since 89.  Please provide technical data.  This is what I need.  Please avoid telling me to check my screen saver.  As for the issue at hand, my data collected indicates that its locking the PC's down.  Sorry for that lack of clarity.  The client is in Oregon and I am in Pittsburgh.  Makes the translation of data difficult.
Distinguished Expert 2017

Commented:
If the systems lock and require a login to resume, this is an option where one sets that a login is required to resume.

What is it you want to end up with? The systems never lock?

I need a clear understanding what the issue is to provide advice.

Are you able to get onto one of those systems remotely through a variety of tools including logmein, teamviewer, etc.
and check the suggestions made. power settings dealing with whether the computer is set to sleep/hibernate
screen saver settings that require a login to unlock.

Point being you have to identify what the complaint is does the user get logged off the system after 20 minutes of inactivity. Or does the user's system goes to sleep, kicks in the screen saver and requires the user to log back in to resume their prior session?


This is a domain environment, and best dealt with via the DC GPO versus local policies that are superseded by the DOMAIN GPOs.
JohnnyIT Consultant!

Author

Commented:
Right,  yes..  I am currently checking the registry settings, and running the RSOp suggestion.  Now, keep in mind that everything on the PCs in question are set through solar winds which is managing the GPOs.  Like ive said the GPOs are dropping correctly, and the domain is extremely healthy.  I do want to amend the issue in that the PCs are locking out.  all apps are continuing to run.  All basic setting are check, rechecked, and checked again.  I will report back with the results of the MMC snap in RSOP.
JohnnyIT Consultant!

Author

Commented:
Ok, Ive added the registry key, and rebooted.  Now waiting for the staff to advise weather the problem goes away.  I am waiting for a HTML file of a GPResult command that we just ran.

Its on its way, and I will attach.  there is nothing in the GPO set.  Everything is set to not defined. although, there are a couple of GPos for some mapped drives, and the like.  Nothing special.  Like I said, last year some time they had added a GPO edit to send the control alt del and then lock in order to apply HIPAA, but the docs in typical fashion began to balk.  now that GPOs setting was removed a year ago.  for a year time line everything was perfect.  Then 2 weeks ago the problem began to manifest.  My next query to my client was, are we looking at an interaction between 2012 R2 Server, and solar winds, and a Microsoft update.  His response was, well, I am managing 20 other domains running the exact same windows server version and there are no issues there.  that all well and good, but something at this site could not be working well with some of the recent updates.  I know that Microsoft had a big problem exactly 2 weeks ago, and the big complaint was that they were dragging their heals on resolving the problem.  My thoughts are that I am looking at something other than a GPO issue.

Thank all!
JohnnyIT Consultant!

Author

Commented:
Within the response I had a n update where some one asked me to enter a registry entry to see how ting progressed.  Sadly the problem persists.

Ive added a file here in HTMl format.  This is the GPresult report.  You will see that very little is being adjusted from the GPO.
Further I ran the RSOP and nothing is showing as being set again there.

Im going to turn inward and query a bunch of Admins I know from a consulting company Ive worked for from time to time.  There are easy a hundred or so admins here.  This is a baffling problem as all of the basics are set correctly and still the problem continues.

any help would be appreciated.  Thanks and see the report.
front.html
Top Expert 2016

Commented:
The winning gpo is default domain policy.. Power options are as follows:
Require a password on wakeup:      Yes      Yes
Turn off display after    15 minutes      After 10 minutes
Brian BEE Topic Advisor, Independant Technology Professional

Commented:
So it sounds like exactly the same thing you would have discovered much earlier if you had just disabled the screen saver like Experts said earlier. The next step would have been how to then globally fix it using policy which is exactly what we ended up doing.
JohnnyIT Consultant!

Author

Commented:
I've been away from this question as I was busy converting a rite aid to a walgreens.  That took 30 plus hours now I need to resolve thos clients ongoing problem.
Top Expert 2016

Commented:
I've already given you the answer it is coming from your default domain group policy power options
Require a password on wakeup:      Yes      Yes
Turn off display after    15 minutes      After 10 minutes
JohnnyIT Consultant!

Author

Commented:
I will take this data to the admin.  However, the event happens at the 20 minute mark, and they have toggled this without any affect meaning within the default domain.  However, in the interest of leaving no stone unturned I will bring this data to the admin who has asked me to make discovery of the matter.  I will meet with the client at 1Pm pacific, 4 PM Est for me.  I will let you know by I am looking into deeper issues with the domain and problems with the sysvol at this time.  But as I said I will precept everything with an e-mail indicating that the default GPO at runtime of PGresult showed the following which I was aware, but I will bring it back to their attention.
Distinguished Expert 2017

Commented:
GPO changes can take time to propagate changes. IT is possible that the setting is being passed from several GPOs. GPMC is a way to determine the source.
If this is an issue with the computer getting Locked versus the user being LOGGED OFF. There might be something else there, i.e. there are software (3rd party) that are used to confirm user time, it is possible if that is in use and the parameters is such that if the user is inactive, screen saver kicked in for an extended period to log off the user.

Using GPMC group policy results option and generate a report for a specific system and a user who logs into it, and then look through the report and its detail you can see which policy sets the parameter David pointed out on several occassions.
Then when the policy is changed, if this setting still applies the above process when rerun will indicate which policy is controlling the setting now.
Commonly, best practices were not to make any changes to the default policies (domain or domain controllers) adjustments were recommended to be done in new policies that are so identified........

It might be that two admins one made the adjustment to the default domain GPO while someone else created a GPO for that purpose......
IT Consultant!
Commented:
IT came down to an issue with a GPO not propagating correctly.
From what the admins tell me they followed some of my directives, and the problem is resolved.

thank you

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial