myITforum.com Community Forum

Force Logoff Policy

 
Force Logoff Policy - 11/13/2004 6:18:29 PM   
dstein


Posts: 618
Score: 5
Joined: 3/12/2003
From: Virginia, USA
Status: offline
I have a test lab with two XP SP2 clients and a single W2K3 DC running in native mode AD. I configured two user accounts with logon hours to expire at 7:00 PM every night. Then I configured the Default Domain Policy "Force Logoff When Logon Hours Expire" but it doesn't have any effect while the user is logged on. If they log off at 6:55 and try to log back in at (or after) 7:00 it blocks them fine. But if they stay logged on it never dumps them out. Am I missing something or is that a known problem? I ran GPRESULT and it shows the policy is being applied fine. Every other setting appears to take hold except that one.

_____________________________

software is squishy-squashy, hardware is wishy-washy
Post #: 1
RE: Force Logoff Policy - 11/14/2004 12:23:18 AM   
mgeller

 

Posts: 32
Score: 2
Joined: 11/2/2004
Status: offline
dstein,

It only blocks them from using their credentials again on the domain (file shares, etc). It doesn't truly force logoff due to application implications of a forced logoff.

(in reply to dstein)
Post #: 2
RE: Force Logoff Policy - 11/16/2004 9:02:39 PM   
dstein


Posts: 618
Score: 5
Joined: 3/12/2003
From: Virginia, USA
Status: offline
Crap! Why couldn't it do something like "shutdown -l -f -t 60" or something? What a letdown. I'm sorry but that policy label is extremely misleading. "Force Logoff" shouldn't imply "block access to resources". I'm not blaming you, sorry if I sound that way. I'm disappointed in how the policy is labeled.

_____________________________

software is squishy-squashy, hardware is wishy-washy

(in reply to dstein)
Post #: 3
RE: Force Logoff Policy - 11/17/2004 8:28:00 PM   
dstein


Posts: 618
Score: 5
Joined: 3/12/2003
From: Virginia, USA
Status: offline
Is there a utility ANYWHERE that can be used to force user logoffs when their logon hours expire then?

_____________________________

software is squishy-squashy, hardware is wishy-washy

(in reply to dstein)
Post #: 4
RE: RE: Force Logoff Policy - 11/17/2004 9:13:07 PM   
dthomson


Posts: 1382
Score: 223
Joined: 6/20/2001
From: Eastern Shore Maryland, USA
Status: offline
One thing that I thought of was: Does an entry get written to the event log of the local PC or a domain controller when a user's hours expire? If so, a script can be used to monitor the log for those events. When an event is found, the script executes a logoff tool.

I played around briefly, but I only saw events being added to the log when the user with expired hours tried to access a network resource.

Just a thought....

_____________________________

Dan


(in reply to dstein)
Post #: 5
RE: Force Logoff Policy - 11/18/2004 10:06:34 PM   
dstein


Posts: 618
Score: 5
Joined: 3/12/2003
From: Virginia, USA
Status: offline
I tried something like that, but approached it as a scheduled task that runs at login. It runs every 30 minutes and checks if the current time is outside the user login hours for that day, and fires "shutdown -l -f -t 15" if so. Crude and buggy but it works most of the time. I can't believe such a hole exists in the fabric of MS security. Why even have a policy with such a name? No different than a dealer advertising a car and handing you the keys after you buy it, only to find it doesn't have an engine.

_____________________________

software is squishy-squashy, hardware is wishy-washy

(in reply to dstein)
Post #: 6
RE: RE: Force Logoff Policy - 11/18/2004 10:21:27 PM   
dthomson


Posts: 1382
Score: 223
Joined: 6/20/2001
From: Eastern Shore Maryland, USA
Status: offline
I like your solution and agree that this policy needs to be reworked.

_____________________________

Dan


(in reply to dstein)
Post #: 7
RE: Force Logoff Policy - 11/20/2004 9:33:57 PM   
dstein


Posts: 618
Score: 5
Joined: 3/12/2003
From: Virginia, USA
Status: offline
There are problems with my attempted "solution". One is that the script I use is launched at login, and runs under the user context. That means a savvy user can kill it in Task Mgr. Also, I find that reading the LDAP property "loginHours" and decoding the binary values into days and times produces some unpredictable results. I've found it more reliable (but more clunky) to shell out and dump the "NET USER username /DOMAIN" result to a text file, parse it and get the login days/times from that. It's not *that* slow actually, but I hate doing things that way when it should be built-in already.

_____________________________

software is squishy-squashy, hardware is wishy-washy

(in reply to dstein)
Post #: 8
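The logon-hours decoding mentioned in post 8, as an added example that is not part of the original thread. The AD attribute (logonHours) is 21 bytes, one bit per hour of the week, stored in UTC with Sunday 00:00 as bit 0 and the least-significant bit of each byte first; both details are easy to get wrong when decoding by hand. The function names and the sample schedule are constructed for illustration.

```powershell
# Added example: decode a logonHours value and test one point in time against it.

function Test-LogonHourAllowed {
    param(
        [byte[]]$LogonHours,             # $null/empty = attribute not set = no restriction
        [datetime]$When = (Get-Date)
    )
    if ($null -eq $LogonHours -or $LogonHours.Length -eq 0) { return $true }
    if ($LogonHours.Length -ne 21) {
        throw "logonHours must be 21 bytes, got $($LogonHours.Length)"
    }
    # The bitmap is always UTC, so convert before picking the slot.
    $utc  = $When.ToUniversalTime()
    $slot = ([int]$utc.DayOfWeek) * 24 + $utc.Hour       # 0..167, Sunday 00:00 UTC = 0
    # Byte index = slot / 8, bit index = slot % 8, least-significant bit first.
    return ($LogonHours[$slot -shr 3] -band (1 -shl ($slot -band 7))) -ne 0
}

# Hypothetical helper that builds a constructed sample value (hours in UTC, end exclusive).
function New-LogonHours {
    param([int[]]$Days, [int]$StartHour, [int]$EndHour)
    $blob = New-Object byte[] 21
    foreach ($d in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            $slot = $d * 24 + $h
            $blob[$slot -shr 3] = $blob[$slot -shr 3] -bor (1 -shl ($slot -band 7))
        }
    }
    return ,$blob
}

# Constructed sample: Monday-Friday, 08:00-19:00 UTC.
# In production the bytes would come from the user's logonHours attribute instead.
$hours = New-LogonHours -Days 1,2,3,4,5 -StartHour 8 -EndHour 19

# 2004-11-15 was a Monday; check one minute before and exactly at the cutoff.
foreach ($t in '2004-11-15 18:59', '2004-11-15 19:00') {
    $when = [datetime]::SpecifyKind([datetime]$t, [DateTimeKind]::Utc)
    $ok   = Test-LogonHourAllowed -LogonHours $hours -When $when
    "{0:u} allowed={1}" -f $when, $ok
    # A scheduled check would run the logoff command from the thread when $ok is $false.
}
```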
RE: Force Logoff Policy - 10/9/2008 9:09:07 PM   
dkujawski

 

Posts: 1
Score: 0
Joined: 10/9/2008
Status: offline
WOW! This is a great topic.

I have been looking for this same issue and have been trying to figure a way to make this work. I have a few people that I need to have logged off at a certain time, so I put their hours into their profiles and told the default GPO to force off with no results. Maybe there would be a way to have the client hit the server every 5 mins and then when it is not allowed to use a network resource to flag and launch the script to log it off or shut it down.

What do you think?


(in reply to dstein)
Post #: 9
RE: Force Logoff Policy - 10/10/2008 4:53:52 PM   
rbennett806


Posts: 821
Score: 13
Joined: 6/14/2006
Status: offline
I'm not sure if this will work or not, so I'm just tossing it out there...

You could write a script that calls shutdown.exe and forces a user log off. So in rough pseudo-code...
if USER = xxxxxxxx
and
if TIME >= 00:00
and
if TIME <= 99:99 then
    run shutdown.exe /l

Then you could maybe use Task Scheduler to schedule the script to run every so often.

Just an idea...

(in reply to dkujawski)
Post #: 10
RE: Force Logoff Policy - 11/5/2008 1:21:40 PM   
dsteinbrecher


Posts: 463
Score: 22
Joined: 6/12/2001
Status: offline
The only way I have ever been successful at this was not through group policy. We had an SMS job that ran every X minutes or hours as the user, and queried AD for the information. Then based on the results we would or would not force the log off. It was a VBScript that we ran, and unfortunately I don't have that anymore. Worked great since SMS was running the job as the current logged on user.

Hope this helps

_____________________________

Douglas Steinbrecher
SMS Architect, Active Directory
Blieorg@Yahoo.com

myITForum Columnist

(in reply to dstein)
Post #: 11