Force Logoff Policy (Full Version)

All Forums >> [Management Products] >> Active Directory and Group Policy





dstein -> Force Logoff Policy (11/13/2004 6:18:29 PM)

I have a test lab with two XP SP2 clients and a single W2K3 DC running in native mode AD. I configured two user accounts with logon hours to expire at 7:00 PM every night. Then I configured the Default Domain Policy "Force Logoff When Logon Hours Expire" but it doesn't have any effect while the user is logged on. If they log off at 6:55 and try to log back in at (or after) 7:00 it blocks them fine. But if they stay logged on it never dumps them out. Am I missing something or is that a known problem? I ran GPRESULT and it shows the policy is being applied fine. Every other setting appears to take hold except that one.




mgeller -> RE: Force Logoff Policy (11/14/2004 12:23:18 AM)

dstein,

It only blocks them from using their credentials again on the domain (file shares, etc). It doesn't truly force logoff due to application implications of a forced logoff.




dstein -> RE: Force Logoff Policy (11/16/2004 9:02:39 PM)

Crap! Why couldn't it do something like "shutdown -l -f -t 60" or something? What a letdown. I'm sorry but that policy label is extremely misleading. "Force Logoff" shouldn't imply "block access to resources". I'm not blaming you, sorry if I sound that way. I'm disappointed in how the policy is labeled.




dstein -> RE: Force Logoff Policy (11/17/2004 8:28:00 PM)

Is there a utility ANYWHERE that can be used to force user logoffs when their logon hours expire then?




dthomson -> RE: RE: Force Logoff Policy (11/17/2004 9:13:07 PM)

One thing that I thought of was: Does an entry get written to the event log of the local PC or a domain controller when a user's hours expire? If so, a script can be used to monitor the log for those events. When an event is found, the script executes a logoff tool.

I played around briefly, but I only saw events being added to the log when the user with expired hours tried to access a network resource.

Just a thought....




dstein -> RE: Force Logoff Policy (11/18/2004 10:06:34 PM)

I tried something like that, but approached it as a scheduled task that runs at login. It runs every 30 minutes and checks if the current time is outside the user login hours for that day, and fires "shutdown -l -f -t 15" if so. Crude and buggy but it works most of the time. I can't believe such a hole exists in the fabric of MS security. Why even have a policy with such a name? No different than a dealer advertising a car and handing you the keys after you buy it, only to find it doesn't have an engine.




dthomson -> RE: RE: Force Logoff Policy (11/18/2004 10:21:27 PM)

I like your solution and agree that this policy needs to be reworked.




dstein -> RE: Force Logoff Policy (11/20/2004 9:33:57 PM)

There are problems with my attempted "solution". One is that the script I use is launched at login, and runs under the user context. That means a savvy user can kill it in Task Mgr. Also, I find that reading the LDAP property "loginHours" and decoding the binary values into days and times produces some unpredictable results. I've found it more reliable (but more clunky) to shell out and dump the "NET USER username /DOMAIN" result to a text file, parse it and get the login days/times from that. It's not *that* slow actually, but I hate doing things that way when it should be built-in already.




dkujawski -> RE: Force Logoff Policy (10/9/2008 9:09:07 PM)

WOW! This is a great topic.

I have been looking for this same issue and have been trying to figure a way to make this work. I have a few people that I need to have logged off at a certain time, so I put their hours into their profiles and told the default GPO to force off, with no results. Maybe there would be a way to have the client hit the server every 5 mins and then, when it is not allowed to use a network resource, flag and launch the script to log it off or shut it down.

What do you think?





rbennett806 -> RE: Force Logoff Policy (10/10/2008 4:53:52 PM)

I'm not sure if this will work or not, so I'm just tossing it out there...

You could write a script that calls shutdown.exe and forces a user log off. So in rough pseudo-code...
# Placeholders kept from the post: the user name and the time window.
$targetUser  = 'xxxxxxxx'
$windowStart = [TimeSpan]'00:00'
$windowEnd   = [TimeSpan]'23:59'   # the post's 99:99 is not a valid time; 23:59 stands for end of day
$now = (Get-Date).TimeOfDay
if ($env:USERNAME -eq $targetUser -and $now -ge $windowStart -and $now -le $windowEnd) {
    shutdown.exe /l /f               # /f closes applications without warning
}

Then you could maybe use Task Scheduler to schedule the script to run every so often.

Just an idea...




dsteinbrecher -> RE: Force Logoff Policy (11/5/2008 1:21:40 PM)

The only way I have ever been successful at this was not through group policy. We had an SMS job that ran every X minutes or hours as the user, and queried AD for the information. Then based on the results we would or would not force the log off. It was a VBScript that we ran, and unfortunately I don't have that anymore. Worked great since SMS was running the job as the current logged on user.

Hope this helps
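What the thread converges on (dstein's scheduled task, dkujawski's poll-every-5-minutes idea, and dsteinbrecher's SMS job), written out as an added example in PowerShell; this is not code from any of the posters. Two points the posts circle around are settled here. First, the policy setting itself only tears down SMB sessions on servers when the hours expire; it never logs an interactive session off, so the logoff has to be done on the client. Second, the AD attribute is named logonHours (the thread writes "loginHours"), and its 21 bytes are 168 one-hour bits counted from Sunday 00:00 in UTC, least-significant bit first; decoding it as local time is the usual reason the result looks unpredictable. The script is meant to run from a scheduled task as SYSTEM rather than at user logon, which is what stops the user from ending it in Task Manager. Assumptions: a domain-joined host with PowerShell 3 or later (the XP clients in the thread would need the same logic in VBScript), the built-in quser.exe, logoff.exe and msg.exe, and no RSAT (System.DirectoryServices is used directly). The 21-byte mask and the two dates at the bottom are constructed for illustration.

```powershell
# Added example, not code from the thread. Run from a scheduled task as SYSTEM
# (see the usage note) so the logged-on user cannot kill it in Task Manager.
# Assumes PowerShell 3+, a domain-joined host, and quser.exe/logoff.exe/msg.exe.

# Decode the 21-byte logonHours attribute into 168 per-hour flags.
# Bit i (0..167) is hour i of the week counted from Sunday 00:00 UTC; bit 0 is
# the least-significant bit of byte 0. The mask is stored in UTC, which is why
# decoding it as local time yields hours that appear shifted.
function Get-AllowedHourTable {
    param([byte[]]$LogonHours)
    $allowed = New-Object 'bool[]' 168
    if ($null -eq $LogonHours -or $LogonHours.Length -ne 21) {
        # Attribute absent: the account has no restriction, so allow everything.
        for ($i = 0; $i -lt 168; $i++) { $allowed[$i] = $true }
        return ,$allowed
    }
    for ($i = 0; $i -lt 168; $i++) {
        $byte = [int][math]::Floor($i / 8)   # Floor, not [int], which would round 7/8 up
        $bit  = $i % 8
        $allowed[$i] = (($LogonHours[$byte] -band (1 -shl $bit)) -ne 0)
    }
    return ,$allowed
}

# True when the instant falls in an allowed hour. Convert to UTC first so the
# comparison uses the same time base as the mask.
function Test-LogonHourAllowed {
    param([bool[]]$Allowed, [datetime]$At = (Get-Date))
    $utc   = $At.ToUniversalTime()
    $index = ([int]$utc.DayOfWeek * 24) + $utc.Hour   # DayOfWeek: Sunday = 0
    return $Allowed[$index]
}

# Fetch logonHours for a sAMAccountName from the default naming context.
# Returns $null when the attribute is not set (no restriction).
function Get-UserLogonHours {
    param([string]$SamAccountName)
    # Escape LDAP filter metacharacters (backslash first) before interpolating.
    $safe = $SamAccountName.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher("(&(objectCategory=person)(sAMAccountName=$safe))")
    [void]$searcher.PropertiesToLoad.Add('logonHours')
    $result = $searcher.FindOne()
    if ($null -eq $result -or $result.Properties['logonhours'].Count -eq 0) { return $null }
    $bytes = [byte[]]$result.Properties['logonhours'][0]
    return ,$bytes
}

# Enumerate interactive sessions via quser.exe. Its columns are USERNAME,
# SESSIONNAME (blank for disconnected sessions), ID, STATE, ...; the caller's
# own session is prefixed with '>'. The optional group tolerates a blank name.
function Get-InteractiveSessions {
    $pattern = '^\s*>?(?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+(?<state>Active|Disc)\b'
    foreach ($line in @(quser.exe 2>$null | Select-Object -Skip 1)) {
        if ($line -match $pattern) {
            [pscustomobject]@{ User = $Matches['user']; Id = [int]$Matches['id']; State = $Matches['state'] }
        }
    }
}

# Body for the scheduled task: warn, wait, then end the session with logoff.exe,
# which as SYSTEM can log off any session by ID. shutdown /l only ever logs off
# the caller's own session, which is why the thread's user-context task had to
# run as the user (and could therefore be killed by the user).
function Invoke-LogonHourEnforcement {
    param([int]$GraceSeconds = 60)
    foreach ($s in Get-InteractiveSessions) {
        $allowed = Get-AllowedHourTable -LogonHours (Get-UserLogonHours -SamAccountName $s.User)
        if (-not (Test-LogonHourAllowed -Allowed $allowed)) {
            msg.exe $s.Id "Your logon hours have expired; you will be logged off in $GraceSeconds seconds." 2>$null
            Start-Sleep -Seconds $GraceSeconds
            logoff.exe $s.Id
        }
    }
}

# Constructed demo mask: bytes 0-2 (Sunday's 24 bits) cleared, every other hour
# allowed. 2004-11-14 was a Sunday and 2004-11-15 a Monday; both checks are at
# 10:00 UTC, so the first is denied and the second allowed.
$demoMask = New-Object 'byte[]' 21
for ($b = 3; $b -lt 21; $b++) { $demoMask[$b] = 0xFF }
$table = Get-AllowedHourTable -LogonHours $demoMask
Test-LogonHourAllowed -Allowed $table -At (New-Object DateTime 2004,11,14,10,0,0,([DateTimeKind]::Utc))
Test-LogonHourAllowed -Allowed $table -At (New-Object DateTime 2004,11,15,10,0,0,([DateTimeKind]::Utc))
```

Save it with a final line calling Invoke-LogonHourEnforcement and register it under SYSTEM, for example `schtasks /create /tn EnforceLogonHours /ru SYSTEM /sc minute /mo 5 /tr "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File C:\Scripts\EnforceLogonHours.ps1"` (the task name and path are placeholders). Two caveats a practitioner should expect: a user who is a local administrator can still disable the task, so this is a control against ordinary users only; and when comparing the decoded hours against what ADUC or NET USER shows, remember that those tools shift the UTC mask by the local time-zone offset, so the raw bits will look off by that offset.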



