Force Logoff if Inactive
Harry Paratestes
Anyone know of tool/script/CMD that will automagically log
off lusers after timeout has expired? Situation we have
is lusers habitually locking their workstations and never
logging off. Most recently, we've found out that a couple
lusers from a remote office are currently on-travel and
left their workstations powered on with screens locked.
We have password locked screensaver implemented to kick
off after 15 minutes of inactivity. We'd like ability to
subsequently force logoffs after 24-36 hours of inactivity
(weekends, business travel, etc.). We do NOT want to
change our current screensaver set up (i.e. don't want to
use Winexit.scr or something similar).
I looked at Winexit.scr and also for a GPO security
setting. No luck on GPO and Winexit didn't seem to do
what I wanted. Don't want to implement the "working
hours" GPO either which would log off or lockout lusers
during certain hours of the day (we occassionally have
shift work, also some lusers travel to various timezones).
Summary: Luser locks workstation or password-protected
screensaver kicks in. If no activity for 24hrs, luser
gets bounced (and/or system reboots).
Any tips? Is this even feasible?
HP sends
Carey Frisch [MVP]
check next to "on resume, display Welcome Screen". This will
log the user off when the screensaver initiates.
--
Carey Frisch
Microsoft MVP
Windows XP Shell/User
---------------------------------------------------------------------------------------------
"Harry Paratestes" <anon...@discussions.microsoft.com> wrote in message:
news:046301c3ab10$3dba6cc0$a401...@phx.gbl...
Harry Paratestes
My goal is to logout a luser after 24 hours of
inactivity. I want the locked screensaver to come on
after 15 minutes, and stay on until either (1) user
unlocks workstation or (2) 24 hours of inactivity
condition has occured, which ever happens first.
Any thoughts?
HP
>.
>
Roger Abell
triggered by that checkbox. It causes the user to
have to authenticate in via Welcome screen in order
to resume their session. It does not log the account
off, but rather has treated it much as a switch-user
action.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Carey Frisch [MVP]" <mrxp...@nospamyahoo.com> wrote in message
news:%23NSQ3Fx...@tk2msftngp13.phx.gbl...
Steven L Umbach
after a certain period of idle time - up to 999 minutes though I don't know
of a good way offhand to implement it on a large number of computers. ---
Steve
"Harry Paratestes" <anon...@discussions.microsoft.com> wrote in message
news:046301c3ab10$3dba6cc0$a401...@phx.gbl...
>
Harry Paratestes
Thanks, read something similar on a bulletin board after my ng post. The
"scheduling" of the logoff was kind of the first thought we had. We may end
up just having to go with that. In a perfect world, we'd like an "event
trigger" where logoff only occurs if certain condition exists (i.e.
inactivity after X# of hours/minutes). I've found off-the-shelf products
that can do exactly this, so I'm thinking it can be done, not to mention our
IT budget is a joke and the thought of buying these products is OOQ. Out of
frustration, we're moving away from GPO or ResKit tools and towards
script-writing. We're thinking to implement the LOGOFF.EXE tool, but not
sure what mechanism is available to determine 'idle time' on the
workstation. And when inactivity condition = TRUE, how does the DC trigger
the LOGOFF.EXE on the workstation / luser account?
We currently have about 30 workstations on-site, with another 50-75
scattered around at remote sites.
Thanks again,
HP
"Steven L Umbach" <sumb...@ameritech.net> wrote in message
news:crstb.2199$4X4.5...@newssrv26.news.prodigy.com...
Torgeir Bakken (MVP)
> Thanks, read something similar on a bulletin board after my ng post. The
> "scheduling" of the logoff was kind of the first thought we had. We may end
> up just having to go with that. In a perfect world, we'd like an "event
> trigger" where logoff only occurs if certain condition exists (i.e.
> inactivity after X# of hours/minutes). I've found off-the-shelf products
> that can do exactly this, so I'm thinking it can be done, not to mention our
> IT budget is a joke and the thought of buying these products is OOQ. Out of
> frustration, we're moving away from GPO or ResKit tools and towards
> script-writing. We're thinking to implement the LOGOFF.EXE tool, but not
> sure what mechanism is available to determine 'idle time' on the
> workstation. And when inactivity condition = TRUE, how does the DC trigger
> the LOGOFF.EXE on the workstation / luser account?
Hi
You can't do this detection from the DC, it will have no idea about if the
workstations are idle or not, you need to do this on the local computer.
I don't know of any way with a script to determine idle time, but the solution
Steve suggested should work, creating a Scheduled Tasks on every computer that
kicks in after x minutes of idle time and runs a logoff script/program.
--
torgeir
Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of the 1328 page
Scripting Guide: http://www.microsoft.com/technet/scriptcenter
Harry Paratestes
Just now I checked out the Scheduled Task Wizard on W2K client. I believe I
could do what you're suggesting, but the missing piece to the puzzle is the
'inactivity timer'. Did a little more research on this and it dawned on me
that there MUST be an internal clock/process/service/daemon running on W2K
that determines inactivity. No surprise here, screensaver and Power Scheme
functions [Control Panel/Power Options] obviously are triggered by some
keypad or mouse activity timer. Terminal services on W2K Server has
inactivity function too (bounces users if not activitely using TS).
If anyone has insight on the process/service/daemon that determines keyboard
and/or mouse inactivity on W2K and how to exploit it, any guidance or points
will be much appreciated.
HP sends
"Torgeir Bakken (MVP)" <Torgeir.B...@hydro.com> wrote in message
news:3FB68D9C...@hydro.com...
>"Steven L Umbach" <sumb...@ameritech.net> wrote in message
>news:crstb.2199$4X4.5...@newssrv26.news.prodigy.com...
>
>
> You might look at using Scheduled Tasks to run logoff.exe or shutdown.exe
> after a certain period of idle time - up to 999 minutes though I don't
know
Harry Paratestes
Think I'm getting warm.....
http://www.codeproject.com/dll/trackuseridle.asp
"Harry Paratestes" <har...@newz-grp-reader.com> wrote in message
news:OMfe868...@TK2MSFTNGP11.phx.gbl...
Torgeir Bakken (MVP)
> Torgeir Bakken (MVP) wrote:
>
> > I don't know of any way with a script to determine idle time, but the
> > solution Steve suggested should work, creating a Scheduled Tasks on
> > every computer that kicks in after x minutes of idle time and runs a
> > logoff script/program.
>
> Just now I checked out the Scheduled Task Wizard on W2K client. I believe I
> could do what you're suggesting ..(snip)
Hi
I was able to to this now on a WinXP client using WinXP built in command line
task scheduler "manipulator" SCHTASKS.exe and the psshutdown.exe utility from
the free PSTools suite found at http://www.sysinternals.com.
This will create a scheduled task running with the credentials of the local
Administrator (with password xxx in the example) that logs the *console* user
off after 16,65 hours inactivity (999 minutes is the max value):
SCHTASKS.exe /Create /RU "%COMPUTERNAME%\Administrator" /RP xxx
/SC ONIDLE /I 999 /TN "IdleLogoff" /TR "C:\psshutdown.exe -o -f"
Note that the way this configures the task scheduler, if you set it to reboot
the computer it will reboot the computer even if nobody is logged in (when the
computer is idle at the logon screen). Logoff or shutdown/poweroff will be a
better choice I think.
Note that you can use SCHTASKS.exe to configure a scheduled task on a remote
computer (if that will work against a Win2k computer I do not know). Run
SCHTASKS /? in a command prompt for more help.
I was not able to use WinXP's shutdown.exe utility, it looks like it is not able
to log off another user than the one user that is defined as the "task" user.
However, Sysinternals's psshutdown utility was able to do this. I also tried to
use /RU "NT AUTHORITY\SYSTEM" instead of using the Administrator user, but I
could not get the scheduled task to run psshutdown.exe then.
For Win2k, it may be that JT.EXE is able to create a scheduled task like
SCHTASKS.exe is for WinXP:
http://www.jsiinc.com/SUBF/TIP2600/rh2621.htm
ftp://ftp.microsoft.com/reskit/win2000/jt.zip
Patrick J. LoPresti
The Win32_Desktop WMI class has a "ScreenSaverActive" property. You
can use WMI events to monitor the state of that property.
Roughly... You would use ExecNotificationQuery with a query string
like "SELECT * FROM __InstanceModificationEvent WHERE TargetInstance
ISA 'Win32_Desktop'". The result of that query would be an
SWbemEventSource on which you would repeatedly call NextEvent with a
timeout.
That call, in turn, would either time out or give you an
__InstanceModificationEvent (whose TargetInstance is a Win32_Desktop).
Thus, you have a loop which you can use to keep track of the screen
saver state, waking up if that state does not change for a while. You
just need to combine this with a mechanism for logging off the current
user.
This idea needs some refinement; e.g., to make the WQL query apply
only to the Win32_Desktop of the current user. But I believe the
basic idea is sound.
- Pat
http://unattended.sourceforge.net/
Harry Paratestes
Thanks again!
1) Trying to find the JT.exe tool in the W2K ResKit, but no luck. Unable
to download for some reason from MS site (FTP down?)
2) LOGOFF.exe is another W2K ResKit tool. Using your command line code,
I'd replace the Sysinternals tool with LOGOFFexe.
3) I gotta pack up for business trip, fly out tonight. Will monitor this
NG when I get to destination.
Here's a hack to make SCHTASKS.exe run on Windows 2000:
http://www.jsifaq.com/SUBK/tip5300/rh5335.htm
HP sends
----- Original Message -----
From: "Torgeir Bakken (MVP)" <Torgeir.B...@hydro.com>
Newsgroups:
microsoft.public.security,microsoft.public.security.toolkit,microsoft.public
.win2000.security,microsoft.public.windows.server.security,microsoft.public.
windowsxp.security_admin,microsoft.public.win2000.general,microsoft.public.w
in2000.termserv.clients
Sent: Saturday, November 15, 2003 4:38 PM
Subject: Re: Force Logoff if Inactive
:
: Hi
:
:
:
>"Harry Paratestes" <har...@newz-grp-reader.com> wrote in message news:...
> Thanks for feedback.
>
> Just now I checked out the Scheduled Task Wizard on W2K client. I believe
I
> could do what you're suggesting, but the missing piece to the puzzle is
the
> 'inactivity timer'. Did a little more research on this and it dawned on
me
> that there MUST be an internal clock/process/service/daemon running on W2K
> that determines inactivity. No surprise here, screensaver and Power
Scheme
> functions [Control Panel/Power Options] obviously are triggered by some
> keypad or mouse activity timer. Terminal services on W2K Server has
> inactivity function too (bounces users if not activitely using TS).
>
> If anyone has insight on the process/service/daemon that determines
keyboard
> and/or mouse inactivity on W2K and how to exploit it, any guidance or
points
> will be much appreciated.
>
> HP sends
>
>
> "Torgeir Bakken (MVP)" <Torgeir.B...@hydro.com> wrote in message
> news:3FB68D9C...@hydro.com...
> > Harry Paratestes wrote:
> > Hi
> >
> > You can't do this detection from the DC, it will have no idea about if
the
> > workstations are idle or not, you need to do this on the local computer.
> >
> > I don't know of any way with a script to determine idle time, but the
> solution
> > Steve suggested should work, creating a Scheduled Tasks on every
computer
> that
> > kicks in after x minutes of idle time and runs a logoff script/program.
> >
> >
> > --
> > torgeir
> > Microsoft MVP Scripting and WMI, Porsgrunn Norway
> > Administration scripting examples and an ONLINE version of the 1328 page
> > Scripting Guide: http://www.microsoft.com/technet/scriptcenter
> >
> >
> >
> >
> >
> > after a certain period of idle time - up to 999 minutes though I don't
> know
> > of a good way offhand to implement it on a large number of
Harry Paratestes
Patrick,
Thanks for your insight. I'm not a programmer/scripter by trade, but will
definitely do the research to see if I make this work as you described.
Gotta pack the suitcase for a red-eye flight. Will monitor this NG
tomorrow.
Thanks again,
HP sends
"Patrick J. LoPresti" <pa...@users.sourceforge.net> wrote in message
news:s5gwua1c8ao.fsf@patl=users.sf.net...
: --
: torgeir
: Microsoft MVP Scripting and WMI, Porsgrunn Norway
: Administration scripting examples and an ONLINE version of the 1328 page
: Scripting Guide: http://www.microsoft.com/technet/scriptcenter
:
:
:
>"Harry Paratestes" <har...@newz-grp-reader.com> wrote in message news:...
> Thanks for feedback.
>
> Just now I checked out the Scheduled Task Wizard on W2K client. I believe
I
> could do what you're suggesting, but the missing piece to the puzzle is
the
> 'inactivity timer'. Did a little more research on this and it dawned on
me
> that there MUST be an internal clock/process/service/daemon running on W2K
> that determines inactivity. No surprise here, screensaver and Power
Scheme
> functions [Control Panel/Power Options] obviously are triggered by some
> keypad or mouse activity timer. Terminal services on W2K Server has
> inactivity function too (bounces users if not activitely using TS).
>
> If anyone has insight on the process/service/daemon that determines
keyboard
> and/or mouse inactivity on W2K and how to exploit it, any guidance or
points
> will be much appreciated.
>
> HP sends
>
>
name
Who are you ? Kennedy ?
"Harry Paratestes" <har...@newz-grp-reader.com> wrote in message
news:eoJ84r$qDHA...@TK2MSFTNGP12.phx.gbl...
Harry Paratestes
No.
You are replying to many usenet, and you're nosey.
Who are you? J. Edgar Hoover, or LBJ?
"name" <nos...@user.com> wrote in message
news:%23u5V0ia...@TK2MSFTNGP10.phx.gbl...
Al Dunbar [MS-MVP]
rails. Now I am coming to the conclusion that nobody could post like that if
it was complete nonsense, so it must be me who is clueless here.
/Al
"Harry Paratestes" <anon...@discussions.microsoft.com> wrote in message
news:%23q$ApMdrD...@TK2MSFTNGP10.phx.gbl...
David Reed
I have exactly the same situation as you, and would like to know if you have
made any progress in your search for a solution.
What say you?
Re-Egads,
David
"Harry Paratestes" <har...@newz-grp-reader.com> wrote in message
news:eoJ84r$qDHA...@TK2MSFTNGP12.phx.gbl...