Automatic Logout for Windows 7 Using Group Policy
For work, I needed to design and implement a real-world maintenance policy for an Active Directory domain. Though this domain has a mix of Linux, Apple and Microsoft machines, the only Microsoft ones were Windows 2008 R2 servers and Windows 7 clients. Some posts about integrating all of those OSes would be a good idea.
The basic policy encompassed more, but I did a lot of searching around the Interwebs for a solution for automatically logging out active users. If one doesn't do this, their roaming profiles (Windows roaming profiles) sadly tend to get corrupted. I got lots of hints, but nothing that explained things completely. So, through a whole bunch of trial and error, I've come up with this blog post. Hopefully others don't have to go through the "if you knew everything already it'd be easy" way that Microsoft does documentation. Sorry, I couldn't resist at least one jab. :-)
For those who are the self-educating folks out there, read below for some "gotchas" and hints. Learning beyond rote is the only way...
Hint #1: To force replication to all Domain Controllers, use "Active Directory Sites and Services" and drill down to the servers. If you pay attention to the GPM Editor, it tells you which DC you edited. Go to the others and "Replicate Now" from the server you edited.
Hint #2: Be careful what you name the tasks and what you choose for "Action" under "General". Don't just delete objects from the list of scheduled tasks. Change the action to "Delete" and, once you're sure it's removed from all users, then delete the actual object.
Hint #3: We have a lot of students who don't shut down or log out of laptops, and teachers who don't double-check. At least they plug them back into the cart to keep them charged. To keep them from being on overnight, turn off sleep/hibernation on closing the lid.
Gotcha #1: This policy must be a "User Configuration". Even though, when adding the same config to "Computer Configuration", GPM Editor gives the default "%LogonDomain%\%LogonUser%", it comes up as blank, "BUILTIN\BUILTIN" or possibly the computer account when rolled out. Also, the task tries to run and you get "error value 2147943645". Usually this means no permission to run, so it's sort of accurate. Either way, don't be fooled into thinking you can apply this to a computer for all users logging into the computer.
Gotcha #2: The shutdown command's help does not state this, but I was never able to get the /l option to work with the /t option.
- Go to a Domain Controller.
- With "Active Directory Users and Computers", create/determine a group to whom automatic logout should be applied. E.g. "POL-ForcedLogout"
- With "Group Policy Management", create/determine the policy to house this configuration.
- Right click on policy & edit.
- Go to User Configuration, Preferences, Control Panel Settings, Scheduled Tasks.
- Create one scheduled task if all warnings to the user are the same. We use the same message at 60/30/15/5 minutes.
- Be sure to check "Run with highest privileges".
- Be sure to select the proper "Configure for:". Hint #0: use item-level targeting if you have mixed OS types, either on the task or on the policy.
- Trigger tab: create one trigger for each warning.
- Action tab: create "Display a message" action.
- Click OK to complete.
- Create one scheduled task for the actual logoff command.
- Again, be sure to check "Run with highest privileges".
- Again, be sure to select the proper "Configure for:". Hint #0: use item-level targeting if you have mixed OS types, either on the task or on the policy.
- Trigger tab: create one trigger for time to logoff.
- Action tab: create "Start a program" action.
- Program/script: %systemroot%\system32\shutdown
- Add arguments: /l
- Click OK to complete.
- Close GPM Editor & GPM.
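To confirm the tasks actually arrived on a client the way the steps above intend (running as the logged-on user with highest privileges, a message action for the warnings, and shutdown /l without /t for the logoff), here is an added check script that is not part of the original post. It uses the Schedule.Service COM API because the ScheduledTasks PowerShell module does not exist on Windows 7; the task-name prefix "ForcedLogout" is an assumption, so edit $NamePattern to match your own task names.

```powershell
# Added check script, not from the original post. Run it in the user's own
# session on a Windows 7 client after "gpupdate /force".
# Assumption: the deployed task names begin with "ForcedLogout" (edit $NamePattern).
$NamePattern  = 'ForcedLogout*'
$expectedUser = "$env:USERDOMAIN\$env:USERNAME"

function Get-AllTasks($folder) {
    # Walk the task folder tree; GPP-created tasks normally land in the root folder.
    foreach ($t in $folder.GetTasks(0)) { $t }
    foreach ($f in $folder.GetFolders(0)) { Get-AllTasks $f }
}

function Describe-LastResult([int]$raw) {
    # LastTaskResult is a signed Int32. The post's 2147943645 is 0x800704DD,
    # i.e. Win32 error 1245 (ERROR_NOT_LOGGED_ON) wrapped in an HRESULT.
    $code = [int64]$raw; if ($code -lt 0) { $code += 4294967296 }
    if (($code -band 0xFFFF0000) -eq 0x80070000) {
        $win32 = [int]($code -band 0xFFFF)
        $ex = New-Object System.ComponentModel.Win32Exception -ArgumentList $win32
        return ('0x{0:X8}: {1}' -f $code, $ex.Message)
    }
    return '0x{0:X8}' -f $code
}

$svc = New-Object -ComObject Schedule.Service
$svc.Connect()
$root = $svc.GetFolder('\')
foreach ($task in (Get-AllTasks $root | Where-Object { $_.Name -like $NamePattern })) {
    $def = $task.Definition
    Write-Host "== $($task.Path)"
    Write-Host ('   Runs as: {0}  (highest privileges: {1})' -f $def.Principal.UserId, ($def.Principal.RunLevel -eq 1))
    if ($def.Principal.UserId -ne $expectedUser) {
        # Gotcha #1: a Computer Configuration deployment resolves to blank/BUILTIN.
        Write-Warning "Principal is not $expectedUser - deploy this under User Configuration"
    }
    foreach ($trg in $def.Triggers) {
        Write-Host ('   Trigger type {0} at {1} (enabled: {2})' -f $trg.Type, $trg.StartBoundary, $trg.Enabled)
    }
    foreach ($act in $def.Actions) {
        if ($act.Type -eq 7) {          # TASK_ACTION_SHOW_MESSAGE: the warning popups
            Write-Host "   Message: $($act.Title) - $($act.MessageBody)"
        } elseif ($act.Type -eq 0) {    # TASK_ACTION_EXEC: the logoff command
            Write-Host "   Exec: $($act.Path) $($act.Arguments)"
            if ($act.Path -match 'shutdown' -and $act.Arguments -match '/l' -and $act.Arguments -match '/t') {
                # Gotcha #2: /l does not honour /t, so warnings belong in separate triggers.
                Write-Warning 'shutdown /l combined with /t - the delay will not work'
            }
        }
    }
    Write-Host "   Last result: $(Describe-LastResult $task.LastTaskResult)"
}
```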