Force logoff when logon hours expire

I set logon hrs for all my domain customers. Now I want to pressure logoff once they expire.

You watching: Force logoff when logon hours expire

I have actually a couple of concerns though:

In the policy it clintends it must be characterized in the default domain policy. Is this the case? I did not desire it to use to everyone. I recognize I deserve to fiddle through restrictions and stuff but Id choose to just make a brand-new policy and apply it at the OU.Will this log the user off if their display is locked?
*

The assist desk software application for IT. Free.

Track users" IT needs, quickly, and also through only the features you require.


*

bitlocker

I do not think it nessesarily has to be in the Default Domain Policy however I think it has to be applied at Domain level not OU. Like password plans.

If you do not desire to apply to everyone, create a brand-new GPO, use it at Domain level, then create a team of denied specific logon hrs, then deny Apply Group Policy to that team on the ACL (Delegation) of the GPO.

Yes, it will certainly log them off if the screen is locked, successfully anymethod, it"ll just block SMB, yet they"ll still have to actually "logoff".

Edited Mar 26, 2015 at 13:46 UTC
1
· · ·
*

Mace
OP
cduff Mar 26, 2015 at 13:33 UTC

Tbelow is no GPO that will log users off workstations as soon as logon hours expire. Tbelow is one that will certainly disconnect network relationships to smb servers. The establishing is unhelpcompletely called to be certain. If it claims it demands to be in the DDP, I"d trust that.


1
· · ·
*

Ghold Chili
OP
Kelly Armitage Mar 26, 2015 at 13:36 UTC

cduff wrote:

There is no GPO that will certainly log individuals off workstations once logon hrs expire. Tbelow is one that will certainly disaffix network relationships to smb servers.

This is correct.

There *IS* a plan which says "pressure logoff when logon hrs expire" or some such misleading wording, however it will certainly carry out no such point. The user will certainly still have actually full use of the PC, through the exemption of netoccupational resources (shares / printers etc)

They will not be logged off. (at least not making use of that policy)


2
· · ·
Datil
OP
Theborgman77
This person is a verified professional.
Verify your account to permit IT peers to check out that you are a skilled.
Mar 26, 2015 at 13:45 UTC

Selfexamine is an IT business provider.


You can constantly limit the application of a GPO via delegation in the GPO.


0
· · ·
Tabasco
OP
Jeremy Flynn
This person is a proved expert.
Verify your account to permit IT peers to watch that you are a experienced.
Mar 26, 2015 at 13:50 UTC

Well is tright here any type of method to perform this? My customers never log out.

See more: Unable To Click On Anything Windows 10, Windows 10 Can'T Click Anything

My shutdvery own plan is not functioning once they are logged in. Offline records carry out not sync properly if they are not loggin in and out either.


0
· · ·
Mace
OP
cduff Mar 26, 2015 at 13:53 UTC

You can try to set them up a reserved task with the following offered you aren"t married to the principle of having it run in sync with the login hrs. You can set it up with Group Policy Preferrals and you have actually really excellent granular control of how it applies. Different times and also schedules for different groups/comptuers/whatever before. I do not recognize how it"ll work if their work-related station is locked or if they can cancel it. Just need to run a couple of tests.


Batchfile

shutdown /l /f /t 0
1
· · ·
Mace
OP
cduff Mar 26, 2015 at 13:57 UTC
 Jeremy Flynn wrote:

Well is tbelow any kind of method to do this? My customers never before log out.

My shutdown policy is not functioning once they are logged in. Offline files execute not sync correctly if they are not loggin in and also out either.

Also, if you had actually used that one plan, it can mess via offiline files" capability to sync exterior of their logon hrs, being that offline records is over smb.
0
· · ·
Gorganize Chili
OP
Kelly Armitage Mar 26, 2015 at 14:02 UTC

cduff wrote:

You might attempt to collection them up a scheduled task via the following gave you aren"t married to the principle of having actually it run in sync with the login hours. You deserve to set it up with Group Policy Preferrals and you have really good granular manage of how it applies. Different times and schedules for various groups/comptuers/whatever before. I do not understand just how it"ll work if their work-related terminal is locked or if they have the right to cancel it. Just need to run a pair of tests.


Batchfile

shutdvery own /l /f /t 0
They have the right to be aborted.....yet they"d need to run a command also prompt and also type shutdvery own /a (and it might just apply to shutdowns not logoffs). Either method through a t 0 establishing, they"d never have time to perform that.


1
· · ·
Ghost Chili
OP
Kelly Armitage Mar 26, 2015 at 14:03 UTC

If you do usage the shutdvery own command also, I think I"d go via a rebegin instead of simply a logoff. If you are risking them shedding unsaved work, you might as well reboot the PC while you"re at it.


0
· · ·
Tabasco
OP
Jeremy Flynn
This person is a showed professional.
Verify your account to enable IT peers to view that you are a professional.
Mar 26, 2015 at 16:37 UTC

Ok below is the problem. I have actually my shutdvery own utilizing powershell manuscript pointed at a list of PCs. I actually originally wanted to usage booked tasks however they will not work-related.

For example I simply tried(again) to make the log off scheduled job. I created a test OU and a test User. I configured a user policy for the scheduled job.

The create is a reserved time(8:00 PM). 

The activity is %systemroot%logoff.exe

The user is %domain%\%user%

It is collection to run once they are logged in

Item lvl targeting -> my test user

----------------

The job does not present up on the computer. GPresult shows it applied, but. This is the same trouble I had actually through my shutdown reserved task.

If I manually run the job nothing happens on the client pc. So then I begin altering settings.

I tried NT AUTHORITY SYSTEM, Domain ADMIN, run when logged off or not. No matter what i never see the job. And HIDDEN is not checked.

See more: Next How To Change Winrar How To Change Language Setting Into English

I would certainly use the powershell manuscript that I currently have actually working for shutdvery own and replace via rebegin however the difficulty is that doesnt job-related unless they are logged off. Unmuch less tright here is a way to pressure it...