If you deal with computers at reception desks, in call centers, or in lab environments where users log in and never log off, computers can get really slow because of the applications left running by idle users. In this article, I’ll show you how you can force those users to automatically log out with a few settings in Group Policy.

Shared computer systems in areas such as reception desks, computer labs, and call centers can be brought to their knees very quickly if users lock the workstation and walk away when their shift ends. The next person sits down, clicks Switch User, logs in, and repeats the process all over. After enough users, there are enough random applications running in the background to slow the system to a crawl. So, how do you log off the idle sessions? Actually, it’s pretty easy with a free utility and a little Group Policy!

Non-recommended solutions

Before we get started, I’d like to address two of the ways I’ve seen suggested as a way to handle logging off idle user sessions. One solution that used to be popular is the winexit.scr screensaver included in the Windows NT Server 4.0 Resource Kit. A systems administrator can set the workstation’s screensaver to winexit.scr, and the user would be logged off when the screensaver activated.

This solution doesn’t take into account newer operating systems that include Fast User Switching. It also requires you to lengthen your screensaver activation time so you don’t accidentally log off a user who has gone on a break or lunch period. And, last but not least, getting this old utility to work correctly on newer OSs is just a pain. Do you really want to run something this old on your network if you don’t have to?

The other suggestion is a Group Policy setting that a lot of people point to as a solution to this problem. The setting is located in Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits > Set time limit for disconnected sessions.

“Set time limit for disconnected sessions” policy (for RDS sessions only)


I’ve seen this setting recommended—a LOT—as a solution for logging off idle users. You can use it for logging off idle users on Remote Desktop Services (RDS, formerly Terminal Services). This setting doesn’t work for physical computers that people are using at the console.

Computer-side Group Policy settings

To set up our solution, we’ll need to create a new Group Policy Object (GPO) in the Group Policy Management Console (GPMC). For multiuser computers, I usually like to create a new sub-Organizational Unit (OU) inside the original OU that contains all the other non-multiuser computers. This lets the multiuser computers get the same Group Policy as all of the other computers without forcing the “idle logoff” on every single computer.

Create a new GPO in the Group Policy Management Console


Next, we’ll need to right-click the new GPO and choose Edit. Once you’re in the Group Policy Management Editor, you’ll need to go to Computer Configuration > Policies > Administrative Templates > System > Group Policy > Configure user Group Policy loopback processing mode. Enable the policy and set it to Merge. This will let us apply a user-side policy to computer objects in Active Directory. (I’ve written articles on loopback processing in Group Policy and common usage scenarios if you’d like more information.)

Configure user Group Policy loopback processing mode to Merge


Next, we’ll need to copy a small utility to the multiuser computers. Go and download idlelogoff.exe.

UPDATE: We removed the link to the website that hosts idlelogoff.exe because the site is infected with malware. See comments below.

For demo purposes in this article, I’m going to put my copy into Active Directory’s Sysvol folder. For a production environment, you’ll probably want to do this from a file share. Just make sure that domain computers have at least read-only access to both the share and the file system.

 IdleLogoff executable in the Sysvol folder


Go back to your GPO and go to Computer Configuration > Preferences > Windows Settings > Files. Right-click Files and choose New > File. In the Source File(s) section, select the IdleLogoff.exe that we put into \\domain.local\sysvol\domain.local\files\IdleLogoff\IdleLogoff.exe. Set the Destination File value to C:\Program Files\IdleLogoff\IdleLogoff.exe.

New File Properties to copy IdleLogoff.exe to computers
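
Because the GPO will push this binary to every multiuser computer, it is worth checking the copy on the share before relying on it. The following PowerShell is an added example, not part of the original article or the IdleLogoff project: it compares the file against a hash you recorded from a vetted copy, reports its Authenticode status, and lists any unexpected principals that can write to the file or its folder. The function name, the placeholder hash and the list of trusted writers are assumptions to adapt.

```powershell
# Added example. $ExpectedSha256 is a placeholder: record it from a copy you have vetted.
$Source         = '\\domain.local\sysvol\domain.local\files\IdleLogoff\IdleLogoff.exe'
$ExpectedSha256 = '<SHA256-OF-YOUR-VETTED-COPY>'
# Assumption: only these principals should hold write access. Adjust for your domain.
$TrustedWriters = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|CREATOR OWNER|.+\\(Domain|Enterprise) Admins)$'

function Test-DeployedBinary {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedHash,
        [string] $TrustedPattern = $TrustedWriters
    )
    $findings = @()

    # 1. Integrity: the file on the share must be byte-identical to the vetted copy.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedHash) { $findings += "Hash mismatch: $actual" }

    # 2. Publisher: report the Authenticode status. An unsigned file is not proof of
    #    tampering, but it leaves the hash above as the only integrity control.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { $findings += "Authenticode status: $($sig.Status)" }

    # 3. Write access: whoever can replace the file or write to its folder controls
    #    what runs in every session that launches it. The mask holds write-class bits
    #    only, plus the raw GENERIC_WRITE/GENERIC_ALL bits some inherited ACEs carry.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x50000000
    foreach ($target in $Path, (Split-Path -Parent $Path)) {
        foreach ($ace in (Get-Acl -LiteralPath $target).Access) {
            $isWrite = ([int]$ace.FileSystemRights -band $writeMask) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $isWrite -and
                $ace.IdentityReference.Value -notmatch $TrustedPattern) {
                $findings += "Writable by $($ace.IdentityReference) on $target"
            }
        }
    }
    return $findings
}

$findings = Test-DeployedBinary -Path $Source -ExpectedHash $ExpectedSha256
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'OK: hash, signature and write permissions match expectations.' }
```

The same function can be pointed at the client-side copy in C:\Program Files\IdleLogoff\ to confirm that what landed on a workstation is the file you published.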


User-side Group Policy settings

Next, we’ll need to set our user-side Group Policy settings. Go to User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff). Double-click Logon on the right side of the window.

Logon and Logoff Scripts in the Group Policy Management Editor


Click the Show Files button to open a new window where you can place the Logon script we’ll use.

Create a new batch file for a Logon script


Create a new text file named IdleLogoff.bat in the folder, with the following text:

@echo off
"c:\Program Files\IdleLogoff\IdleLogoff.exe" 1800 logoff

IdleLogoff.bat example


The IdleLogoff.exe utility takes two arguments. The first argument is the time, in seconds, before taking action. In this case, I’m using 1800, which translates to 30 minutes. The second argument is the action to take. The valid actions are logoff, lock, restart, and shutdown. We want to log off idle sessions, so I’m using logoff.

Last, we need to add the Logon script to the GPO. Click the Add button on the Logon Properties window, then click the Browse button on the Add a Script window, select the script (IdleLogoff.bat), and click Open. This will take you back to the Add a Script window where you can click OK. The Logon script will show up on the Logon Properties window; click OK.

Adding the Logon script to the Group Policy Object


Testing on the client

On a test client, I’m going to run a manual Group Policy update by running gpupdate.exe at a command prompt just to ensure the system gets the settings in the GPO. Next, I’m going to go to C:\Program Files\IdleLogoff\ and make sure that IdleLogoff.exe is copied to the computer.

IdleLogoff.exe copied to a Windows 8.1 client


Next, we can run Task Manager and see that the IdleLogoff.exe executable is running in the background in the user’s session.

IdleLogoff.exe running on Windows 7


IdleLogoff.exe running on Windows 8.1


Gotchas

A word of warning about Windows 8: Windows 8 includes a number of changes to make the system startup and user logon process faster. One of these changes is to delay the running of logon scripts for five minutes, by default, to make the logon process faster for the end user. Keep this in mind when deploying this solution to computers. You can change this setting in Computer Configuration > Policies > Administrative Templates > System > Group Policy > Configure Logon Script Delay.

Configure Logon Script Delay policy


You might also ask, “If I can see the process, won’t the user be able to see the process?” The short answer here is, yes. The user will be able to run the Task Manager and see this process running in his/her list of processes and can stop it from running. I’ve found that 99 percent of my users logging into a workstation with this configured never know it is there. You can do things like try to hide the process from Task Manager or even rename the file to something like “explorer.exe.”

The only problem with those solutions is that those are the same things malware can do to a system. And, you probably don’t want to implement a solution that looks a lot like malware, or you run the risk of your antivirus/antimalware kicking in and killing it. You can disable the Task Manager by going to User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options > Remove Task Manager. Set the policy to Enabled and click OK.

Disable the Task Manager with the Remove Task Manager policy


Lastly, communicate this new policy to people who may be impacted by the change. Some reception desk computers may need the idle logoff time set anywhere from 45 to 90 minutes so the primary user isn’t kicked out of his/her session while on a lunch break. Other locations, such as computer labs, may need it set to something lower—maybe 15 to 20 minutes. If you have any thoughts on how long it should take, we’d love to hear them in the comments!

62 Comments
  1. Brad 6 years ago

    The website where idlelogoff.exe resides is flagged as malware


  2. John 6 years ago

    I cannot download the tool! It is flagged as a Trojan.
    Kaspersky
    Endpoint Security 10 for Windows

    ACCESS DENIED
    The requested web address cannot be provided

    Object web address:

    http://www.intelliadmin.com/index.php/2011/11/automatically-logoff-inactive-users/

    Reason:

    object is infected by HEUR:Trojan.Script.Generic

    Message generated on: 2/8/2018 12:56:18 PM

    • Avatar

      The term “HEUR” in the reason seems to indicate that this assessment was based on a heuristics and not an analysis of a researcher. Those heuristics of AV programs are very unreliable.

      If someone can give something more concrete, we are going to remove the link.

      • Avatar

        Here is another error by Symantec Endpoint Protection:

        [SID: 30610] Web Attack: JSCoinminer Download 34 attack blocked. Traffic has been blocked for this application…

         

        • Avatar

          More info:

          Web Attack: JSCoinminer Download 34

          Severity: Medium
          This attack could pose a moderate security threat. It does not require immediate action.

          Description
          This signature detects suspicious activities associated with JScoinminer

          Additional Information
          JScoinminer is a detection for a JavaScript cryptocurrency miner that runs in web browsers. The javascript coin miner consumes enormous CPU resources, making computer use sluggish. The JavaScript is loaded in the browser when the user visits a web page hosting the JavaScript. If you haven’t opened the detected website on your own, you are possibly redirected to the detected website via redirection mechanisms like malicious advertisement or a compromised website hosting an iframe or JavaScript which redirects to the detected website. The JavaScript runs as long as the user stays on the web page. As long as the website being visited is injected with the coin mining javascript, the website will be blocked by this signature. The computer system is not actually “infected” when this detection triggers.

          Link : https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=30610

          • Avatar

            Paolo, thanks a lot! There is indeed malware on the site that hosts idlelogoff.exe. My CPU goes crazy when I open the page. I added a note in the article and removed the link.

  3. Claudio Mendes 6 years ago

    Hi,

    Any idea why I get an open file security warning: the publisher could not be verified, are you sure you want to run this software? The file doesn’t have a valid signature…

    It is actually a batch file set in the domain GPO local machine scripts startup, so trying to run it from UNC sysvol…

    Perhaps I’m missing something related to rights somewhere or some other GPO stuff remaining to be checked, like granting that file to be safe?

    windows 1607

    thanks for helping me out

  4. Finalfant111 6 years ago

    This seems like a really long and convoluted solution for what you want. Why not just set a task scheduler to restart the computer once a day?

    • Bill 6 years ago

      Better yet, create a task to run when user is logged in every hour or so, but only when the computer has been idle for an hour.  Run “shutdown /l”

  5. Matt Trimble 6 years ago

    Dropping the batch file in “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp” instead of using group policy works also

  6. Pierre Voortman 5 years ago

    This can be done with a scheduled task, which can be pushed to computers by GPO, so you don’t need the external application idlelogoff.exe

    https://michlstechblog.info/blog/windows-automatically-logout-a-user-on-inactive/

  7. Christopher Kashabech 5 years ago

    The easiest way is to run task scheduler and configure it to run “shutdown /l” on idle time. I had to use it a long time ago, and now I checked in Windows 10 and it still can be done.

  8. Ghaith Mohammed 5 years ago

    Thanks for this article. This GPO will kill the session after the X minutes that you define in the batch file; it doesn’t matter if the session is ON or IDLE. I tried it on an active session and it logged off the user after X amount of minutes.

    Thanks

  9. Mohammad Reza 5 years ago

    Hi

    How can I get the EXE file as you show in the article (idlelogoff.exe)?

  10. Brad B 4 years ago

    I have a valid copy of idlelogoff.exe from before the hosting website became impacted by malware.  I had idlelogoff.exe working on a computer that was not part of a domain using simple .bat files in each users startup.  I've now put that computer into a domain that broke it.

    In trying to implement the GPO solution on a Windows 10 PC in a Windows Server 2016 Essentials server, something seems to be missing. 

    The GPO is tied to a specific computer group and I can "gpresult /Scope Computer /v" on one of those computers to see that the GPO is applied.  However, "Logon scripts" is not part of the results.

    When I "gpresult /Scope User /v" it doesn't show the GPO applied – this makes sense because I don't want it applied to Users, it needs to apply to specific computers. So this seems correct.  But when I look at the "Logon Scripts" section of gpresult, it says N/A.

    So it seems to be correctly applied to the computer group but the computer group policy doesn't apply a user logon script.  I cannot really tell.  I've double checked all the settings follow this guide.

    I can only assume that something changed in GPO or Windows Server OUs from when this article was written to now.  Is there an updated version of this for Windows 10 and Windows Server 2016 Essentials?

     

  11. Regnar Lyngso 3 years ago

    Get the idlelogoff.exe here: http://www.intelliadmin.com/index.php/downloads/

     

  12. Michael 3 years ago

    Will these steps work on a computer that is not in a domain? I help a small business that has a couple computers in a workgroup. I did the user side group policy settings and it didn’t seem to work.

  13. Jim Dunn 3 years ago

    Better to just use the "shutdown.exe /l" instead.

  14. Rob 1 year ago

    Found this for people looking for a replacement. https://github.com/lithnet/idle-logoff/wiki

  15. Lewis Hurst 3 months ago

    Instead of using the program that’s 3rd party and marked heuristically as a virus, there’s probably a PowerShell command to log a user off.

  16. Rob 3 months ago

    The requirements to log off users after a specific amount of time idle, deployed across a domain with managed parameters would take a while to script and troubleshoot. Alternatively, you can use LithNet Idle-Logoff which is open source, configurable in Group Policy and easily deployed. I’ve been using it for a year now at a 24×7 facility without issue.
    “Probably a powershell command” did occur to us.
