If you deal with computers at reception desks, in call centers, or in lab environments where users log in and never log off, computers can get really slow because of the applications left running by idle users. In this article, I’ll show you how you can force those users to automatically log out with a few settings in Group Policy.

Kyle Beckman

Kyle Beckman works as a systems administrator in Atlanta, GA supporting Office 365 in higher education. He has 17+ years of systems administration experience.

Shared computer systems in areas such as reception desks, computer labs, and call centers can be brought to their knees very quickly if users lock the workstation and walk away when their shift ends. The next person sits down, clicks Switch User, logs in, and repeats the process all over. After enough users, there are enough random applications running in the background to slow the system to a crawl. So, how do you log off the idle sessions? Actually, it’s pretty easy with a free utility and a little Group Policy!

Non-recommended solutions

Before we get started, I’d like to address two of the ways I’ve seen suggested as a way to handle logging off idle user sessions. One solution that used to be popular is the winexit.scr screensaver included in the Windows NT Server 4.0 Resource Kit. A systems administrator can set the workstation’s screensaver to winexit.scr, and the user would be logged off when the screensaver activated.

This solution doesn’t take into account newer operating systems that include Fast User Switching. It also requires you to lengthen your screensaver activation time so you don’t accidentally log off a user who has gone on a break or lunch period. And, last but not least, getting this old utility to work correctly on newer OSs is just a pain. Do you really want to run something this old on your network if you don’t have to? Another is a Group Policy setting that a lot of people point to as a solution to this problem. The setting is located in Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits > Set time limit for disconnected sessions.

“Set time limit for disconnected sessions” policy (for RDS sessions only)

I’ve seen this setting recommended—a LOT—as a solution for logging off idle users. You can use it for logging off idle users on Remote Desktop Services (RDS, formerly Terminal Services). This setting doesn’t work for physical computers that people are using at the console.

Computer-side Group Policy settings

To set up our solution, we’ll need to create a new Group Policy Object (GPO) in the Group Policy Management Console (GPMC). For multiuser computers, I usually like to create a new sub-Organizational Unit (OU) inside the original OU that contains all the other non-multiuser computers. This lets the multiuser computers get the same Group Policy as all of the other computers without forcing the “idle logoff” on every single computer.

Create a new GPO in the Group Policy Management Console

Next, we’ll need to right-click the new GPO and choose Edit. Once you’re in the Group Policy Management Editor, you’ll need to go to Computer Configuration > Policies > Administrative Templates > System > Group Policy > Configure user Group Policy loopback processing mode. Enable the policy and set it to Merge. This will let us apply a user-side policy to computer objects in Active Directory. (I’ve written articles on loopback processing in Group Policy and common usage scenarios if you’d like more information.)

Configure user Group Policy loopback processing mode to Merge

Next, we’ll need to copy a small utility to the multiuser computers. Go and download idlelogoff.exe. For demo purposes in this article, I’m going to put my copy into Active Directory’s Sysvol folder. For a production environment, you’ll probably want to do this from a file share. Just make sure that domain computers have at least read-only access to both the share and the file system.

IdleLogoff executable in the Sysvol folder

Go back to your GPO and go to Computer Configuration > Preferences > Windows Settings > Files. Right-click Files and choose New > File. In the Source File(s) section, select the IdleLogoff.exe that we put into \\domain.local\sysvol\domain.local\files\IdleLogoff\IdleLogoff.exe. Set the Destination File value to C:\Program Files\IdleLogoff\IdleLogoff.exe.

New File Properties to copy IdleLogoff.exe to computers

User-side Group Policy settings

Next, we’ll need to set our user-side Group Policy settings. Go to User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff). Double-click Logon on the right side of the window.

Logon and Logoff Scripts in the Group Policy Management Editor

Click the Show Files button to open a new window where you can place the Logon script we’ll use.

Create a new batch file for a Logon script

Create a new text file named IdleLogoff.bat in the folder, with the following text:

IdleLogoff.bat example

The IdleLogoff.exe utility takes two arguments. The first argument is the time, in seconds, before taking action. In this case, I’m using 1800, which translates to 30 minutes. The second argument is the action to take. The valid actions are logoff, lock, restart, and shutdown. We want to log off idle sessions, so I’m using logoff.
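
The batch file itself survives on this page only as a screenshot caption. As an added example (not the author's original file), this logon script runs the copied utility with the two arguments described above; the optional script parameters, the input checks and the already-running guard are additions, and `start` is used so the script returns instead of waiting for the utility to exit.

```batch
@echo off
rem IdleLogoff.bat: added example logon script, not the author's original file.
rem Usage: IdleLogoff.bat [idle_seconds] [action]
rem Defaults are the article's values: 1800 seconds (30 minutes) and logoff.
setlocal

rem Destination File value from the GPO Files preference in the article.
set "EXE=C:\Program Files\IdleLogoff\IdleLogoff.exe"

rem Optional values from the Script Parameters field of the Add a Script
rem window (an addition in this example; the article hard-codes both).
set "IDLE_SECONDS=%~1"
if not defined IDLE_SECONDS set "IDLE_SECONDS=1800"
set "ACTION=%~2"
if not defined ACTION set "ACTION=logoff"

rem Reject anything that is not a plain number of seconds.
echo %IDLE_SECONDS%| findstr /R /X "[0-9][0-9]*" >nul
if errorlevel 1 (
    echo IdleLogoff.bat: idle time must be a number of seconds 1>&2
    exit /b 2
)

rem Accept only the four actions the article lists, spelled as it spells them.
set "VALID="
for %%A in (logoff lock restart shutdown) do if "%ACTION%"=="%%A" set "VALID=1"
if not defined VALID (
    echo IdleLogoff.bat: action must be logoff, lock, restart or shutdown 1>&2
    exit /b 2
)

rem The Files preference may not have copied the utility yet.
if not exist "%EXE%" (
    echo IdleLogoff.bat: %EXE% not found, check the Files preference 1>&2
    exit /b 1
)

rem Do not start a second copy for a user who already has one running.
tasklist /FI "IMAGENAME eq IdleLogoff.exe" /FI "USERNAME eq %USERDOMAIN%\%USERNAME%" /NH 2>nul | find /I "IdleLogoff.exe" >nul
if not errorlevel 1 exit /b 0

rem start launches the utility in its own process and returns immediately.
start "" "%EXE%" %IDLE_SECONDS% %ACTION%
exit /b 0
```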

Last, we need to add the Logon script to the GPO. Click the Add button on the Logon Properties window, then click the Browse button on the Add a Script window, select the script (IdleLogoff.bat), and click Open. This will take you back to the Add a Script window where you can click OK. The Logon script will show up on the Logon Properties window; click OK.

Adding the Logon script to the Group Policy Object

Testing on the client

On a test client, I’m going to run a manual Group Policy update by running gpupdate.exe at a command prompt just to ensure the system gets the settings in the GPO. Next, I’m going to go to C:\Program Files\IdleLogoff\ and make sure that IdleLogoff.exe is copied to the computer.

IdleLogoff.exe copied to a Windows 8.1 client

Next, we can run Task Manager and see that the IdleLogoff.exe executable is running in the background in the user’s session.

IdleLogoff.exe running on Windows 7

IdleLogoff.exe running on Windows 8.1

Gotchas

A word of warning about Windows 8: Windows 8 includes a number of changes to make the system startup and user logon process faster. One of these changes is to delay the running of logon scripts for five minutes, by default, to make the logon process faster for the end user. Keep this in mind when deploying this solution to computers. You can change this setting in Computer Configuration > Policies > Administrative Templates > System > Group Policy > Configure Logon Script Delay.

Configure Logon Script Delay policy

You might also ask, “If I can see the process, won’t the user be able to see the process?” The short answer here is, yes. The user will be able to run the Task Manager and see this process running in his/her list of processes and can stop it from running. I’ve found that 99 percent of my users logging into a workstation with this configured never know it is there. You can do things like try to hide the process from Task Manager or even rename the file to something like “explorer.exe.”

The only problem with those solutions is that those are the same things malware can do to a system. And, you probably don’t want to implement a solution that looks a lot like malware, or you run the risk of your antivirus/antimalware kicking in and killing it. You can disable the Task Manager by going to User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options > Remove Task Manager. Set the policy to Enabled and click OK.

Disable the Task Manager with the Remove Task Manager policy

Lastly, communicate this new policy to people who may be impacted by the change. Some reception desk computers may need the idle logoff time set anywhere from 45 to 90 minutes so the primary user isn’t kicked out of his/her session while on a lunch break. Other locations, such as computer labs, may need it set to something lower—maybe 15 to 20 minutes. If you have any thoughts on how long it should take, we’d love to hear them in the comments!

38 Comments
  1. Michel Roth 2 years ago

    Hi Kyle,

    Thanks for the article. You mention that "Windows 8 includes a number of changes to make the system startup and user logon process faster". Do you have any other specific examples other than the Login Script delay?

    Thanks,

    0

    • Author
      Kyle Beckman 2 years ago

      The Windows 8 shut down process is more like hibernation than a traditional shutdown allowing the OS to start faster. Windows 8 also caches Group Policy from the DC and processes those items needed during synchronous processing from that cache instead of the DC (also making things faster). My personal favorite improvement is that Group Policy Preferences Drive Mappings no longer require synchronous processing... meaning that a user doesn't have to log out and back in to get drive maps.

      0

  2. Michel Roth 2 years ago

    I see what you mean. Anything else that you know of that makes a user login explicitly faster? It seems hard to find information from Microsoft about that.

    0

    • Author
      Kyle Beckman 2 years ago

      I've listed the most significant changes, but I'm sure that there are others. There are quite a few posts on the TechNet and MSDN sites about most of the changes, but I'm sure there are still some that are either not explicitly published or don't have the specific details that it sounds like you're looking for.

      0

  3. Joseph Moody 2 years ago

    Good article Kyle! I have a few labs that could use this setup.

    Michel: Group Policy caching is another improvement that you may want to look into.

    0

  4. SJ 2 years ago

    I have a Server 2012 and my clients are Windows 7. I did it exactly as you said but couldn't see anything in the client?

    0

    • Author
      Kyle Beckman 2 years ago

      When you say you couldn't see anything on the client, what do you mean?

      0

  5. JS 2 years ago

    When I generate GPresult there is nothing about this group policy in it. Also, I cannot see IdleLogoff in Task Manager. I have checked it with Group Policy Modeling on the server, but nothing.

    0

    • Author
      Kyle Beckman 2 years ago

      If there's nothing about the Group Policy in gpresult, then it isn't applying to the computer and the user objects. Are your DCs replicating properly? Is your client correctly configured to point to AD DNS? Can the client system talk to the DCs? Is the computer in the OU where the GPO is linked? You've got some other issue if you're not seeing the policy applied to the client.

      0

  6. JS 2 years ago

    Thanks for your reply,
    I can ping the DC as well, so I think there is no problem with DNS. I also checked the link and it's OK.
    I have set a user policy and it works, but I think there is a difference between user and computer policy!!

    0

  7. Kasun 2 years ago

    Great article works perfectly (Y)

    0

  8. Steven 2 years ago

    Thanks for sharing, the tool works great!

    I've implemented it a bit differently in my environment though. I've edited the batch file and replaced "1800 logoff" with "%1 %2". This gives me the possibility to edit the parameters directly through GPM (via the Scripts group policy setting) instead of locating and editing the batch file.

    0

  9. Bart 2 years ago

    Good results with autologoff. Google it.. Does this and has many more options.. two step wait, lock, wait, logoff or hibernate or reboot or... delete temporary files at logoff etc. easy and quick.

    0

  10. amer 1 year ago

    Hi... please can you give me a way to force users that are connected to a server to log off after a certain time from log in? How can I make this without losing data or to save data automatically on the server before forcing log off? What services should be installed on the server? Thank you in advance...

    0

    • Author
      Kyle Beckman 1 year ago

      When you say log off from a server... it really depends on what kind of server you're talking about. Is this an RDS server that people are using Remote Desktop to access, a file server where people are connecting to file shares, or something else? As for preventing them from losing data, I don't know if there's a really good way to do that. Forcefully logging someone off is probably going to result in some form of data loss depending on which applications they are using.

      0

  11. Khaled 1 year ago

    Dear,

    Thanks for your advice, but I want to ask you how we can schedule a time for all computers to log off at the same time. I want to give my network a daily specific time when all computers log off.

    regards

    Khaled Abdraboh

    1+

    • Author
      Kyle Beckman 1 year ago

      I'd be interested in hearing the logic behind doing this. I know in my organization there are people working all times of the day... booting them off their computers would be a problem. You could force a reboot on the systems, but I don't know a good way off the top of my head to reliably log off everyone unless you want to write something in PowerShell or use something 3rd party. Honestly, using the method described in this article should work just fine since it won't forcefully log anyone off until they're idle. Set it to something like 4 or 5 hours and you should be fine.

      0

  12. Jared 1 year ago

    Has anybody had issues with the batch hanging at startup? Idlelogoff is running until I kill the console window. This is happening on my Windows 10 machines.

    1+

    • Author
      Kyle Beckman 1 year ago

      In all honesty, I haven't tested this setup in Windows 10. The environment I was working in at the time was all Windows 7.

      0

  13. Shane Stenhjem 1 year ago

    This is a needed tool for a company that runs a program where an overnight process updates a DB, but if users forget to close out of the program the update fails. The only issue I am having is that when I enable the policy and log into my test machine I get a black screen. Any ideas? Permissions?

    0

    • Author
      Kyle Beckman 1 year ago

      Does it log in eventually? The default timeout for logon scripts is 5 minutes... could be hanging if the permissions are wrong. If you remove the policy and check the Event Logs, you might find something. Another option would be to run a script server-side that kills the remote connections. It sounds like you've already got a process that is doing something... adding an extra step to disconnect everyone shouldn't be too difficult. If it is Microsoft SQL, you could throw it into single user mode, do your updates, and put it back into normal mode when the updates are done.

      0

      • Shane Stenhjem 1 year ago

        Thanks for the reply, Kyle. Unfortunately it is not a SQL DB; it is a FGDB and is supported by our GIS provider. I will look into your suggestions on disconnecting the users.

        0

    • jandro 7 months ago

      I have the same issue. Did you get it to work?

       

      0

    • Mark 1 week ago

      Apologies if the below is specified somewhere else in the article/comments, but admittedly I only skimmed the article looking for a specific piece of info, so please don't hate me, instead excuse me and pat me on the head...

      GPO must be applied to computers not users.  Settings in the computer section of a GPO (called Computer Node) only apply to computers, not users.  Reverse is true with User Node settings.  In cases where the policy has to be applied to SOME users, not ALL users logged into any given computer (in most cases a public or kiosk machine), you will want to investigate loopback processing, which is a whole 'nother process way beyond the space we have here.

      0

  14. Dipak 1 year ago

    Hello,

    Is there a way to logoff a "Disconnected" user.

    This can be any user logged on to Console or through RDP (Using Windows 7).

    I can simply logoff the user by using the Session ID but it is not consistent.

    THE RDS policy does not help when the user is logged on to console.

    0

  15. David 1 year ago

    thanks that was very helpful

    0

  16. Beew 1 year ago

    Only thing with this tool is it cannot force a user session to log off or shut down. When Word is open and the document has not been saved yet, the logoff will not take place. Any ideas on this?

    0

  17. devdells 11 months ago

    Never able to get this working in Windows 10 clients. The setup matches and I know GP applies. But the copying down from a file share to the client never happens. I may try to put into sysvol instead to see if it will copy then.

    0

    • devdells 11 months ago

      Minor point, but in your example by using sysvol for containing the idlelogoff.exe file you avoid an issue with a file share. In my case, I finally realized that the domain computers needed READ permission to the share. Once I did that, the GP preference for the file did actually copy the file down to the client computer.

      In Task Manager I now see two instances of idlelogoff.exe running. Not quite sure why that is.

      1+

      • pcguy 7 months ago

        @devdells

        I believe the reason why it is running twice is that the 1 policy has computer and user policies.  Assuming you are applying this to your workstation and user OUs, it would run twice.

        Kyle, please correct me if I am wrong.  If I am correct, would you recommend separating the policies into 2 separate ones, 1 for User and 1 for Computers?

        Thanks

        0

  18. Toan 6 months ago

    Hi Devdells,

    I have the same issue you first experienced with the file on a network shared folder.  Group Policy showed as applied, but the actual file IdleLogoff.exe was not installed, with the error code "0x80070003 The system can not find the path specified".  Domain Computers have Full permission to the shared folder.

    Please advise,

    Thanks.

     

    1+

  19. Leonard 4 months ago

    I work in a call center environment and our client needs screenshots showing proof the user is logged off automatically. Do you know of a way I could get proof this is working?

    0

  20. Nitin Pandey 3 months ago

    Hi Kyle,

    Thanks for the utility. I'm planning to implement this in one of the environments. If you can help me with a bit of the following clarification:

    1. Instead of C:\Program Files\IdleLogoff\ can I place the exe directly in System32?
    2. Is there a way to implement this Group Policy on a User Security Group, targeting only specific users?

    Thanks, much appreciated.

    1+

  21. @Braino 3 months ago

    Hi Kyle,

    Great article and great interaction with those who have commented.  Your 2nd "non-recommended" solution (the Set time limit for disconnected sessions GPO setting) works for me as I needed this for a VDI environment in which everyone connects to VDI desktops remotely.

    My only comment is the first and 2nd "non-recommended" solutions are sort-of merged together in one paragraph. I would think you'd want a paragraph break between them so they are easier to separate.

    Anyway, thanks for posting this - very thorough and very helpful!

    0

  22. Toni Swinfield 2 months ago

    Hi,

    Thanks for your post. I have managed to do everything said and the idlelogoff.exe copied fine to the local PC using GPO; however, I'm running Windows 10 on my client and it doesn't actually run the .exe! When I try to run this manually it says it's not compatible with Win 10.

    Do you have a version of this tool that is compatible?

    Thanks

    Toni

    0

  23. Franco 2 months ago

    Thanks for the article! It's been really useful to manage the lab at the school!

    Greetings from Chile!

    0

  24. Nitin Pandey 2 months ago

    This was extremely helpful for managing a call center environment. Thank you.

    0

  25. David 5 days ago

    I can't get the download to work on idlelogoff.exe.  Anybody else having this problem?

    0

© 4sysops 2006 - 2017
