
Force users to log off when their time is up


Last time, I told you how to control access to home and workgroup machines by implementing logon restrictions using the net user command ("Restrict logon access with this command"). In response, a loyal reader pointed out that, while this restricts logon, it does not force logoff.

Essentially, that means a user could remain logged on indefinitely as long as he or she logged on during an acceptable time -- that is, unless you use a reliable mechanism to force logoff and truly enforce the time restrictions you've set. This time, I'll tell you how to do just that.

Why you can't schedule logoff

Microsoft has admitted that you can't schedule a Windows XP-based computer to shut down and restart by using the AT command with Shutdown.exe. The reason is that, by default, tasks scheduled using the AT command run under the Local System account.

Shutdown.exe tries to enable certain rights before it executes the shutdown action. The Local System account doesn't have one of the rights that Shutdown.exe tries to enable, and therefore the action is unsuccessful. Specifically, the Local System account doesn't have the SeRemoteShutdownPrivilege right, which would enable the scheduled command to run.

Redmond's solution is two-fold: The company advises contacting support and requesting a special fix, and it also details a workaround to the problem. In both cases, it comes down to modifying user rights.

As any administrator will tell you, this is generally a path you don't want to go down if you can help it. However, we can solve this problem with a simple freeware utility.

Get the utility

Beyond Logic Shutdown for NT/2000/XP is a simple utility that you can schedule to run, and it will do the job every time without modifying user rights. Download the utility, and extract it into a directory. Then, follow these steps:

  1. Go to Start | Run, type cmd, and press [Enter].
  2. Navigate to the directory where the extracted file resides.
  3. To view the different command parameters available, type shutdown /?.

Create a batch file

Using this utility, we'll create a batch file to run that enforces our time restrictions. Follow these steps:

  1. Go to Start | Run, type notepad, and press [Enter].
  2. Type shutdown -s -f -c -l 30 -m "Time restrictions are now forcing you to logoff; please save all your work."
  3. Go to File | Save, name the file Shutpc.bat, and save it in the same directory as the utility.

With this command, we're forcing the machine to shut down, forcing applications to terminate at shutdown, preventing the user from cancelling the command, displaying a message box to inform the user what's happening, and giving the user 30 seconds to save all work.

Next, we'll schedule the batch file to run using the built-in scheduler. Follow these steps:

  1. Go to Start | Control Panel, and double-click the Scheduled Tasks applet.
  2. Double-click Add Scheduled Task, and click Next.
  3. Click Browse, navigate to the Shutpc.bat file you just created, and double-click the file.
  4. You can change the name of the task or leave it; then, select Daily, and click Next.
  5. Configure the time you want to force logoff, and click Next.
  6. Enter the password for the account that's going to run this task (it should be an administrator account), and click Next.
  7. Select the Open Advanced Properties For This Task When I Click Finish check box, and click Finish.
  8. On the Settings tab, deselect the Power Management check box.
  9. Click OK, and you're finished!

Final thoughts

Restricting logon times is a great tool for managing home and small business security, but you've got to be able to force users to log off when their time is up. This utility makes it an easy process.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.


41 comments
jkinlaw

We are running Samba, and I set up a shutdown in XP using Windows Task Scheduler. All I did was select shutdown.exe. In Run I put C:\WINDOWS\system32\shutdown.exe /r. The /r forces a restart at whatever time I scheduled. At the time I schedule, a popup shows up saying it will shut down in 30 seconds. No option to cancel it.

FAA

IS Decisions edits a 3rd-party tool that does that: UserLock. UserLock allows defining working hours and/or maximum session time for protected users. Outside of this (these) timeframe(s) and/or when time is up, users will be disconnected with prior warning. UserLock also comes with additional features like:

  - Multi-criteria access restrictions
  - Real-time monitoring and alerts
  - Historization, stats and reporting
  - Remote locking and logging off

Full info and trial version here: http://www.userlock.com

massiej

For Windows systems you can use a free utility called PowerOff by J Bosman, available here < http://users.pandora.be/jbosman/applications.html >. It supports command line scripting and has an easy to use GUI. Works very well. I use it to manage automated shutdowns on 100+ student lab computers.

JDW1340

I found a command some time ago on my XP computer: shutdowncomputer.exe. Granted, I have been upgrading my machine since 98 SE but haven't seen it before. I use scheduler and call shutdowncomputer, it doesn't care what is going on with the computer, gives no warnings, and there is no way to stop it. BTW, it will shutdown the computer even if one or more applications have frozen it up. Once called, it will shut down the computer. I schedule my computer to shutdown at midnight each night to save energy. Haven't found on my son's Media Center computer or my wife's version of XP or Vista.

Lovs2look

Isn't this article supposed to show you how to LOG off a user when their time has expired, but all the solutions are to do with re-booting or re-starting the PC. What if you JUST want the users to be forced to LOG off at midnight (or whenever time) can this be scheduled?

groon

Did the author of this actually read the support document referenced in his sentence "Microsoft has admitted that you can't schedule a Windows XP-based computer to shut down and restart by using the AT command with Shutdown.exe"? If he had, he would know that this problem was addressed by Microsoft three years ago with the release of Windows XP Service Pack 2. If there's anyone left running Windows XP without Service Pack 2, shutdown.exe will be among the least of their problems! Did the author actually try running the command AT SHUTDOWN -R -F on a Windows XP machine? If he had, he would have seen it work. How about a little fact checking before wasting our time next time?

bluescreen47

About 10 years back I used a utility that automatically shut the computer down. It allowed a full screen message of your making, including any graphics you wanted, informing the current user that the computer would shut down. I set mine for 3 minutes, allowing for a quick exit of messenger. I got lots of complaints and laughs from my teenage kids, but I used this so I could go to bed and know they were NOT on the computer after a certain hour. I changed the message often to enforce it in their minds that THE COMPUTER WILL SHUT DOWN AT (WHATEVER)

CuMorrigu

I ran into the same problem some time back. You can use the psshutdown executable from Sysinternals. I set up a batch file to run from one of my servers every night at midnight that contains the following entry for each of my computers:

e:\disks\sysinternals\psshutdown -o -f \\(Machine Name) -u (Admin Account) -p (admin password)

The location shown is just where I happen to have my Sysinternals programs stored. I did this because I also have a couple of batch files set by group policy to run at logon and logoff that record what time the user is logging in/out. Now if you are looking for a program that will allow you to create a batch file and run a command with different permissions, try CPAU (Create Process As User) http://tinyurl.com/2jdmnv. I've found that to be a very handy little tool. What I want to be able to do is be able to force screen lock WITHOUT having to force users to a specific screen saver.

vikemnn

You are teaching Felons on how to steal and one is doing it on my computer. This is illegal, don't you think?

Flash00

The title pretty much says it all. Do you know a way to control how long a user can be logged on in a Linux system?

mlevine

"Shutdown -a" will abort the shutdown

ooombaz

Sorry, but the scheduled task can be deleted by an aware user. Is there another solution? Thanks to you all.

CuMorrigu

I talked about this in an earlier post... I've found the best (read cheapest, it's free, and easiest) solution is to run a batch file using SysInternal psshutdown.exe. I have a batch file run on my server every night at midnight that runs the command:

e:\disks\sysinternals\psshutdown -o -f \\(Machine Name) -u (Admin Account) -p (admin password)

Now the above command, when run and the appropriate blanks filled in, will log the user off. You would need a line in the batch file for each machine you want to force logoff on. You can set the batch file to run whenever you want via the scheduler or the AT command. So you could have several batch files set to run at various times to log different users off. If you want to make sure a user is logged off after a certain time, but not force someone to log in the middle of something, I recommend using the winexit screen saver (http://support.microsoft.com/kb/314999). Install this screen saver on everyone's computer and specify it as the default screen saver via group policy, then set the screen saver timeout via group policy and you can force a logout after say... 10 minutes of inactivity.

CuMorrigu

I cannot speak for the Author, but I can speak for myself. I HAVE tried scheduling shutdown using the AT command and it does NOT work. All of my machines have XP Pro SP2 on them, I received a tasker from my president wanting me to track when users log in/log out. I have several users that refuse to log out. So I tried forcing the log out using the AT command and it wasn't working. It wasn't until I used the psshutdown tool from SysInternals that I had any luck.

rjcirtwell

I've been having a problem running any remote shutdown process when the user has open files (such as unsaved Word docs) on a network share. Any suggestions?

sdtasch

I deal with a network center & unfortunately people turn off the monitor thinking they turned off the computer (don't ask). How can we shut down or log them off? (screw the open files.)

lloyddrose

I use Child Control at home. I can set a time window when each of my children may use the pc and I can also restrict the maximum amount of time each child may use the pc and within that time frame if required the maximum time each child may be on the internet.

MetalFR0

This is what I use for doing a screen lock after 60 minutes of activity on my network. What I really need is an app, process, or system for forcing user logoff after so much activity on a PC-by-PC basis. I have a few multi-user PCs that are problematic where a user will forget to log off & I'm stuck having to either walk the user through a manual power down (if I can't get to a PC) or VNC to that machine to unlock it administratively. I've tried a couple apps that didn't work - any suggestions?

rschling

The sysinternals psshutdown has a switch for "lock" the machine (-l i think) would that do what you need?

Jim Rouse

Why not just use the that's in the folder. It can only be called or cancelled by an Administrator account. Place a cmd line like in a batch file and run as a System or Administrator privileged task.

jim

I'll have what he's having!

Lovs2look

Pass the bong over here dude....Phew! No...this article has nothing to do with identity theft, and if one is stealing info from you RIGHT NOW then WTF are you doing in this forum? Unplug your internet and scan scan scan!

CuMorrigu

Say again, did I miss something there? I agree with one of the earlier replies, not only are you smoking something, but can I have some?

LAMCan

You smoking something there?

MikeGall

Several useful commands: logout, /sbin/shutdown, /sbin/poweroff, /sbin/reboot. You could schedule a cron job to run this command at a certain time. It doesn't seem like the utility talked about here actually solves the specific problem; it is scheduling a logoff at a certain time, but what if you want to make sure that users aren't logged in for longer than x minutes (say, a public access terminal)? I can think of a way to accomplish this in both Windows and Linux, but it would be a little bit of a pain. You'd schedule one task to run at startup, which would save the system time at that time. Then another one that would run, say, every 5 minutes. If the difference between the current time and the saved time exceeds what you want, then you call the logout command or whatever. The login time is probably saved somewhere in both Windows and Linux; some Linux use /var/log/lastlog, but that could vary between distros.
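
Added example (not part of the post above or of the original article): a POSIX shell sketch of the save-a-start-time-then-poll approach, adapted to record a stamp per user on first sighting rather than once at startup. STATE_DIR, LIMIT_SECONDS, EXEMPT_USERS, LOGOFF_CMD and the function names are assumptions made for this sketch; the real logoff command is left as a dry run.

```shell
#!/bin/sh
# Added example: per-user session time limit, meant to run as root from cron
# every 5 minutes. All variable and function names are choices made for this sketch.
STATE_DIR="${STATE_DIR:-/var/lib/session-limit}"  # root-owned, mode 0700, so users cannot reset their clock
LIMIT_SECONDS="${LIMIT_SECONDS:-3600}"
EXEMPT_USERS="${EXEMPT_USERS:-root}"
LOGOFF_CMD="${LOGOFF_CMD:-echo would-log-off}"    # dry run; e.g. "pkill -KILL -u" to enforce

# Usernames become file names, so reject anything that could escape STATE_DIR.
valid_user() {
    case "$1" in
        ""|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Record the first time a user is seen logged on; later calls keep the first stamp.
record_login() {  # record_login USER [NOW_EPOCH]
    valid_user "$1" || return 1
    [ -f "$STATE_DIR/$1" ] || echo "${2:-$(date +%s)}" > "$STATE_DIR/$1"
}

# Exit status 0 when the recorded session age has reached LIMIT_SECONDS.
session_expired() {  # session_expired USER [NOW_EPOCH]
    valid_user "$1" && [ -f "$STATE_DIR/$1" ] || return 1
    start=$(cat "$STATE_DIR/$1")
    now="${2:-$(date +%s)}"
    [ $((now - start)) -ge "$LIMIT_SECONDS" ]
}

is_exempt() {
    for u in $EXEMPT_USERS; do [ "$u" = "$1" ] && return 0; done
    return 1
}

# One polling pass over a space-separated list of logged-on users (normally
# taken from `who`). Prints each user the logoff command was run for.
enforce() {  # enforce "USER LIST" [NOW_EPOCH]
    for user in $1; do
        is_exempt "$user" && continue
        record_login "$user" "${2:-}" || continue
        if session_expired "$user" "${2:-}"; then
            $LOGOFF_CMD "$user" >/dev/null 2>&1 || echo "logoff failed: $user" >&2
            echo "$user"
        fi
    done
    # Forget users who are no longer logged on so the next session starts fresh.
    for f in "$STATE_DIR"/*; do
        [ -f "$f" ] || continue
        case " $1 " in *" ${f##*/} "*) ;; *) rm -f "$f" ;; esac
    done
    return 0
}

if [ "${1:-}" = "--cron" ]; then
    mkdir -p "$STATE_DIR" && chmod 700 "$STATE_DIR"
    enforce "$(who | awk '{print $1}' | sort -u | tr '\n' ' ')"
fi
```

Because the stamp is written at the first poll that sees the user, a session can run up to one polling interval longer than the limit.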

Lovs2look

Thanks for a great post, very useful, but I still have a problem with calling a program "PSShutdown" to log off a user. Why not call it PSLogoff if that's all it does? I still think that this will SHUTDOWN the PC when I only want all files closed and user logged off so that backups can happen overnight. Don't want PC to be shut down. I will go have a look at this utility and see what else it does, so thanks for the ideas. BTW does that mean I need a line for EACH pc that I want logged out? Sheesh! There has to be a better way, don't you think. Why is there a setting in Group Policy to log off users after their time has expired if it don't work. Good on ya M$!

CuMorrigu

I ran into a similar problem, I fixed it by using the Sysinternals psshutdown.exe tool.

david_scott

While this does not actually shut a machine down or log a person out of their desktop, on an MS network you can use group policy to "unauthenticate them" to the domain and not allow reauthentication until a certain time. It's under Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options, "Network security: Force logoff when logon hours expire". The logon hours specified for the computer can be defined in Active Directory.

CuMorrigu

I don't think that is really good for a business solution. Not very many employees I've worked with work a set time every day. You come in at ABOUT the same time and leave at ABOUT the same time, maybe. I know at my company though a project manager may have to work much later one night and I know I don't want to constantly play babysitter and reset their time or go in and allow them more time for that day. I still think the best bet would be to use the winexit.scr screen saver. It might take a few minutes to configure, but it is the best bet for ensuring a logoff if someone leaves and leaves their computer logged in. Set it for say 10 or 15 minutes. If you install it on everyone's you can specify it as the SS by Group policy and do all the settings via group policy, and you can easily write a batch file to put the SS in the correct directory or, if you feel more comfortable, you can still 'touch' every machine by using the admin share.

CuMorrigu

It also has a switch to shut off the machine. But no, the problem is, I have by group policy defined that the user's screen saver will kick on after 40 minutes (too long I know, but that was a compromise). I had also until recently defined by policy what screen saver they had to use. The user can change neither of those. Now I recently switched the policy settings to allow the users to choose their screen saver; if you do that though, the user can avoid the forced screen lock by simply setting the screen saver to none. What I'm looking for is a way to make sure that the screen locks after a set time of inactivity, but still allow the user the ability to choose what screen saver they use.

Lovs2look

Have had a look at the util which DOES just do logoffs, so thanks very much for your insights. Will be busy composing the batch file now. We have 70 PCs to the site so it'll be a biggy, but thinking about it not all PCs have multi users so probably can trim that down to 50 or so. Once again thanks a lot for helping me out on this one...it SHOULD be easier than this tho'.

CuMorrigu

There are a couple of ways you can do this (see some of my posts earlier). Sysinternals has a good little tool psshutdown.exe: I run this batch file from my server every night at midnight - e:\disks\sysinternals\psshutdown -o -f \\(Machine Name) -u (Admin Account) -p (admin password) (I have a line for each computer) Now that being said, that's good if you are in an environment with few computers that closes down at a certain time, with few if any users working past that time. I have managed the computers for a call center though, what I think you would really want is the Winexit.scr. You can install that screen saver on everyone's computer and then force everyone to use that as their screen saver by group policy. Also by group policy you go in and set the time on the screen saver and after a predefined time of inactivity it will force the user to log off. http://support.microsoft.com/kb/314999

CuMorrigu

You can if you just install winexit.scr on those specific computers and set it as the screen saver. You then create an OU for those computers and create a group policy for that OU that enforces Winexit.scr as the screen saver and sets a 'logout' time. I myself have a different OU for my Laptops and Desktops and different policies enforced on both.

MetalFR0

I don't want to do this for all users, or even for those in a specific OU. I have a handful of isolated PCs that I want to be able to force logoff for. Multi-user machines that our physicians forget to log out of, or sometimes our ambulance personnel. I'm not sure if I can set Winexit.scr to function that way.

CuMorrigu

This is true and how I have my settings, however if you get a smart user/lazy user/someone that just doesn't like screen savers, then if they set their Screen Saver to none, you bypass all of this. That is all a user has to do to not be affected by this UNLESS you force a particular SS on them by policy as well (something I'm trying to avoid doing...again)

Double DeBo

This is for Windows 2003 Server; it works for Windows XP Pro and 2000 Pro clients. You can enable the screen saver by Group Policy, lock the screen with the screen saver and still allow the user to choose what screen saver they would like to use.

--------------------------
User Configuration
Administrative Templates
Control Panel/Display

Policy/Setting
Password Protect Screen Saver/Enabled
Screen Saver Timeout/
-----------------------------

Those settings will activate the screen saver after 30 minutes of inactivity; the user will have to use CTRL, ALT, DEL, then log back in with domain password to continue working.
