Force users to log off when their time is up

Last time, I told you how to control access to home and workgroup machines by implementing logon restrictions using the net user command ("Restrict logon access with this command"). In response, a loyal reader pointed out that, while this restricts logon, it does not force logoff.

Essentially, that means a user could remain logged on indefinitely as long as he or she logged on during an acceptable time -- that is, unless you use a reliable mechanism to force logoff and truly enforce the time restrictions you've set. This time, I'll tell you how to do just that.

Why you can't schedule logoff

Microsoft has admitted that you can't schedule a Windows XP-based computer to shut down and restart by using the AT command with Shutdown.exe. The reasoning is that, by default, tasks scheduled using the AT command run under the Local System account.

Shutdown.exe tries to enable certain rights before it executes the shutdown action. The Local System account doesn't have one of the rights that Shutdown.exe tries to enable, and therefore the action is unsuccessful. Specifically, the Local System account doesn't have the SeRemoteShutdownPrivilege right, which would enable the scheduled command to run.

Redmond's solution is two-fold: The company advises contacting support and requesting a special fix, and it also details a workaround to the problem. In both cases, it comes down to modifying user rights.

As any administrator will tell you, this is generally a path you don't want to go down if you can help it. However, we can solve this problem with a simple freeware utility.

Get the utility

Beyond Logic Shutdown for NT/2000/XP is a simple utility that you can schedule to run, and it will do the job every time without modifying user rights. Download the utility, and extract it into a directory. Then, follow these steps:

  1. Go to Start | Run, type cmd, and press [Enter].
  2. Navigate to the directory where the extracted file resides.
  3. To view the different command parameters available, type shutdown /?.

Create a batch file

Using this utility, we'll create a batch file to run that enforces our time restrictions. Follow these steps:

  1. Go to Start | Run, type notepad, and press [Enter].
  2. Type shutdown -s -f -c -l 30 -m "Time restrictions are now forcing you to logoff; please save all your work."
  3. Go to File | Save, and name the file Shutpc.bat, and save it in the same directory as the utility.

With this command, we're forcing the machine to shut down, forcing applications to terminate at shutdown, preventing the user from cancelling the command, displaying a message box to inform the user what's happening, and giving the user 30 seconds to save all work.

Next, we'll schedule the batch file to run using the built-in scheduler. Follow these steps:

  1. Go to Start | Control Panel, and double-click the Schedule Tasks applet.
  2. Double-click Add Scheduled Task, and click Next.
  3. Click Browse, navigate to the Shutpc.bat file you just created, and double-click the file.
  4. You can change the name of the task or leave it; then, select Daily, and click Next.
  5. Configure the time you want to force logoff, and click Next.
  6. Enter the password for the account that's going to run this task (it should be an administrator account), and click Next.
  7. Select the Open Advanced Properties For This Task When I Click Finish check box, and click Finish.
  8. On the Settings tab, deselect the Power Management check box.
  9. Click OK, and you're finished!

Final thoughts

Restricting logon times is a great tool for managing home and small business security, but you've got to be able to force users to log off when their time is up. This utility makes it an easy process.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.

Worried about security issues? Who isn't? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.