Group Policy Settings-Force User Logoff

By Kiyanie ·
I'm trying to create a group policy that will allow admins to set logon hours (when necessary) to force a user off the network.

I understand I need to enable two settings on the Computer Configuration Node to accomplish this:

Microsoft network server: Disconnect clients when logon hours expire


Network Security: Force Logoff when logon hours expire

We've added this to our default domain policy; however, while all other settings work, these two don't.

Any ideas on how we can make this happen?


All Comments


by greyseal96 In reply to Group Policy Settings-For ...

I had this same exact problem myself. We have Win2k and Win2k3 DCs. The goal was that at a specified hour every night, users would be booted off to enforce the logon hours that we set. The only problem was that they weren't booted off. Between reading on TechNet and other websites, it looked like all those GP settings did was force their privileges to access domain resources to "log off." What this means is that they couldn't access shares, etc., but it still didn't log them off of their computer. That seems kinda dumb to me. What we ended up doing was creating a couple of scripts. One script was the logoff event and one scheduled a time for it to run. In GP we put the "scheduling" script in the User Configuration--Windows Settings--logon scripts section and when the user logged on, a "one-time only" event was created that ran the logoff script. This way, at the specified time the user would be logged off and they wouldn't be able to log on to the domain, or their computer again. It has worked pretty well for us.

I'd also like to get a good explanation as to why those gp settings don't log the user off from their computer.
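
The two-script workaround described in the post above, sketched as an added example (not the poster's own scripts): a user logon script that registers a one-time task to log the session off at the cutoff. The task name, the 22:00 cutoff, and the use of the ScheduledTasks PowerShell module (Windows 8 / Server 2012 or later) are assumptions.

```powershell
# Added example: user logon script that schedules a one-time logoff of this session.
# Assumptions (not from the thread): the task name and the 22:00 cutoff below.
# Covers only the evening cutoff; a logon before the morning start hour is not handled.

$TaskName = 'ForceLogoff-LogonHours'            # hypothetical task name
$Cutoff   = [datetime]::Today.AddHours(22)      # assumed end of permitted logon hours

if ((Get-Date) -ge $Cutoff) {
    # Logged on after the cutoff: a one-time trigger in the past would never fire,
    # so end the interactive session immediately instead of scheduling anything.
    shutdown.exe /l
    exit
}

# The "logoff event": log off the interactive session the task runs in.
$action = New-ScheduledTaskAction -Execute 'shutdown.exe' -Argument '/l'

# The "one-time only" schedule for today.
$trigger = New-ScheduledTaskTrigger -Once -At $Cutoff

# Run as the user who is logging on, in their interactive session (no stored password).
$principal = New-ScheduledTaskPrincipal `
    -UserId "$env:USERDOMAIN\$env:USERNAME" `
    -LogonType Interactive

# -Force replaces the task left over from a previous logon.
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Force | Out-Null
```

A task registered this way belongs to the user, who can delete it, so treat it as a convenience on top of the logon-hours restriction rather than as the control itself.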


by CharTech In reply to Group Policy Settings-For ...

This policy was designed only to prevent access to network resources during the configured hours, thus preventing any damage to resources such as sensitive files or changes to network configurations. It was never intended to prevent access to the client machine. The "Force logoff when hours expire" is deceiving. It simply means the user will be unable to authenticate themselves on the network. To quote Microsoft: "Force logoff when logon time expires. Determines whether to disconnect users who are connected to the local computer outside their valid logon hours. This setting affects the Server Message Block (SMB) component of a Windows 2000 server. When this policy is enabled, client sessions with the SMB server are disconnected when the client's logon hours expire. If this policy is disabled, an established client session can continue after the client's logon time expires." I agree it would be nice if the policy actually forced the computer to log off, but that cannot be done with a GPO. At least not to my knowledge.


by Kiyanie In reply to Group Policy Settings-For ...

This question was closed by the author
