Re: Force user logoffs in GPO



Be aware of the side effect (or actually main effect) of the "Interactive logon: Require Domain Controller authentication to unlock workstation" policy. This will disable cached logons, so a computer not able to contact a DC (e.g. a laptop on the road) will not allow any user logons!

Florian, can you please explain why this policy would be beneficial in this situation? I don't see the advantage of setting this policy for the problem described.

--
Kind regards,

Erik Cheizoo
eXcellence & Difference - we keep your business running
============================================
Always test in a non-production environment before implementing
Guidelines for posting: http://support.microsoft.com/?id=555375
============================================


"Florian Frommherz" <florian@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:uVvKHnbSHHA.4188@xxxxxxxxxxxxxxxxxxxxxxx
Howdie!

Johnmac wrote:
hey everyone,
I'm all googled out! Does anyone know if there is a way to force/automatically log off a user after x amount of minutes of inactivity in Active Directory? I looked in GPO and could not find a setting.

I don't know of a method with which you can actually log off the user from the machine and prevent him/her from logging back on. What are you trying to achieve? If you simply want to require the user to unlock the machine after a certain time, you could enable a password-enabled screen saver or have a look at the following policy:

"CompConf\Windows Settings\Security Settings\Local Policies\Security Options" and there: "Interactive logon: Require Domain Controller authentication to unlock workstation"

cheers,

Florian
--
Junior admin from southern Germany.
eMail: first name [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
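
The settings mentioned in this thread can be checked on a workstation by reading the registry values that back them. The script below is an added example, not code from any of the posters; it runs as the logged-on user because the screen saver policies are per-user. The 900-second threshold is an assumption chosen for illustration.

```powershell
# Added example: report the registry values behind the settings discussed above.
$MaxIdleSeconds = 900   # assumed acceptable idle time, not a value from the thread

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist (policy not set).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$desktop  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

$state = [pscustomobject]@{
    # Policy-enforced, password-protected screen saver (per user)
    ScreenSaveActive    = Get-RegValue $desktop  'ScreenSaveActive'
    ScreenSaverIsSecure = Get-RegValue $desktop  'ScreenSaverIsSecure'
    ScreenSaveTimeOut   = Get-RegValue $desktop  'ScreenSaveTimeOut'
    # "Require Domain Controller authentication to unlock workstation"
    ForceUnlockLogon    = Get-RegValue $winlogon 'ForceUnlockLogon'
    # "Number of previous logons to cache"
    CachedLogonsCount   = Get-RegValue $winlogon 'CachedLogonsCount'
}

$findings = @()
if ($state.ScreenSaveActive -ne '1' -or $state.ScreenSaverIsSecure -ne '1') {
    $findings += 'No policy-enforced password-protected screen saver for this user.'
}

$timeout = 0
$parsed  = [int]::TryParse([string]$state.ScreenSaveTimeOut, [ref]$timeout)
if (-not $parsed -or $timeout -le 0) {
    $findings += 'No policy-enforced screen saver timeout.'
} elseif ($timeout -gt $MaxIdleSeconds) {
    $findings += "Screen saver timeout is $timeout s, above $MaxIdleSeconds s."
}

if ($state.ForceUnlockLogon -eq 1) {
    $findings += 'Unlock requires a reachable domain controller; test with off-network laptops.'
}

$state | Format-List
if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```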
