March 09, 2005

Automatically log off users

One of the concerns I had with Active Directory in the Nord Computer Lab was that users would forget to log off their accounts. Previously, the computers automatically logged on as a generic user, so people had a habit of not logging off. One way to remedy this situation is the WINEXIT.SCR screensaver, which is part of the Windows Server 2003 Resource Kit Tools.

Copy the file to C:\WINDOWS\SYSTEM32 on each computer, and use the Group Policy Management Console (GPMC) to set it as the default screensaver and to set the timeout period. You MUST also change the permission on a registry key for the screensaver to work for all users of the machine. See KB156677: Logoff Screen Saver Does Not Function in Windows NT.

By default, WINEXIT.SCR presents the user with a dialog box 30 seconds before they are to be logged off; when that happens is determined by when you've set the 'screensaver' to kick in. I wanted the dialog box to come up a lot earlier, say 5 minutes beforehand, to give the user time to react. You can also set WINEXIT.SCR to force application termination and to show a custom message. The following ADM file I wrote can be used with the GPMC to configure these settings. Installing it will put a group of settings entitled "Winexit.scr Policy settings" under "User Configuration->Administrative Templates" in the GPMC.

;; Remember in GPMC to go View->Filtering
;; and uncheck "Only show policy settings that can be fully managed"
;;
;; David Carlin (djc6@case.edu) 2/25/2005
;;
;; WINEXIT.SCR is located in the Windows Server 2003 Resource Kit

CLASS USER

CATEGORY !!Screen_Saver_Policy

POLICY !!TERMINATE_APPS
KEYNAME "Control Panel\Screen Saver.Logoff"
VALUENAME ForceLogoff
VALUEON "1" VALUEOFF "0"
END POLICY

POLICY !!COUNTDOWN_TIMEOUT
KEYNAME "Control Panel\Screen Saver.Logoff"
VALUENAME CountDownTimer
VALUEON "300"
END POLICY

POLICY !!ENTER_DIALOG_MESSAGE
KEYNAME "Control Panel\Screen Saver.Logoff"
PART !!ENTER_DIALOG_MESSAGE
EDITTEXT
DEFAULT !!DEFAULT_MESSAGE
VALUENAME DialogMessage
END PART
END POLICY

END CATEGORY

[strings]
Screen_Saver_Policy="Winexit.scr Policy settings"
TERMINATE_APPS="Terminate running applications"
COUNTDOWN_TIMEOUT="Enable 5 minute warning logoff notice"
ENTER_DIALOG_MESSAGE="Warning message about being logged off"
DEFAULT_MESSAGE="You are about to be logged out. Press the cancel button to stop this process."

Posted by djc6 at March 9, 2005 11:00 PM
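
An added example, not part of the original post or its template: a small Python check to run on an ADM file like the one above before loading it into the GPMC. It verifies that every CATEGORY, POLICY and PART is closed and that every !!name has an entry under [strings]; the sample is a constructed, shortened copy of the template with DEFAULT_MESSAGE left out, and treating string names as case-insensitive is an assumption.

```python
import re

# Constructed sample: shortened copy of the template, DEFAULT_MESSAGE string left out.
SAMPLE_ADM = r'''
CLASS USER
CATEGORY !!Screen_Saver_Policy
  POLICY !!TERMINATE_APPS
    KEYNAME "Control Panel\Screen Saver.Logoff"
    VALUENAME ForceLogoff
    VALUEON "1" VALUEOFF "0"
  END POLICY
  POLICY !!ENTER_DIALOG_MESSAGE
    KEYNAME "Control Panel\Screen Saver.Logoff"
    PART !!ENTER_DIALOG_MESSAGE EDITTEXT
      DEFAULT !!DEFAULT_MESSAGE
      VALUENAME DialogMessage
    END PART
  END POLICY
END CATEGORY
[strings]
Screen_Saver_Policy="Winexit.scr Policy settings"
TERMINATE_APPS="Terminate running applications"
ENTER_DIALOG_MESSAGE="Warning message about being logged off"
'''

BLOCKS = {"CATEGORY", "POLICY", "PART"}
TOKEN = re.compile(r'"[^"]*"|[^\s"]+')   # quoted string or bare word

def lint_adm(text):
    """Return a list of problems found in an ADM template (empty = clean)."""
    m = re.search(r"^\[strings\]\s*$", text, re.I | re.M)
    body, table = (text[:m.start()], text[m.end():]) if m else (text, "")
    # String names are compared case-insensitively (assumption, see lead-in).
    defined = {ln.split("=", 1)[0].strip().lower() for ln in table.splitlines()
               if "=" in ln and not ln.lstrip().startswith(";")}
    problems, stack, used = [], [], {}
    for no, line in enumerate(body.splitlines(), 1):
        toks = iter(TOKEN.findall(line))
        for tok in toks:
            if tok.startswith(";"):          # rest of the line is a comment
                break
            up = tok.upper()
            if up == "END":
                kind = next(toks, "").upper()
                if kind not in [k for k, _ in stack]:
                    problems.append(f"line {no}: END {kind} has no open {kind}")
                    continue
                while stack[-1][0] != kind:  # blocks left open inside it
                    k, n = stack.pop()
                    problems.append(f"line {n}: {k} is never closed")
                stack.pop()
            elif up in BLOCKS:
                stack.append((up, no))
            elif tok.startswith("!!"):
                used.setdefault(tok[2:].lower(), no)
    problems += [f"line {n}: {k} is never closed" for k, n in stack]
    problems += [f"line {n}: !!{name} missing from [strings]"
                 for name, n in used.items() if name not in defined]
    return problems
```

Calling `lint_adm(SAMPLE_ADM)` reports the one missing string; line numbers in the messages count from the start of the text passed in.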

Comments

This is just what I was looking for (ADM template for the winexit.scr screen saver). Thanks!

Posted by: Matt Goheen at May 13, 2005 12:37 PM

How do I set up the adm file... or, where can I find the .adm file to import it to my GPMC?

Posted by: mike at May 19, 2005 02:44 PM

Just copy/paste that code above into a file with a .ADM extension.

This website:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/gp/admtgp.mspx

Explains how to create and use custom policies. Specifically, you should look at the section titled "Loading an .Adm File into the Group Policy Snap-in"

Posted by: David Carlin at May 19, 2005 10:42 PM

Unfortunately, I can't get it to work. I set everything up as suggested; however, the customized logout time and message don't appear to take effect. I ensured that I loaded the adm, set permissions, adjusted registry, and enabled the three settings for the winexit adm. Everything works except for the settings specified in the custom adm.

Posted by: richard at June 21, 2005 08:24 PM

How do I set the amount of time that I want for the logoff to begin? Like, I want to give my users 25 minutes and then start the notification screen saying they will log off automatically.

Posted by: John Coyle at August 31, 2005 01:20 PM

David,
This is great. I have copied your adm file and loaded it. The message box and force application quit work very well, but the countdown time of 300 seconds doesn't work for a regular user. It only puts the default, which is 30 seconds. Do you know how to fix this?

Thanks a lot for posting this

Posted by: Danyang Zhang at September 2, 2005 05:18 PM

The adm template is successful in setting the correct registry keys in HKCU/ControlPanel/ScreenSaver.Logoff, but winexit.scr does not read those settings; it reads the settings from the %systemroot%\control.ini file.

What's wrong?

Posted by: Jon at October 21, 2005 03:44 PM

Great info; thank you!

Posted by: Jon Sibray at November 11, 2005 12:01 PM

Wonderful info you have here!
I'm not sure if any of the above concerns have been resolved or not; however, I have a separate question.

I need the computer to lock after 5 minutes and logout after 10 minutes, any ideas?

Posted by: Kenny Calero at November 17, 2005 12:42 AM

How do you script a permission change on a registry key? I would like to use a GP logon script, but I am not sure how to actually change a permission on keys.

Posted by: Jay at November 30, 2005 10:41 AM

Hello,
I have done it with a small script to change the registry values and it works. But if I use a time of inactivity which is higher than 20 minutes, the screensaver does not start.
Does anybody have an idea?

Posted by: Marc Frankenhauser at December 7, 2005 08:00 AM

Kenny Calero, here's an answer to your bit... if you are using Group Policy Objects to push settings, you can also do the same for registry keys.

While editing the policy, navigate to Computer Configuration | Security Settings | Registry

Right-click and select "Add Key". You can browse to locate a key you have created on the workstation you are using, and once selected, can assign permissions to it. I suggest using "Authenticated Users" in lieu of "Everyone" however - let's not forget the Everyone group also contains Hacker1, Hacker2, YouMomma, and any other non-existent account you may dream up. :)

Dustin

Posted by: Dustin Decker at January 18, 2006 11:15 AM

I created an MSI file that can be published via group policy that installs the winexit.scr file to the system32 directory and makes the necessary registry changes.

With the MSI file, you can do a complete enterprise install without going to each workstation.

The MSI file can be edited with Microsoft's Orca (an MSI file editor) to change the domain/user group that requires access to the registry key.

TJ

Posted by: TJ Pierce at January 23, 2006 12:46 PM

TJ Pierce,

Do you mind posting a link to this .msi file you created so that we can all use it?

Posted by: Alex at March 3, 2006 06:05 AM

You posted a .adm solution for the Winexit.scr for AD. It was very helpful, thank you. I did, however, modify it a small amount to make the default of 5 minutes a variable. Following is the change I made so that you can put in, via AD policy, any time in seconds you choose.

POLICY !!COUNTDOWN_TIMEOUT
KEYNAME "Control Panel\Screen Saver.Logoff"
VALUENAME CountDownTimer
PART !!CountDownTimerFreqSpin NUMERIC DEFAULT 30
MIN 0 MAX 599940 SPIN 1
TXTCONVERT
VALUENAME "CountDownTimer"
END PART
END POLICY

[strings]
CountDownTimerFreqSpin="Time to Shutdown in seconds"

cheers -tc.

Posted by: Toby at April 6, 2006 02:26 PM

Toby, I used your modified AD policy, but when I select it the policy won't enable. Any ideas?

Posted by: Belinda at May 23, 2006 09:25 PM

I am using your custom ADM file but it does not seem to be working for me. Does the file have to be saved on the DC in the windows\inf folder, or can it be anywhere and just be imported in GPMC?

Posted by: Jean Mesidor at August 29, 2006 11:46 AM

"TJ Pierce,

do you mind posting a link to this .msi file you created so that we can all use it?"

I'd like this .msi file too.

Posted by: yallax at December 13, 2006 02:31 AM

I've played with the ADM suggested and found this works in as much as the timing customisation now works... (complete rewritten version)

;; Remember in GPMC to go View->Filtering
;; and uncheck "Only show policy settings that can be fully managed"
;;
;; David Carlin (djc6@case.edu) 2/25/2005
;;
;; WINEXIT.SCR is located in the Windows Server 2003 Resource Kit


CLASS USER


CATEGORY !!Screen_Saver_Policy


POLICY !!TERMINATE_APPS
KEYNAME "Control Panel\Screen Saver.Logoff"
VALUENAME ForceLogoff
VALUEON "1" VALUEOFF "0"
END POLICY


POLICY !!COUNTDOWN_TIMEOUT
KEYNAME "Control Panel\Screen Saver.Logoff"
PART !!CountDownTimerFreqSpin NUMERIC
VALUENAME "CountDownTimer"
MIN 0
MAX 599940
TXTCONVERT
DEFAULT 300
SPIN 15
END PART
END POLICY


POLICY !!ENTER_DIALOG_MESSAGE
KEYNAME "Control Panel\Screen Saver.Logoff"
PART !!ENTER_DIALOG_MESSAGE
EDITTEXT
DEFAULT !!DEFAULT_MESSAGE
VALUENAME DialogMessage
END PART
END POLICY


END CATEGORY


[strings]
Screen_Saver_Policy="Winexit.scr Policy settings"
TERMINATE_APPS="Terminate running applications"
COUNTDOWN_TIMEOUT="Enable 5 minute warning logoff notice"
ENTER_DIALOG_MESSAGE="Warning message about being logged off"
DEFAULT_MESSAGE="You are about to be logged out. Press the cancel button to stop this process."
CountDownTimerFreqSpin="Time to Shutdown in seconds"

Posted by: Martin Smallridge at March 31, 2007 06:04 PM

Hi.

When your registry keys are not working, check out "HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows NT\ CurrentVersion\ IniFileMapping" (search Google for docu on IniFileMapping). Adding an @ before "USR:Control Panel\Screen Saver.Logoff" helped. Might need a restart.

Posted by: Hubert at June 11, 2007 05:20 AM

Thanks for the adm file. very helpful!

Posted by: Jan at June 4, 2008 03:40 PM

The following ADM includes the registry modification. You need to restart the machine afterwards.

CLASS MACHINE

CATEGORY !!WinExitScr
POLICY !!EnableRegistry
EXPLAIN !!EnableRegistry_Help

KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\control.ini"
VALUENAME "Screen Saver.Logoff"
VALUEON "@USR:Control Panel\Screen Saver.Logoff"
VALUEOFF "USR:Control Panel\Screen Saver.Logoff"
END POLICY

END CATEGORY ; !!WinExitScr

CATEGORY !!AdministrativeServices

CATEGORY !!PolicyPolicies

POLICY !!UserPolicyMode
KEYNAME "Software\Policies\Microsoft\Windows\System"

EXPLAIN !!UserPolicyMode_Help

PART !!UserPolicyModeOp DROPDOWNLIST NOSORT
VALUENAME "UserPolicyMode"
ITEMLIST
NAME !!UserPolicyMode_Merge VALUE NUMERIC 1
NAME !!UserPolicyMode_Replace VALUE NUMERIC 2 DEFAULT
END ITEMLIST
END PART
END POLICY

END CATEGORY ; PolicyPolicies

END CATEGORY ; AdministrativeServices

;**************************************************************************************************

CLASS USER

CATEGORY !!Cpl

CATEGORY !!Display
CATEGORY !!WinExitScr

KEYNAME "Control Panel\Screen Saver.Logoff"

POLICY !!ForceLogoff
VALUENAME ForceLogoff
VALUEON "1"
VALUEOFF "0"
END POLICY

POLICY !!CountDownTimer
PART !!WarningTime TEXT END PART
PART " " NUMERIC TXTCONVERT REQUIRED
MIN 0 MAX 900 SPIN 60
VALUENAME CountDownTimer
DEFAULT "300"
END PART
END POLICY

POLICY !!DialogMessage
PART !!Message TEXT END PART
PART " "
EDITTEXT
DEFAULT !!DefaultMessage
VALUENAME DialogMessage
END PART
END POLICY

END CATEGORY ; !!WinExitScr

KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\System"

POLICY !!ScreenSaverActive
KEYNAME "Software\Policies\Microsoft\Windows\Control Panel\Desktop"

EXPLAIN !!ScreenSaverActive_Help
VALUENAME "ScreenSaveActive"
VALUEON 1
VALUEOFF 0
END POLICY

POLICY !!ScreenSaverFilename
KEYNAME "Software\Policies\Microsoft\Windows\Control Panel\Desktop"

EXPLAIN !!ScreenSaverFilename_Help
PART !!ScreenSaverFilename EDITTEXT
VALUENAME "SCRNSAVE.EXE"
END PART
END POLICY

POLICY !!ScreenSaverIsSecure
KEYNAME "Software\Policies\Microsoft\Windows\Control Panel\Desktop"

EXPLAIN !!ScreenSaverIsSecure_Help
VALUENAME "ScreenSaverIsSecure"
VALUEON 1
VALUEOFF 0
END POLICY

POLICY !!ScreenSaverTimeOut
KEYNAME "Software\Policies\Microsoft\Windows\Control Panel\Desktop"

EXPLAIN !!ScreenSaverTimeOut_Help
PART !!ScreenSaverTimeOut_Tip1 TEXT
END PART
PART !!Blank TEXT
END PART
PART !!ScreenSaverTimeOutFreqSpin NUMERIC DEFAULT 900
MIN 0 MAX 599940 SPIN 60
TXTCONVERT
VALUENAME "ScreenSaveTimeOut"
END PART
END POLICY

END CATEGORY ;Display

END CATEGORY ;;cpl


[strings]
AdministrativeServices="System"
PolicyPolicies="Group Policy"
UserPolicyMode_Help="Applies alternate user settings when a user logs on to a computer affected by this setting.\n\nThis setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this setting. It is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used.\n\nBy default, the user's Group Policy objects determine which user settings apply. If this setting is enabled, then, when a user logs on to this computer, the computer's Group Policy objects determine which set of Group Policy objects applies.\n\nTo use this setting, select one of the following modes from the Mode box:\n\n-- "Replace" indicates that the user settings defined in the computer's Group Policy objects replace the user settings normally applied to the user.\n\n-- "Merge" indicates that the user settings defined in the computer's Group Policy \
objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer's Group Policy objects take precedence over the user's normal settings.\n\nIf you disable this setting or do not configure it, the user's Group Policy objects determines which user settings apply.\n\nNote: This setting is effective only when both the computer account and the user account are in Windows 2000 domains."
UserPolicyMode_Merge="Merge"
UserPolicyMode_Replace="Replace"
UserPolicyMode="User Group Policy loopback processing mode"
UserPolicyModeOp="Mode:"
CPL="Control Panel"
Display="Display"
ScreenSaverActive="Screen Saver"
ScreenSaverActive_Help="Enables desktop screen savers.\n\nIf you disable this setting, screen savers do not run. Also, this setting disables the Screen Saver section of the Screen Saver tab in Display in Control Panel. As a result, users cannot change the screen saver options.\n\nIf you do not configure it, this setting has no effect on the system.\n\nIf you enable it, a screen saver runs, provided the following two conditions hold: First, a valid screensaver on the client is specified through the "Screensaver executable name" setting or through Control Panel on the client computer. Second, the screensaver timeout is set to a nonzero value through the setting or Control Panel.\n\nAlso, see the "Hide Screen Saver tab" setting."
ScreenSaverFilename_Help="Specifies the screen saver for the user's desktop.\n\nIf you enable this setting, the system displays the specified screen saver on the user's desktop. Also, this setting disables the drop-down list of screen savers on the Screen Saver tab in Display in Control Panel, which prevents users from changing the screen saver.\n\nIf you disable this setting or do not configure it, users can select any screen saver.\n\nIf you enable this setting, type the name of the file that contains the screen saver, including the .scr file name extension. If the screen saver file is not in the %Systemroot%\System32 directory, type the fully qualified path to the file.\n\nIf the specified screen saver is not installed on a computer to which this setting applies, the setting is ignored.\n\nNote: This setting can be superseded by the "Screen Saver" setting. If the "Screen Saver" setting is disabled, this setting is ignored, and screen savers do not run."
ScreenSaverFilename="Screen Saver executable name"
ScreenSaverIsSecure_Help="Determines whether screen savers used on the computer are password protected.\n\nIf you enable this setting, all screen savers are password protected. If you disable this setting, password protection cannot be set on any screen saver.\n\nThis setting also disables the "Password protected" check box on the Screen Saver tab in Display in Control Panel, preventing users from changing the password protection setting.\n\nIf you do not configure this setting, users can choose whether or not to set password protection on each screen saver.\n\nTo ensure that a computer will be password protected, also enable the "Screen Saver" setting and specify a timeout via the "Screen Saver timeout" setting.\n\nNote: To remove the Screen Saver tab, use the "Hide Screen Saver tab" setting."
ScreenSaverIsSecure="Password protect the screen saver"
ScreenSaverTimeOut="Screen Saver timeout"
ScreenSaverTimeOut_Tip1="Number of seconds to wait to enable the Screen Saver"
ScreenSaverTimeOutFreqSpin="Seconds:"
ScreenSaverTimeOut_Help="Specifies how much user idle time must elapse before the screen saver is launched.\n\nWhen configured, this idle time can be set from a minimum of 1 second to a maximum of 86,400 seconds, or 24 hours. If set to zero, the screen saver will not be started.\n\nThis setting has no effect under any of the following circumstances:\n\n - The setting is disabled or not configured.\n\n - The wait time is set to zero.\n\n - The "No screen saver" setting is enabled.\n\n - Neither the "Screen saver executable name" setting nor the Screen Saver tab of the client computer's Display Properties dialog box specifies a valid existing screensaver program on the client.\n\nWhen not configured, whatever wait time is set on the client through the Screen Saver tab of the Display Properties dialog box is used. The default is 15 minutes."
WinExitScr=Settings for WinExit screen saver
ForceLogoff=Force running applications to close
CountDownTimer=Warn before logoff
WarningTime=Seconds to warn before logoff:
DialogMessage=Display message before logoff
Message=Message:
DefaultMessage=You will be logged off. Press cancel to abort.
EnableRegistry=Enable WinExit registry keys
EnableRegistry_Help=When you registry keys are not working check out "HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows NT\ CurrentVersion\ IniFileMapping" (search google for docu on IniFileMapping). Adding an @ before "USR:Control Panel\Screen Saver.Logoff" helped. Might need a restart.
Blank=" "

; Online Help Strings
ADM_TITLE="Group Policy settings for Windows 2000, Windows XP, and the Windows Server 2003"
USER="User Configuration"
COMPUTER="Computer Configuration"
cOMPUTER_EXPLAIN="Contains settings that may only be used to configure Computers."
USER_EXPLAIN="Contains settings that may only be used to configure Users."
SUPPORTEDON="Requirements:"

Posted by: Yibing at October 2, 2008 06:05 PM

OK - so we've deployed this solution at my company and I've found some instances where the machine was actually logged off, and the Auto Logoff sequence executed anyway, causing the display to go a blank blue color showing nothing, and the input is unresponsive. End result is that the system has to be power cycled in order to be made available again.
Anyone else run into this situation? Any idea of a fix so that Auto Logoff doesn't try to log off a machine that is already logged off?

BMac 8^D

Posted by: Brian Mc at May 29, 2009 03:16 PM