fortypoundhead.com

Logoff User After Idle

Posted On 2017-09-27 by dwirch

Recently, there was a request for our team to implement a new security requirement for workstations. Specifically, if a user remains logged in, but is idle for a specific period of time, that user should be logged out.

After consulting the interwebs for a few minutes, all I could find were hacky solutions using VBScript, PowerShell, Task Scheduler, or screensavers that may or may not work. I don't need weird, chained-together items. I just need something that works.

Concept

So, I cracked open my favorite Rapid Application Development (RAD) environment, and built something that fits the bill.  I had a few requirements, though.

  • No installation - I don't need a setup program, which makes deployment and update just a bit easier.
  • No dependencies - Deploying this program to any version of Windows should just work. No support libraries needed, not even .NET.
  • No interface - The program should run transparently to the user.
  • Configurable idle time -  Default to five minutes (300 seconds), but accept any number of seconds.

The program that I've put together meets all the criteria above. By utilizing API calls that are standard across the Windows product line, the program will run anywhere. Heck, it might even work in WINE, but I haven't tried it.

Further, no DLLs or other extras need to be distributed with it. No registering of random DLLs or any of that.

Usage

As mentioned, the program runs without dependencies. All you need to do is drop it into a folder on a target machine. Or you could run it from a network share (it's small!), but I would recommend against that.

Next, you need to make sure the program runs at user logon. There are multiple ways to do this, but I've used Group Policy Objects (GPO) to get this done. In your Group Policy Management console, look for:

User Configuration \ Policies \ Administrative Templates \ System \ Logon \ Run these programs at user logon

In the configuration of that policy, I've given the full path and filename for the executable, as it sits on the target system, like so:

c:\spdistro\scripts\SystemIdleCheck.exe 3600

You'll notice that in the example, I've configured the only command switch for the program. This switch is the idle time, in seconds. The example shows a value of 3600 seconds, or one hour. If no value is specified, a default value of 300 seconds (five minutes) is used.

Once again, there is no interface for the app, not even in the tray. The only indicator is the presence of the executable in Task Manager.
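The behaviour described above (one optional idle-time switch, a 300-second default, a forced logoff) can be built on standard Win32 calls. The following is an added example, not the source of SystemIdleCheck.exe; the function names, the five-second poll interval, and the choice of GetLastInputInfo and ExitWindowsEx are assumptions of this example.

```c
/* Added example: idle logoff on Win32; not the source of SystemIdleCheck.exe. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

#define DEFAULT_IDLE_SECONDS 300u   /* the page's default: five minutes */

/* Idle limit in seconds from the single command-line switch. Falls back to
   the default when the switch is absent, non-numeric, zero, or too large. */
uint32_t parse_idle_limit(int argc, char **argv)
{
    if (argc < 2 || argv[1][0] < '0' || argv[1][0] > '9')
        return DEFAULT_IDLE_SECONDS;
    char *end = NULL;
    errno = 0;
    unsigned long v = strtoul(argv[1], &end, 10);
    if (errno != 0 || *end != '\0' || v == 0 || v > UINT32_MAX / 1000u)
        return DEFAULT_IDLE_SECONDS;
    return (uint32_t)v;
}

/* Milliseconds since the last input. GetTickCount() and LASTINPUTINFO.dwTime
   are 32-bit tick counts that wrap after about 49.7 days; unsigned
   subtraction stays correct across the wrap. */
uint32_t idle_ms(uint32_t now_ticks, uint32_t last_input_ticks)
{
    return now_ticks - last_input_ticks;
}

int idle_limit_reached(uint32_t now, uint32_t last_input, uint32_t limit_s)
{
    return idle_ms(now, last_input) >= limit_s * 1000u;
}

#ifdef _WIN32
#include <windows.h>
int main(int argc, char **argv)
{
    uint32_t limit_s = parse_idle_limit(argc, argv);
    for (;;) {
        LASTINPUTINFO lii = { sizeof(lii), 0 };
        if (GetLastInputInfo(&lii) &&
            idle_limit_reached(GetTickCount(), lii.dwTime, limit_s)) {
            /* Forced logoff: unsaved work in the session is lost. */
            ExitWindowsEx(EWX_LOGOFF | EWX_FORCE, SHTDN_REASON_FLAG_PLANNED);
            return 0;
        }
        Sleep(5000);   /* poll interval (assumption of this example) */
    }
}
#endif
```

Building for the Windows GUI subsystem (for example with MinGW's -mwindows) keeps a console window from appearing, which matches the "no interface" requirement.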

Warning

This program will forcefully log off the currently logged on user. It is possible for the user to lose anything they were working on that was not saved.

You have been warned.  Neither I nor anyone affiliated with this site is responsible for the use or misuse of this software.  It is provided free of charge, and there are no requirements for payment of any kind.

To Do

The only thing I have to add at the moment is logging. I'll be adding the capability of logging to the Windows event log. By using the event log, a standard central log aggregation service like Splunk or SCOM will be able to pick up on the idle logoff events, for audit purposes.

If anyone has any other ideas for things to add, I'm all ears.



Comments On This Post

By: AnonymousCoward
Date: 2017-12-08

This is perfect. Is the code available, or could you create one that switches users instead of logging out, so that the work is not lost?

By: dwirch
Date: 2017-12-09

Sorry - the source is not available. I might be able to manage locking the workstation, but why wouldn't you simply enforce a screensaver at that point?

By: AnonymousCoward
Date: 2017-12-16

This sounds perfect, thanks - it's crazy this still isn't baked into the OS. How can I get this to apply to specific users or groups (i.e. users, not admins)?

By: dwirch
Date: 2017-12-16

GPO for the win. Turn it on for Domain Users, then farther down in your GPO turn it off for admins (Domain Admins, Server Operators, etc.)

