Force Logoff Users after Inactivity using Active Directory Group Policy
In an organization with many user accounts, some users might forget to log off from the server, and some may remain logged in long after their work has been completed. Besides the security benefit, administrators also need to force inactive users to log off for maintenance purposes. In addition, staying logged in for an extended period increases the consumption of power, CPU cycles, and memory, which in turn affects system performance. To avoid these issues, administrators have to automatically log off users when the logon time expires.
Using Group Policy to Force Logoff Users
To force users to log off after specific logon hours or after inactivity, Active Directory Group Policy Objects (GPOs) can be used. The relevant policy is Network security: Force logoff when logon hours expire.
Network security: Force logoff when logon hours expire
This policy can be configured to force users to log off after their logon hours expire. It determines whether users who are logged in to the local computer outside their valid logon hours are disconnected, and it affects the Server Message Block (SMB) component. When this policy is enabled, client sessions with the SMB server are forcibly disconnected when the valid logon hours expire. When this policy is disabled, client sessions continue even after the client’s logon hours expire. By enabling this policy, the administrator can make sure that the user cannot log in to the system until their next valid access time. To be enforced on domain accounts, the policy must be enabled in the Default Domain Policy GPO for the domain. A user can be forcibly logged off using this policy by following the steps given below.
Setting User Logon Hours
The first step in configuring the policy mentioned above is to set the permitted logon hours for individual users. This can be done by following the steps given below.
- Open Active Directory Users and Computers (ADUC).
- Navigate to the user account for which the logon hours need to be restricted.
- Right-click on the desired user account and select the Properties option.
- In the Properties dialog box, under the Account tab, click on Logon Hours.
- In the Logon Hours window, select the time duration for which logon is permitted and select the Logon denied option. The permitted hours are represented in blue and the restricted hours are represented in white.
Group Policy to Force Logoff Users after Logon Hours
After the permitted logon hours have been set for a user, the next step is to configure the group policy to disconnect users after their logon hours have expired. This can be done by following the steps given below.
- Open the Group Policy Management Console (GPMC).
- Right-click on Group Policy Objects and select the New option.
- Enter an appropriate name for the new group policy (For example, Force Logoff) and click OK. Select the new GPO and add or remove users in the Security Filtering section.
- Right-click on the GPO and click Edit.
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
- From the right pane of the console, select the Network security: Force logoff when logon hours expire policy.
- In the Security Policy Setting tab, select the Define this policy setting checkbox. Select the Enabled option and click OK.
Thus the users who are logged in after their valid logon hours will be disconnected from their sessions with the SMB server. As a result, users are automatically logged off when their logon time expires.
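The Logon Hours grid from the Setting User Logon Hours steps is stored in the user's logonHours attribute, so the same restriction can be scripted and reviewed. The following is an added example, not part of the original article: it builds the attribute value for Monday to Friday, 08:00 to 18:00, decodes it again for review, and previews applying it. The function names and the account jdoe are placeholders, and a whole-hour UTC offset is assumed.

```powershell
# Added example, not from the original article. 'jdoe' is a placeholder account.
# logonHours is 21 bytes: 168 bits, one per hour of the week, starting Sunday
# 00:00 UTC, least-significant bit first. A set bit means logon is permitted.
function New-LogonHoursBytes {
    param(
        [DayOfWeek[]]$Days = @('Monday','Tuesday','Wednesday','Thursday','Friday'),
        [ValidateRange(0,23)][int]$StartHour = 8,    # first permitted hour (local)
        [ValidateRange(1,24)][int]$EndHour = 18,     # first denied hour (local)
        # Assumption: whole-hour UTC offset, daylight saving time not tracked.
        [int]$UtcOffsetHours = ([int][TimeZoneInfo]::Local.BaseUtcOffset.TotalHours)
    )
    $bytes = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            # Local hour-of-week shifted to UTC, wrapped around the 168-hour week.
            $slot  = ((([int]$day * 24 + $h - $UtcOffsetHours) % 168) + 168) % 168
            $index = [int][math]::Floor($slot / 8)
            $bytes[$index] = $bytes[$index] -bor (1 -shl ($slot % 8))
        }
    }
    return ,$bytes
}

# Decode a logonHours value back into permitted UTC hours per day, for review.
function ConvertFrom-LogonHoursBytes {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    foreach ($d in 0..6) {
        $allowed = foreach ($h in 0..23) {
            $slot = $d * 24 + $h
            if ($Bytes[[int][math]::Floor($slot / 8)] -band (1 -shl ($slot % 8))) { $h }
        }
        [pscustomobject]@{ Day = [DayOfWeek]$d; PermittedUtcHours = $allowed -join ',' }
    }
}

$hours = New-LogonHoursBytes -UtcOffsetHours 0   # constructed input: site on UTC
ConvertFrom-LogonHoursBytes -Bytes $hours | Format-Table -AutoSize

# On a host with the ActiveDirectory module: preview the write, show current value.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    # -WhatIf previews the change; remove it to write the attribute.
    Set-ADUser -Identity 'jdoe' -Replace @{ logonHours = [byte[]]$hours } -WhatIf
    $current = (Get-ADUser -Identity 'jdoe' -Properties logonHours).logonHours
    # An empty logonHours attribute means the account has no hour restriction.
    if ($current) { ConvertFrom-LogonHoursBytes -Bytes $current | Format-Table -AutoSize }
}
```

Because the attribute is stored in UTC, the hours shown by the decoder differ from the local-time grid in ADUC by the site's UTC offset.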