Sunday, January 29, 2012

Lithnet.IdleLogoff – Log off users after periods of inactivity (with group policy support)

At the University I work for, we recently had an opportunity to redesign our student lab workstation environment from scratch. One of the seemingly simple requirements we had was to ensure that after a certain period of inactivity, users were logged off the machines. Sounds simple right?
Microsoft have a KB article that suggests a method to do this, but it’s not the best solution. It uses a screen saver as the timing mechanism, and starts a count-down timer in the background. If the user returns to the computer, they need to click a ‘cancel’ button that appears to stop them from being booted out. Not a very good user experience.
We couldn't find anything that did what we wanted. Something that would sit in the background, unobtrusively, and just log a user out after a predetermined amount of time. Oh, and it would be nice to control that amount of time if needed rather easily. Oh, and it would also be nice to disable the auto-logout completely if needed. And if its not asking too much, we want to be able to manage all this centrally.
So putting the screen saver idea aside, it sounded like it was time to develop a small app to do what we needed to. Lithnet.IdleLogoff was born…
image
As you can see, it is a really simple app, with only a few options for either enabling or disabling the agent and then setting the idle period. The app simply queries the relevant Windows API for the time since the user last interacted with the computer, and calls the logoff function after the specified period has elapsed. The power of this application comes from the fact you can either configure it locally, or manage it centrally via group policy.
image
The ADMX files are included in the installer. If you enable the setting, then the agent will be activated and log users off at the time you specify. If you disable the setting, then the agent will be disabled and will not log users off automatically. If you leave it as ‘not configured’, then whatever the local administrator of the PC has manually configured will take effect. Group policy will always override whatever you set locally.
To get started with the tool, install it and navigate to %ProgramFiles%\Lithnet\Lithnet.IdleLogoff, and run lithnet.idlelogoff.exe. This will launch the GUI to allow you to enable the agent, and configure the idle timeout. Alternatively, if you are configuring via group policy, then no further action is needed. Log off the workstation, and the next user to login will be subject to your idle logoff policy.
That’s it! No screen savers, message boxes, countdowns, beeps or other annoyances. Unobtrusive, simple, and centrally managed – my three requirements for anything that interacts with our managed desktops.

Download the latest version

Change log

Date Version Details
29/01/2012 1.0.4411 Initial release
25/11/2014 1.0.5442 Updated to provide support for user-based GPO settings
11/07/2016 1.1.6016 New combined installer for application and GPO extensions and built on .NET Framework 4.5.2

24 comments :

Dwayne Smith said...

Can the methods used here be converted to an .adm file to work with WS2003 and XP clients? I have the need to apply such policies to fully utilize a log off script that i have in place to delete user profiles on log off.

Ryan Newington said...

Hi Dwayne,

We do use the tool on a (mostly) Windows XP fleet. ADMX files are only used when editing a GPO, they are not used in the application of the GPO settings to a workstation.

If you install the group policy console (part of RSAT) on a Windows 7/Server 2008 machine, just copy the ADMX to the %systemroot%\policyDefinitions folder on the machine as per the instructions in the link in the post, and you will be able to create and edit the policy.

Dwayne Smith said...

What I wanted to do was import it as a template similar to what I did some time ago in importing the .adm file that is provided with MS Steady State. All the policy options were imported to administrative templates allowing me to push them out to the client machines. Using Windows 2003 Server R2.

Ryan Newington said...

Hi Dwayne,

The process is the same, but you will need to use the GP management console a Windows 7/Server 2008 R2 machine to import the ADMX and edit the policy settings. Unfortunately it cannot be edited with the GP console on Windows XP/Server 2003.

The policy will apply to those operating systems, it just cant be edited with them.

Ryan

Dwayne Smith said...

Oh I see. Well thanks for the feedback

Anonymous said...

We are a non-profit with computer room filled with shared workstations. Users not logging off has been a problem we have struggled with for a while now. Your solutions works! Good work, you are the man!

J.D said...

Hello,
I just tried this configuration locally and with Group Policy, i have imported the admx file to the central store.
I was able to edit the GPO to enable it 30 minutes log off, but this will not work locally or with GPO.

All my clients are Win7, any suggestions?

Anonymous said...

Thanks! This thread is a few years old but the program and GPO works beautifully. Thanks for sharing!

Anonymous said...

Where is licensing information for this software? Is anyone free to use this?

Ryan Newington said...

Free for all to use.

udemfacadmin said...
This comment has been removed by the author.
udemfacadmin said...

Where exactly do I find the admx file? All I see on the download page is the msi installer. I've also checked the program folder after installing and there is no file in there. Thanks!

Ryan Newington said...

Hi @udemfacadmin,

The ADMX file is installed at C:\Windows\PolicyDefinitions. Endure you grab the ADML file in the en-US folder as well if you are copying it to a central store.

Ryayyn

udemfacadmin said...
This comment has been removed by the author.
udemfacadmin said...

Please disregard my last comment. I apparently had not logged off after doing the initial configuration. This is now functionning! Awesome!

Ryan Newington said...

Glad its working. We will use it today with Windows 10, so its fully supported on all current Windows operating systems

Ghislain Gamache said...

Will it log out if the computer is locked by the user?

Ghislain Gamache said...

Will it log out a locked user session ?

Ryan Newington said...

Hi Ghislain,

You'll need to test this scenario. From memory, I think it does, but we use it in combination with another group policy that prevents the workstation from being locked in the first place.

Ryan

John Schuepbach said...

Ghislain: I can confirm that it DOES still logoff the user(s), even if the station is locked (and this of course is intended in our environment).

Ryan Newington said...

Thanks for confirming John!

Mike Guyette said...

Is there a way to potentially modify this to add additional options to allow for a message to pop indicating that they will be logged off? I know this goes against what the initial use was when written, but in my company we have conference rooms, demo rooms, and phone booths all over. The issue is many logon and dont logoff when done. This fixes that issue. However, for people in webex calls that are not giving any mouse or keyboard imput within 30 minutes are having issues with the computer suddenly logging out. There is no warning. For these one off instances I would like to find another way to warn users, but without paid solutions we have come up blank. Thanks!!

Ryan Newington said...

Hi Mark,

I've created a feature request for this over on github for you to keep track of
https://github.com/lithnet/idle-logoff/issues/1

Ryan

Ryan Newington said...

Mark,

I've actually modified the app to not log people off during a video conference. Have a look and see if this meets your needs. https://github.com/lithnet/idle-logoff/releases/tag/v1.1.6412

Follow up with me on github and let me know your thoughts.

Ryan