Lithnet.IdleLogoff – Log off users after periods of inactivity (with group policy support)
At the University I work for, we recently had an opportunity to redesign our student lab workstation environment from scratch. One of the seemingly simple requirements we had was to ensure that after a certain period of inactivity, users were logged off the machines. Sounds simple right?
Microsoft have a KB article that suggests a method to do this, but it’s not the best solution. It uses a screen saver as the timing mechanism, and starts a count-down timer in the background. If the user returns to the computer, they need to click a ‘cancel’ button that appears to stop them from being booted out. Not a very good user experience.
We couldn't find anything that did what we wanted. Something that would sit in the background, unobtrusively, and just log a user out after a predetermined amount of time. Oh, and it would be nice to control that amount of time if needed rather easily. Oh, and it would also be nice to disable the auto-logout completely if needed. And if its not asking too much, we want to be able to manage all this centrally.
So putting the screen saver idea aside, it sounded like it was time to develop a small app to do what we needed to. Lithnet.IdleLogoff was born…
As you can see, it is a really simple app, with only a few options for either enabling or disabling the agent and then setting the idle period. The app simply queries the relevant Windows API for the time since the user last interacted with the computer, and calls the logoff function after the specified period has elapsed. The power of this application comes from the fact you can either configure it locally, or manage it centrally via group policy.
The ADMX files are included in the installer. If you enable the setting, then the agent will be activated and log users off at the time you specify. If you disable the setting, then the agent will be disabled and will not log users off automatically. If you leave it as ‘not configured’, then whatever the local administrator of the PC has manually configured will take effect. Group policy will always override whatever you set locally.
To get started with the tool, install it and navigate to %ProgramFiles%\Lithnet\Lithnet.IdleLogoff, and run lithnet.idlelogoff.exe. This will launch the GUI to allow you to enable the agent, and configure the idle timeout. Alternatively, if you are configuring via group policy, then no further action is needed. Log off the workstation, and the next user to login will be subject to your idle logoff policy.
That’s it! No screen savers, message boxes, countdowns, beeps or other annoyances. Unobtrusive, simple, and centrally managed – my three requirements for anything that interacts with our managed desktops.
Download the latest version
Microsoft have a KB article that suggests a method to do this, but it’s not the best solution. It uses a screen saver as the timing mechanism, and starts a count-down timer in the background. If the user returns to the computer, they need to click a ‘cancel’ button that appears to stop them from being booted out. Not a very good user experience.
We couldn't find anything that did what we wanted. Something that would sit in the background, unobtrusively, and just log a user out after a predetermined amount of time. Oh, and it would be nice to control that amount of time if needed rather easily. Oh, and it would also be nice to disable the auto-logout completely if needed. And if its not asking too much, we want to be able to manage all this centrally.
So putting the screen saver idea aside, it sounded like it was time to develop a small app to do what we needed to. Lithnet.IdleLogoff was born…
As you can see, it is a really simple app, with only a few options for either enabling or disabling the agent and then setting the idle period. The app simply queries the relevant Windows API for the time since the user last interacted with the computer, and calls the logoff function after the specified period has elapsed. The power of this application comes from the fact you can either configure it locally, or manage it centrally via group policy.
The ADMX files are included in the installer. If you enable the setting, then the agent will be activated and log users off at the time you specify. If you disable the setting, then the agent will be disabled and will not log users off automatically. If you leave it as ‘not configured’, then whatever the local administrator of the PC has manually configured will take effect. Group policy will always override whatever you set locally.
To get started with the tool, install it and navigate to %ProgramFiles%\Lithnet\Lithnet.IdleLogoff, and run lithnet.idlelogoff.exe. This will launch the GUI to allow you to enable the agent, and configure the idle timeout. Alternatively, if you are configuring via group policy, then no further action is needed. Log off the workstation, and the next user to login will be subject to your idle logoff policy.
That’s it! No screen savers, message boxes, countdowns, beeps or other annoyances. Unobtrusive, simple, and centrally managed – my three requirements for anything that interacts with our managed desktops.
Download the latest version
Change log
Date | Version Details |
29/01/2012 | 1.0.4411 Initial release |
25/11/2014 | 1.0.5442 Updated to provide support for user-based GPO settings |
11/07/2016 | 1.1.6016 New combined installer for application and GPO extensions and built on .NET Framework 4.5.2 |
Comments
We do use the tool on a (mostly) Windows XP fleet. ADMX files are only used when editing a GPO, they are not used in the application of the GPO settings to a workstation.
If you install the group policy console (part of RSAT) on a Windows 7/Server 2008 machine, just copy the ADMX to the %systemroot%\policyDefinitions folder on the machine as per the instructions in the link in the post, and you will be able to create and edit the policy.
The process is the same, but you will need to use the GP management console a Windows 7/Server 2008 R2 machine to import the ADMX and edit the policy settings. Unfortunately it cannot be edited with the GP console on Windows XP/Server 2003.
The policy will apply to those operating systems, it just cant be edited with them.
Ryan
I just tried this configuration locally and with Group Policy, i have imported the admx file to the central store.
I was able to edit the GPO to enable it 30 minutes log off, but this will not work locally or with GPO.
All my clients are Win7, any suggestions?
I deployed it via GPO. The software gets deployed but after the 3 minute timeout that I specified, nothing happens.
Do you have any idea what the issue may be or how I can troubleshoot?
Thanks!
The ADMX file is installed at C:\Windows\PolicyDefinitions. Endure you grab the ADML file in the en-US folder as well if you are copying it to a central store.
Ryayyn
You'll need to test this scenario. From memory, I think it does, but we use it in combination with another group policy that prevents the workstation from being locked in the first place.
Ryan
My question is, if the station is locked and the station is installing Windows Updates. What will happen if the time configured is reached: a) It will logoff the user b) It won't take any action since it is not 'idle' because it is installing updates.
Thanks
I've created a feature request for this over on github for you to keep track of
https://github.com/lithnet/idle-logoff/issues/1
Ryan
I've actually modified the app to not log people off during a video conference. Have a look and see if this meets your needs. https://github.com/lithnet/idle-logoff/releases/tag/v1.1.6412
Follow up with me on github and let me know your thoughts.
Ryan
I have set another GPO ( User Configuration/Windows Settings/Scripts/Logoff... running a shutdown -r -t 0 ) in order to reboot the PC each time there is a logoff ( working ok ).. but when your application triggers a logoff the GPO that should reboot the computer do nothing. do you have any idea why your application is not detected by this setting as an actual logoff?
Thanks!
shutdown -l -t 0
then try this one
shutdown -l -t 0 -f
The -f simulates the force flag used in the API call to log the user off. If your restart script doesnt trigger when logging off using the command line with -f, then it's likely windows isn't allowing your instance of shutdown to start, because it knows the user is logging off.
If you need this functionality, I can probably built it natively into this tool. Raise a new issue requesting a feature request over on the github site. It's not that easy to converse and test in these comments.
Ryan
Love the program! We needed this as part of an audit we're going through to tighten up our network. It's working great on Windows 10, however I've tested 3 Windows 7 machines (both 32 and 64-bit) and I'm getting the following error when it's triggered to log off. Do you have any insight as to what might be causing it.
See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.
************** Exception Text **************
System.NullReferenceException: Object reference not set to an instance of an object.
at Lithnet.idlelogoff.Settings.get_Debug()
at Lithnet.idlelogoff.Program.EventTimer_Tick(Object sender, EventArgs e)
at System.Windows.Forms.Timer.TimerNativeWindow.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
************** Loaded Assemblies **************
mscorlib
Assembly Version: 4.0.0.0
Win32 Version: 4.0.30319.34209 built by: FX452RTMGDR
CodeBase: file:///C:/Windows/Microsoft.NET/Framework64/v4.0.30319/mscorlib.dll
----------------------------------------
lithnet.idlelogoff
Assembly Version: 1.1.6412.29452
Win32 Version: 1.1.6412.29452
CodeBase: file:///C:/Program%20Files%20(x86)/Lithnet/IdleLogoff/Lithnet.IdleLogoff.exe
----------------------------------------
System.Windows.Forms
Assembly Version: 4.0.0.0
Win32 Version: 4.0.30319.34209 built by: FX452RTMGDR
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Windows.Forms/v4.0_4.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
----------------------------------------
System
Assembly Version: 4.0.0.0
Win32 Version: 4.0.30319.34209 built by: FX452RTMGDR
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System/v4.0_4.0.0.0__b77a5c561934e089/System.dll
----------------------------------------
System.Drawing
Assembly Version: 4.0.0.0
Win32 Version: 4.0.30319.34209 built by: FX452RTMGDR
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Drawing/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
----------------------------------------
System.Configuration
Assembly Version: 4.0.0.0
Win32 Version: 4.0.30319.34209 built by: FX452RTMGDR
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Configuration/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Configuration.dll
----------------------------------------
System.Xml
Assembly Version: 4.0.0.0
Win32 Version: 4.0.30319.34209 built by: FX452RTMGDR
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Xml/v4.0_4.0.0.0__b77a5c561934e089/System.Xml.dll
----------------------------------------
Accessibility
Assembly Version: 4.0.0.0
Win32 Version: 4.0.30319.34209 built by: FX452RTMGDR
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/Accessibility/v4.0_4.0.0.0__b03f5f7f11d50a3a/Accessibility.dll
----------------------------------------
************** JIT Debugging **************
To enable just-in-time (JIT) debugging, the .config file for this
application or computer (machine.config) must have the
jitDebugging value set in the system.windows.forms section.
The application must also be compiled with debugging
enabled.
For example:
When JIT debugging is enabled, any unhandled exception
will be sent to the JIT debugger registered on the computer
rather than be handled by this dialog box.
1.1.6412 was a bad build. Try the latest release from here https://github.com/lithnet/idle-logoff/releases/tag/v1.1.6439
Sorry for the inconvenience caused on this one
Ryan
I was wondering if there was some way of having this run a file instead of logging out. e.g. When the idle time is reached, it runs a vbs script to inform the client it is logging out? Is there some way of changing this?
Thanks so much,
sb