Lithnet.IdleLogoff – Log off users after periods of inactivity (with group policy support)

At the University I work for, we recently had an opportunity to redesign our student lab workstation environment from scratch. One of the seemingly simple requirements we had was to ensure that after a certain period of inactivity, users were logged off the machines. Sounds simple, right?
Microsoft have a KB article that suggests a method to do this, but it’s not the best solution. It uses a screen saver as the timing mechanism, and starts a count-down timer in the background. If the user returns to the computer, they need to click a ‘cancel’ button that appears to stop them from being booted out. Not a very good user experience.
We couldn't find anything that did what we wanted: something that would sit in the background, unobtrusively, and just log a user out after a predetermined amount of time. Oh, and it would be nice to be able to change that amount of time easily if needed. Oh, and it would also be nice to disable the auto-logout completely if needed. And if it's not asking too much, we want to be able to manage all this centrally.
So putting the screen saver idea aside, it sounded like it was time to develop a small app to do what we needed to. Lithnet.IdleLogoff was born…
As you can see, it is a really simple app, with only a few options for either enabling or disabling the agent and then setting the idle period. The app simply queries the relevant Windows API for the time since the user last interacted with the computer, and calls the logoff function after the specified period has elapsed. The power of this application comes from the fact you can either configure it locally, or manage it centrally via group policy.
The ADMX files are included in the installer. If you enable the setting, then the agent will be activated and log users off at the time you specify. If you disable the setting, then the agent will be disabled and will not log users off automatically. If you leave it as ‘not configured’, then whatever the local administrator of the PC has manually configured will take effect. Group policy will always override whatever you set locally.
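The idle check and the precedence rule described above, sketched in C# as an added example (this is not the Lithnet source). It assumes the "relevant Windows API" is GetLastInputInfo and that the logoff goes through ExitWindowsEx with the force flag mentioned in the comments below; the policy and local values are hypothetical placeholders, not the tool's real settings store.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Threading;

static class IdleLogoffSketch
{
    [StructLayout(LayoutKind.Sequential)]
    struct LASTINPUTINFO { public uint cbSize; public uint dwTime; }

    [DllImport("user32.dll")]
    static extern bool GetLastInputInfo(ref LASTINPUTINFO plii);

    [DllImport("user32.dll", SetLastError = true)]
    static extern bool ExitWindowsEx(uint uFlags, uint dwReason);

    const uint EWX_LOGOFF = 0x0, EWX_FORCE = 0x4;

    // Tri-state policy: null means "not configured", so the local value applies.
    // When the policy is set either way, it always wins over the local setting.
    static bool Resolve(bool? policyEnabled, bool localEnabled) =>
        policyEnabled ?? localEnabled;

    // Milliseconds since the last keyboard or mouse input in this session.
    // Unsigned subtraction stays correct when the 32-bit tick counter wraps
    // (about every 49.7 days of uptime).
    static uint IdleMilliseconds()
    {
        var info = new LASTINPUTINFO { cbSize = (uint)Marshal.SizeOf(typeof(LASTINPUTINFO)) };
        if (!GetLastInputInfo(ref info)) return 0;   // fail safe: treat as active
        return unchecked((uint)Environment.TickCount - info.dwTime);
    }

    static void Main()
    {
        bool? policyEnabled = null;     // hypothetical: value delivered by group policy
        bool localEnabled = true;       // hypothetical: value set locally in the GUI
        uint limitMs = 30 * 60 * 1000;  // hypothetical 30-minute idle limit

        if (!Resolve(policyEnabled, localEnabled)) return;   // agent disabled

        while (IdleMilliseconds() < limitMs)
            Thread.Sleep(TimeSpan.FromSeconds(15));

        // EWX_FORCE closes applications without waiting for them; unsaved work is lost.
        ExitWindowsEx(EWX_LOGOFF | EWX_FORCE, 0);
    }
}
```

GetLastInputInfo reports input only for the session that calls it, so a loop like this has to run inside the interactive user's session rather than as a service.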
To get started with the tool, install it and navigate to %ProgramFiles%\Lithnet\Lithnet.IdleLogoff, and run lithnet.idlelogoff.exe. This will launch the GUI to allow you to enable the agent, and configure the idle timeout. Alternatively, if you are configuring via group policy, then no further action is needed. Log off the workstation, and the next user to login will be subject to your idle logoff policy.
That’s it! No screen savers, message boxes, countdowns, beeps or other annoyances. Unobtrusive, simple, and centrally managed – my three requirements for anything that interacts with our managed desktops.

Download the latest version

Change log

Date Version Details
29/01/2012 1.0.4411 Initial release
25/11/2014 1.0.5442 Updated to provide support for user-based GPO settings
11/07/2016 1.1.6016 New combined installer for application and GPO extensions and built on .NET Framework 4.5.2

Comments

Unknown said…
Can the methods used here be converted to an .adm file to work with WS2003 and XP clients? I have the need to apply such policies to fully utilize a log off script that I have in place to delete user profiles on log off.
Ryan Newington said…
Hi Dwayne,

We do use the tool on a (mostly) Windows XP fleet. ADMX files are only used when editing a GPO, they are not used in the application of the GPO settings to a workstation.

If you install the group policy console (part of RSAT) on a Windows 7/Server 2008 machine, just copy the ADMX to the %systemroot%\policyDefinitions folder on the machine as per the instructions in the link in the post, and you will be able to create and edit the policy.
Unknown said…
What I wanted to do was import it as a template similar to what I did some time ago in importing the .adm file that is provided with MS Steady State. All the policy options were imported to administrative templates allowing me to push them out to the client machines. Using Windows 2003 Server R2.
Ryan Newington said…
Hi Dwayne,

The process is the same, but you will need to use the GP management console on a Windows 7/Server 2008 R2 machine to import the ADMX and edit the policy settings. Unfortunately it cannot be edited with the GP console on Windows XP/Server 2003.

The policy will apply to those operating systems, it just can't be edited with them.

Ryan
Unknown said…
Oh I see. Well thanks for the feedback
Anonymous said…
We are a non-profit with a computer room filled with shared workstations. Users not logging off has been a problem we have struggled with for a while now. Your solution works! Good work, you are the man!
J.D said…
Hello,
I just tried this configuration locally and with Group Policy; I have imported the admx file to the central store.
I was able to edit the GPO to enable it with a 30 minute log off, but this will not work locally or with GPO.

All my clients are Win7, any suggestions?
Anonymous said…
Thanks! This thread is a few years old but the program and GPO works beautifully. Thanks for sharing!
GB said…
Hey there, thanks for this. I'm struggling to get it to work, though.
I deployed it via GPO. The software gets deployed but after the 3 minute timeout that I specified, nothing happens.
Do you have any idea what the issue may be or how I can troubleshoot?
Thanks!
Anonymous said…
Where is licensing information for this software? Is anyone free to use this?
Ryan Newington said…
Free for all to use.
udemfacadmin said…
This comment has been removed by the author.
udemfacadmin said…
Where exactly do I find the admx file? All I see on the download page is the msi installer. I've also checked the program folder after installing and there is no file in there. Thanks!
Ryan Newington said…
Hi @udemfacadmin,

The ADMX file is installed at C:\Windows\PolicyDefinitions. Ensure you grab the ADML file in the en-US folder as well if you are copying it to a central store.

Ryan
udemfacadmin said…
This comment has been removed by the author.
udemfacadmin said…
Please disregard my last comment. I apparently had not logged off after doing the initial configuration. This is now functioning! Awesome!
Ryan Newington said…
Glad it's working. We still use it today with Windows 10, so it's fully supported on all current Windows operating systems.
Unknown said…
Will it log out if the computer is locked by the user?
Unknown said…
Will it log out a locked user session ?
Ryan Newington said…
Hi Ghislain,

You'll need to test this scenario. From memory, I think it does, but we use it in combination with another group policy that prevents the workstation from being locked in the first place.

Ryan
Unknown said…
Ghislain: I can confirm that it DOES logoff, even if the station is locked (and this of course is intended in our environment).
Unknown said…
Ghislain: I can confirm that it DOES still logoff the user(s), even if the station is locked (and this of course is intended in our environment).
Ryan Newington said…
Thanks for confirming John!
Unknown said…
Hello
My question is, if the station is locked and the station is installing Windows Updates. What will happen if the time configured is reached: a) It will logoff the user b) It won't take any action since it is not 'idle' because it is installing updates.

Thanks

Unknown said…
Is there a way to potentially modify this to add additional options to allow for a message to pop up indicating that they will be logged off? I know this goes against what the initial use was when written, but in my company we have conference rooms, demo rooms, and phone booths all over. The issue is many log on and don't log off when done. This fixes that issue. However, people in Webex calls who are not giving any mouse or keyboard input within 30 minutes are having issues with the computer suddenly logging out. There is no warning. For these one-off instances I would like to find another way to warn users, but without paid solutions we have come up blank. Thanks!!
Ryan Newington said…
Hi Mark,

I've created a feature request for this over on github for you to keep track of
https://github.com/lithnet/idle-logoff/issues/1

Ryan
Ryan Newington said…
Mark,

I've actually modified the app to not log people off during a video conference. Have a look and see if this meets your needs. https://github.com/lithnet/idle-logoff/releases/tag/v1.1.6412

Follow up with me on github and let me know your thoughts.

Ryan
Unknown said…
Hello, We have implemented it in our environment, but I have the following question:
I have set another GPO (User Configuration/Windows Settings/Scripts/Logoff... running a shutdown -r -t 0) in order to reboot the PC each time there is a logoff (working ok), but when your application triggers a logoff, the GPO that should reboot the computer does nothing. Do you have any idea why your application is not detected by this setting as an actual logoff?

Thanks!
Ryan Newington said…
It may be because the 'force' option is used to close the session in the call to log off. To confirm this is the case, use the following command line to log a user off

shutdown -l -t 0

then try this one

shutdown -l -t 0 -f

The -f simulates the force flag used in the API call to log the user off. If your restart script doesn't trigger when logging off using the command line with -f, then it's likely Windows isn't allowing your instance of shutdown to start, because it knows the user is logging off.

If you need this functionality, I can probably build it natively into this tool. Raise a new issue requesting the feature over on the GitHub site. It's not that easy to converse and test in these comments.

Ryan
Unknown said…
Hi Ryan,

Love the program! We needed this as part of an audit we're going through to tighten up our network. It's working great on Windows 10, however I've tested 3 Windows 7 machines (both 32 and 64-bit) and I'm getting the following error when it's triggered to log off. Do you have any insight as to what might be causing it.

See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
System.NullReferenceException: Object reference not set to an instance of an object.
at Lithnet.idlelogoff.Settings.get_Debug()
at Lithnet.idlelogoff.Program.EventTimer_Tick(Object sender, EventArgs e)
at System.Windows.Forms.Timer.TimerNativeWindow.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)


************** Loaded Assemblies **************
mscorlib
Assembly Version: 4.0.0.0
Win32 Version: 4.0.30319.34209 built by: FX452RTMGDR
CodeBase: file:///C:/Windows/Microsoft.NET/Framework64/v4.0.30319/mscorlib.dll
----------------------------------------
lithnet.idlelogoff
Assembly Version: 1.1.6412.29452
Win32 Version: 1.1.6412.29452
CodeBase: file:///C:/Program%20Files%20(x86)/Lithnet/IdleLogoff/Lithnet.IdleLogoff.exe
----------------------------------------
Ryan Newington said…
Hi Matt,

1.1.6412 was a bad build. Try the latest release from here https://github.com/lithnet/idle-logoff/releases/tag/v1.1.6439

Sorry for the inconvenience caused on this one

Ryan
Anonymous said…
Hi Matt,

I was wondering if there was some way of having this run a file instead of logging out. e.g. When the idle time is reached, it runs a vbs script to inform the client it is logging out? Is there some way of changing this?

Thanks so much,
sb