Announcement

Collapse
No announcement yet.

The End Session policy and all user accounts

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • The End Session policy and all user accounts

    Hi

    In Windows 8 Enterprise 64-bit, how come if I add a script to this policy "User Configuration ---> Windows Settings ---> Scripts (Logon/Logoff) ---> End Session", this script applies only to the current account, and not to all accounts?

    Thanks

    Bye
    balubeto

  • #2
    Re: The End Session policy and all user accounts

    Assuming this is a Local Policy script and not a domain GPO, there are multiple local policies:
    http://technet.microsoft.com/en-us/l.../cc731758.aspx

    Probably you have edited a user specific one rather than a more global one

    Thank you
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    Comment


    • #3
      Re: The End Session policy and all user accounts

      Originally posted by Ossian View Post
      Assuming this is a Local Policy script and not a domain GPO, there are multiple local policies:
      http://technet.microsoft.com/en-us/l.../cc731758.aspx

      Probably you have edited a user specific one rather than a more global one

      Thank you
      Instead, I should make sure that the execution of a command is performed each time that a work session of each user ends.

      By chance, there is a policy or a registry key to do this?

      Thanks

      Bye
      balubeto

      Comment


      • #4
        Re: The End Session policy and all user accounts

        Yes, there are local policies that apply to multiple users. Did you read the link I gave you -- it explains it all
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **

        Comment


        • #5
          Re: The End Session policy and all user accounts

          Originally posted by Ossian View Post
          Yes, there are local policies that apply to multiple users. Did you read the link I gave you -- it explains it all
          Sorry but, reading this article http://technet.microsoft.com/en-us/l.../cc753583.aspx , the policy mentioned is applied only to the current user and not to each user, as I would like. Right?

          Thanks

          Bye
          Last edited by balubeto; 27th May 2013, 11:18.
          balubeto

          Comment


          • #6
            Re: The End Session policy and all user accounts

            Please read the link I gave you in Post #2 (to save you scrolling up a few lines, it is http://technet.microsoft.com/en-us/l.../cc731758.aspx)

            The key part is:
            Multiple Local Group Policy is a collection of Local Group Policy objects (LGPOs) designed to provide improved management for computers that are not part of a domain. This collection consists of the following LGPOs:
            • Local Computer Policy . This LGPO applies policy settings to the computer and any users logging on to the computer. This is the same LGPO that was included in earlier versions of Microsoft Windows.
            • Administrators Local Group Policy . This LGPO applies user policy settings to members of the Administrators group.
            • Non-Administrators Local Group Policy . This LGPO applies user policy settings to users who are not included in the Administrators group.
            • User-Specific Local Group Policy . This LGPO applies user policy settings to a specific local user.


            I don't know where you got your link from, but the method to apply the script can be applied to any of the four types of policy.
            Last edited by Ossian; 27th May 2013, 11:23.
            Tom Jones
            MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
            PhD, MSc, FIAP, MIITT
            IT Trainer / Consultant
            Ossian Ltd
            Scotland

            ** Remember to give credit where credit is due and leave reputation points where appropriate **

            Comment


            • #7
              Re: The End Session policy and all user accounts

              Originally posted by Ossian View Post
              Please read the link I gave you in Post #2 (to save you scrolling up a few lines, it is http://technet.microsoft.com/en-us/l.../cc731758.aspx)

              The key part is:[/LIST]
              I don't know where you got your link from, but the method to apply the script can be applied to any of the four types of policy.
              I have applied the article cited above but, unfortunately, the "End Session" policy still applies only to the current account.

              In Windows 8 Enterprise 64-bit, I have applied the "End Session" policy and it writes on the registry:

              Code:
              Windows Registry Editor Version 5.00
              [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff]
              [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff\0]
              "GPO-ID"="LocalGPO"
              "SOM-ID"="Local"
              "FileSysPath"="C:\\Windows\\System32\\GroupPolicy\\User"
              "DisplayName"="Criteri gruppo locale"
              "GPOName"="Criteri gruppo locale"
              "PSScriptOrder"=dword:00000001
              [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff\0\0]
              "Script"="C:\\Windows\\System32\\reg.exe"
              "Parameters"="add HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\LogonUI\\UserSwitch /v Enabled /t REG_DWORD /d 1 /f"
              "IsPowershell"=dword:00000000
              "ExecTime"=hex(b):00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-3137485388-3153590309-3382964295-1001\Scripts\Logoff]
              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-3137485388-3153590309-3382964295-1001\Scripts\Logoff\0]
              "GPO-ID"="LocalGPO"
              "SOM-ID"="Local"
              "FileSysPath"="C:\\Windows\\System32\\GroupPolicy\\User"
              "DisplayName"="Criteri gruppo locale"
              "GPOName"="Criteri gruppo locale"
              "PSScriptOrder"=dword:00000001
              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-3137485388-3153590309-3382964295-1001\Scripts\Logoff\0\0]
              "Script"="C:\\Windows\\System32\\reg.exe"
              "Parameters"="add HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\LogonUI\\UserSwitch /v Enabled /t REG_DWORD /d 1 /f"
              "ExecTime"=hex(b):dd,07,05,00,01,00,1b,00,11,00,03,00,18,00,d2,00
              "ErrorCode"=dword:00000000
              [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-3137485388-3153590309-3382964295-1001\Scripts\Logoff]
              [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-3137485388-3153590309-3382964295-1001\Scripts\Logoff\0]
              "GPO-ID"="LocalGPO"
              "SOM-ID"="Local"
              "FileSysPath"="C:\\Windows\\System32\\GroupPolicy\\User"
              "DisplayName"="Criteri gruppo locale"
              "GPOName"="Criteri gruppo locale"
              "PSScriptOrder"=dword:00000001
              [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-3137485388-3153590309-3382964295-1001\Scripts\Logoff\0\0]
              "Script"="C:\\Windows\\System32\\reg.exe"
              "Parameters"="add HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\LogonUI\\UserSwitch /v Enabled /t REG_DWORD /d 1 /f"
              "ExecTime"=hex(b):dd,07,05,00,01,00,1b,00,11,00,03,00,18,00,d2,00
              "ErrorCode"=dword:00000000
              [HKEY_USERS\S-1-5-21-3137485388-3153590309-3382964295-1001\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff]
              [HKEY_USERS\S-1-5-21-3137485388-3153590309-3382964295-1001\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff\0]
              "GPO-ID"="LocalGPO"
              "SOM-ID"="Local"
              "FileSysPath"="C:\\Windows\\System32\\GroupPolicy\\User"
              "DisplayName"="Criteri gruppo locale"
              "GPOName"="Criteri gruppo locale"
              "PSScriptOrder"=dword:00000001
              [HKEY_USERS\S-1-5-21-3137485388-3153590309-3382964295-1001\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff\0\0]
              "Script"="C:\\Windows\\System32\\reg.exe"
              "Parameters"="add HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\LogonUI\\UserSwitch /v Enabled /t REG_DWORD /d 1 /f"
              "IsPowershell"=dword:00000000
              "ExecTime"=hex(b):00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

              Now, as I should do so that these keys are automatically applied to each user of the system and to each edition of Windows 8.

              By chance, is there some other trick to do this?

              Thanks

              Bye
              balubeto

              Comment


              • #8
                Re: The End Session policy and all user accounts

                So, someone had a brilliant idea to solve this?

                Thanks

                Bye
                balubeto

                Comment


                • #9
                  Re: The End Session policy and all user accounts

                  Originally posted by balubeto View Post
                  I have applied the article cited above but, unfortunately, the "End Session"-logoff script policy still applies only to the current account.
                  This "current" user is probably member of the administrators local group? unlike the other accounts who're logging in and off.
                  Did you disabled UAC btw??


                  Regular user do not have permissions to edit the "..\Group policy\" keys under HKCU. And regular users do also not have permissions to edit any key under HKLM.

                  Therefore i.e. this user 'logof script':
                  "Script"="C:\\Windows\\System32\\reg.exe"
                  "Parameters"="add HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\ CurrentVersion\\Authentication\\LogonUI\\ UserSwitch /v Enabled /t REG_DWORD /d 1 /f"
                  will never work.



                  balubeto - You have started several threads in this forum of which each begins as a new topic but eventualy after, sometimes difficult, discussions ends all with one and the same solution. I start to wonder why you bother us with hypothetical questions in new topics and not just posting your real question/goal and stick with that one until you've gotten the answer?

                  similar threads;


                  /Rems
                  Last edited by Rems; 5th June 2013, 22:26.

                  This posting is provided "AS IS" with no warranties, and confers no rights.

                  __________________

                  ** Remember to give credit where credit's due **
                  and leave Reputation Points for meaningful posts

                  Comment


                  • #10
                    Re: The End Session policy and all user accounts

                    Originally posted by balubeto View Post
                    Hi

                    In Windows 8 Enterprise 64-bit, how come if I add a script to this policy "User Configuration ---> Windows Settings ---> Scripts (Logon/Logoff) ---> End Session", this script applies only to the current account, and not to all accounts?

                    Thanks

                    Bye

                    That is correct that it only applies to the current user. Think about it like a machine.....you told it to run a logoff/logon script but not everyone logs in at once so you only apply this script to the user that did log in. The "machine" is doing exactly what you asked. Now if you made this a STARTUP/Shutdown script then that would affect the computer and possibly all users depending on what your script does.

                    Comment

                    Working...
                    X