Announcement

Collapse
No announcement yet.

Questions regarding locked accounts from inactivity

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Questions regarding locked accounts from inactivity

    What feature controls how long before a system locks the currently logged in profile due to inactivity? I am having issues, because I have a few users who constantly lock public workstations causing other users to not be able to use them.

    I want the system to log them off after inactivity, not lock. If this needs to go into the active directory forum, please move. Thanks.

  • #2
    Re: Questions regarding locked accounts from inactivity

    Seek and ye shall find:
    http://blog.case.edu/djc6/2005/03/09..._log_off_users

    You will need to deploy a particular screensaver (in the Server 2003 resource kit) and add the script given to Group Policy
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    Comment


    • #3
      Re: Questions regarding locked accounts from inactivity

      Originally posted by Ossian View Post
      Seek and ye shall find:


      You will need to deploy a particular screensaver (in the Server 2003 resource kit) and add the script given to Group Policy
      Thank you for trying, but I already did this. I installed winexit.scr to a dummy admin profile. I configured and tested it and then copied that to the default profile. But, I still have two users who's profiles are getting locked and can only be unlocked by administrator.

      The user knows her password, so it isn't like she is typing it in 15 times incorrectly. Out of fustration, I set login attempts to 15. I tested it when she was gone. I logged in as her, and let the profile sit for 20 minutes, which is what I set winexit.scr for. Still, her profile was locked after 20 minutes with no sign of logging itself off. Other profiles work, but not hers.

      Comment


      • #4
        Re: Questions regarding locked accounts from inactivity

        Sorry, my crystal ball must have been on the blink as I did not pick up anywhere in your post #1 that you had already tried deploying a solution and your problem is actually totally different to the question you ask "I want the system to log them off after inactivity, not lock"

        Have you specified Winexit.scr in your group policy, and have you added the .adm file as the link shows?
        Is winexit.scr definitely copied to the workstation?
        Have you deleted the user profile and tried with a new one?
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **

        Comment


        • #5
          Re: Questions regarding locked accounts from inactivity

          My apoligies for not mentioning that. I did follow all steps, but I have not deleted the default profile and tried setting it up again. I would like to add that my understanding of AD is poor, but I am learning. I think there was a problem with how I setup the group policy.

          Many users have their own person work station, but also use public work stations. I didn't want to apply the policy to a user, but instead wanted to apply it to only public computers. I added two publicly used computers to an OU called "Public Computers". I right clicked on that OU, used the drop down to select properties, then create a new group policy. From here I set the policies I wanted. But it doesn't appear that those changes are being applied. Is it because I am applying computer objects instead of user objects? I made of the the changes from the "Public Computers" to the default policy listed under the domain, and those changes did take affect.

          Comment


          • #6
            Re: Questions regarding locked accounts from inactivity

            Ah... more details that the crystal ball missed....
            Do us all a favour and give all the relevant information in one go so you get properly relevant answers!

            What OS are your DCs running (and what OS are the public computers)?

            Screen Saver is a USER setting in GPO so applying it to an OU containing the computers will not do any good. To make it work you need to use loopback processing. Read this for more info:
            http://support.microsoft.com/kb/231287
            Tom Jones
            MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
            PhD, MSc, FIAP, MIITT
            IT Trainer / Consultant
            Ossian Ltd
            Scotland

            ** Remember to give credit where credit is due and leave reputation points where appropriate **

            Comment


            • #7
              Re: Questions regarding locked accounts from inactivity

              Originally posted by Ossian View Post
              Ah... more details that the crystal ball missed....
              Do us all a favour and give all the relevant information in one go so you get properly relevant answers!

              What OS are your DCs running (and what OS are the public computers)?

              Screen Saver is a USER setting in GPO so applying it to an OU containing the computers will not do any good. To make it work you need to use loopback processing. Read this for more info:

              I am using windows server 2003 standard. All computers on this domain run Windows XP Professional. Again my apoligies for not being more descriptive. I will take more time to describe details in the future. I was hoping for a quick and easy fix such as a setting that would allow me to kick users off instead of a lockout, but it appears that there is no easy setting to be changed.

              I will take some time to read and understand the link you posted about loopback processing.

              Comment


              • #8
                Re: Questions regarding locked accounts from inactivity

                Oh, one interesting point. I did testing, with this login. I set the screen saver to activate after one minute. I waited one minute, and the screen saver logged the user out with no issues. So I set everything up correctly, or at least correctly enough that it will work if set to a low number. Then when I set it up for 25 minutes, it only works some of the time.


                This just seems so odd to me.

                Comment


                • #9
                  Re: Questions regarding locked accounts from inactivity

                  When you say "some of the time", do you mean different occasions for the same user/pc or differently for different users / pcs ?
                  Tom Jones
                  MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                  PhD, MSc, FIAP, MIITT
                  IT Trainer / Consultant
                  Ossian Ltd
                  Scotland

                  ** Remember to give credit where credit is due and leave reputation points where appropriate **

                  Comment


                  • #10
                    Re: Questions regarding locked accounts from inactivity

                    Originally posted by Ossian View Post
                    When you say "some of the time", do you mean different occasions for the same user/pc or differently for different users / pcs ?
                    Well I can't verify if it always locks the current user, so I probably shouldn't have said some of the time.

                    It works when I set the screen saver time limit to less that 15 minutes. Once the system locks the current user due to inactivity, winexit stops working. Can I change the amount of time before the system locks the current user. I could set it to 35 minutes, and then set the screen saver to log them off at 30 minutes.

                    Comment


                    • #11
                      Re: Questions regarding locked accounts from inactivity

                      Have you checked your power settings for anything kicking in between 15 and 30 minutes?
                      Tom Jones
                      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                      PhD, MSc, FIAP, MIITT
                      IT Trainer / Consultant
                      Ossian Ltd
                      Scotland

                      ** Remember to give credit where credit is due and leave reputation points where appropriate **

                      Comment


                      • #12
                        Re: Questions regarding locked accounts from inactivity

                        Originally posted by Ossian View Post
                        Have you checked your power settings for anything kicking in between 15 and 30 minutes?

                        Yep. When I setup the account that would become the default profile, I turned off all hibernation, sleep mode settings. Basically, only the monitor kicks off after 15, but everything else stays on.

                        I logged in as a domain user called tuser for test user. The default profile loaded everything correctly. The power settings are correct also. The registry permissions are correct also. I got pissed, and just set it to logoff at 14 minutes. This is working perfectly, on both machines. I just can;t figure out why it won't work after 15.

                        Comment

                        Working...
                        X