No announcement yet.

How to force AD users logon time out

  • Filter
  • Time
  • Show
Clear All
new posts

  • How to force AD users logon time out

    I am having the problem that users stay logon on infinite, and I want them to be logged of automaticly after a certain time, lets say 4 hours of idle time.

    What is the problem with users who stayed logged on is that we provide a application through a website and IE keeps te password cached even when I close the browser, when another instance of IE is still open. So when a user hibernates of puts the machine to sleep the password is cachec indefinatly.
    And that is someting I want to prevent.

    In this case it is not an option to set time restriction on users logon, because of the way they work.


  • #2
    Re: How to force AD users logon time out

    sounds like you need to:
    a) configure the browsers via group policy to never cache passwords, under any circumstances


    b) configure a shorter life-span on the cookie for the actual application, making it force-logoff every session after 4 hours (or, 3 am for instance - that way they still log in at least once a day)


    c) develop your application to use single-signon technology.. that way they never need to sign in, or out, of the application.

    why do you need them logged out of the application out of interest?
    Please do show your appreciation to those who assist you by leaving Rep Point


    • #3
      Re: How to force AD users logon time out

      There's no built in mechanism to force a user to log out of a computer they're logged on to locally. The setting "Force logoff when logon hours expire" disconnects users from SMB resources they are connected to, it does not log them out of their local session.

      If the users were accessing this web application from a TS/RDS server then you could logthem off of their TS/RDS session after 4 hours of idle time. As such, you might consider deploying the web application as a TS/RDS RemoteApp in order to achieve your goal.


      • #4
        Re: How to force AD users logon time out

        This is what you need to do

        To disable AutoComplete via GPO you can try the following.

        1. Open GPMC.
        2. Edit the relevant GPO.
        3. Browse to User Configuration/Windows Settings/Interent Explorer Maintenance.
        4. Right click on this and select Preference Mode.
        4. Click on the Advanced option that appears.
        5. Double Click on Internet Settings.
        6. Click on AutoComplete.
        7. Untick Use AutoComplete for usernames and passwords on forms.

        This should do it but as i have not tested it myself i cannot guarantee that it does.

        Please ensure that you test this using a test bed prior to rolling it out into the wild as it may have adverse effects in IE that i do not know about.

        Again ensure this is tested prior to rollout.