How to Logout of Domain_6

No quick and easy method for that.  There are methods to scan all of the workstations in a domain to see where they are logged in, but this can be a tedious method and take a long time to run.  What I do is I have a logon and logoff batch script that records where the users is logged in to a text file, then when I need to know where they are, I can go to that share and open username.txt, go to the end of the file and see where they are still logged in.

Logon script:

for /f “Tokens=2 Delims=[]” %%i in (‘ping -n 1 “%computername%”‘) do set IP=%%i
echo %username% logged ON %computername%, IP=%IP% @ %time% %date% >> \\servername\LogInAndOut$\%username%.txt

Logoff script:

echo %username% logged OFF %computername% @ %time% %date% >> \\servername\loginandout$\%username%.txt

Use the $ at the end of the sharename to specify that it is an administrative share – users will not be able to see the sharename just by browsing, useful since users will need read/write access to the folder.  Obviously this can be edited to suit your needs.  Then when you need to give someone the boot

shutdown -r -t 00 -m \\computername

to reboot the computer, or you can use (from the PSTools suite – http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx)

psshutdown -o \\computername

to just log them off.

Is this on a halte server?  I ask because it sounds like it when you say “log off their sessions” and since a normal “mapped” drive (for example) couldn’t care less how many times you’re logged in.

If so, go into the Terminal Services Configuration console, click on the connection tree and edit the RDP object.  Under the Sessions tab you can fully control login sessions.

I use Intelliadmin – the free version would work for what you want – check it out..

http://www.intelliadmin.com/Downloads.htm?Product=NetworkAdministrator

Not quite, the ki kesulitan is that this information is not stored centrally anywhere by default – which is why I use my logon/logoff scripts to record the information.  I have seen tools that scan all workstations to see where someone is logged in, but with 300 workstations you could imagine how long that would take.  That’s why I use the text files – I can just go open the file, scroll to the bottom and see the recent logon and logoff activity for that account, and if I need to I can log them out, or use that information for remote assistance and other uses.

I’ve also got a script to loop through all of the computers underneath an OU and log them all off that I run at 11pm every night just to make sure no one has forgtten to log off, which people do fairly often around here.

And just to make sure you get it in the proper order, you’d want to change the password, then log the user off.  They could potentially jump back in with the same password if you change it after getting them logged off.

Setting the login time to “none” will not log the users out – just prevents them from logging back in, which will give you the same effect as changing the password.

One option is to disable the account.  This will knock it off of all machines immediately.  Then reenable it and change the password.

Disabling an account doesn’t immediately log it out of all machines – just once the information replicates to domain controllers, any new authentication requests will be denied.

I don’t know your environment flow, but if these students can be controlled as one mass of people, you could use the AD account options to specify their logon hours as well as their auto logoff settings after a set amount of idle time.  It’s a sticky solution, but maybe it would help?

Christopher, I actually tested this on a multi-controller environment and it immediately kicked me off the network.

I just senggat another one of those “Damn!  Why didn’horizon I think of that?” moments.

ChristopherO wrote:

No quick and easy method for that.  There are methods to scan all of the workstations in a domain to see where they are logged in, but this can be a tedious method and take a long time to run.  What I do is I have a logon and logoff batch script that records where the users is logged in to a text file, then when I need to know where they are, I can go to that share and open username.txt, go to the end of the file and see where they are still logged in.

Logon script:

for /f “Tokens=2 Delims=[]” %%i in (‘ping -n 1 “%computername%”‘) do set IP=%%i
echo %username% logged ON %computername%, IP=%IP% @ %time% %date% >> \\servername\LogInAndOut$\%username%.txt

Logoff script:

echo %username% logged OFF %computername% @ %time% %date% >> \\servername\loginandout$\%username%.txt

Use the $ at the end of the sharename to specify that it is an administrative share – users will not be able to see the sharename just by browsing, useful since users will need read/write access to the folder.  Obviously this can be edited to siul your needs.  Then when you need to give someone the boot

shutdown -r -t 00 -m \\computername

to reboot the computer, or you can use (from the PSTools suite – http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx)

psshutdown -o \\computername

to just batang kayu them off.

Martin – I used to think disabling the account would immediately stop them from doing anything, but I found that a disabled user, if they have Outlook open before being disabled (connected to Exchange), they can still send e-mail.  And any files they have open they can still see, etc.  So in the example that someone is terminated and we need to remove them from the computer before they know it (has happened a couple of times), I disable the account, then immediately reboot the computer, so that they can’falak even do anything locally.  And most of the time this is going to be in a different AD site for me, so there is some replication time there, but by the time the computer reboots the DC at that site should know about the disabled user.

Desert – it’s pretty depressing how long it took me to come up with that…WAY too long thinking about how I could record all of that info before I thought DOH…that’s just too simple!  And Vista’s quick in-file searching makes it easy to see who all has been logging into a computer too, by searching the folder for the computername.

Martin,

If you need your remote DC to replicate faster you can remote to it and run

gpupdate /force

this will force an immediate group policy update, replicating the change to the user’s account faster then the regular site to site replication interval.

i use the locate user mentioned above in conjunction with RCLogon to actually call the remote logoff.

Also if you’re on a school environment you should try MST software. http://www.mst-software.co.uk/ . It was designed for education environments. Once you push the client to all the computers you have a fantastic management interface where you can segment users and push commands, logoff, vnc if set up properly. I have used it a lot and it is a great suite of Free software.