Execute batch file at specific time using GP

  • Thread starter Thread starter David Reed
  • Start date Start date
D

David Reed

Hello All,

I want to create a batch file using LOGOFF.EXE (which I have to FIND first)
to automatically log users off the network at, say, 10pm. I want to create
a Group Policy to execute that batch file, at, say, 10pm.

Am I on the right track? Has anyone here done that, and with what degree of
success? How do I find and get LOGOFF.EXE, and does anyone happen to have a
batch file already for that?

Thanks,
 
why dont you just set the users accounts in AD to deny logon at the certain
hours you want to run a script. then you could set the group policy
"Computer config/Windows settings/local policies/security options" and find
this setting: "Network security: Force logoff when logon hours expire" this
will make your users logoff the pc's when their time expires. then all you
need to do is setup a Computer or User logoff script in the GPO to do what
you want when the user is forced to logoff. Hope it helps!

Philip Nunn
 
Hi Philip,

Not a bad idea, but my users are researchers, and so they have "desktop" or
"Admin" computers that they use for email, report-writing and such, and they
also have "lab" systems that they are logged in to run their experiments on.
So I have the computers IN AD in two seperate OU's to keep the Admin
systems, which CAN (and should) be logged off at night, and the Lab systems,
which have to stay logged in.

Do you know of a way to do that, but apply it to an OU of computers, rather
than an OU of users?

Thanks,

David

(PS...nice to see I'm not the ONLY one working today).
 
Now you are confusing me! So your users have 2 systems each, but one AD
user account? Now im just trying to figure out your setup. This could be a
combonation of using the GPMC to set permissions on the GPO and possibly
using "Loopback processing" Can you explain to me exactly your setup, which
OU's have what computers and what OU's hold the users accounts, and what
pc's or users you want to logoff at 10

Philip Nunn
 
Hi Philip,

Sure thing.

My company is a R&D company. Our researchers have offices, and in their
offices, they have office desktops, where they use MS Word, Outlook, etc.

All computers that fit this category are in an OU called "ADMINSYSTEMS"

They also have two, three, four, five, six, eight, ten, lab computers that
have various National Instrucments data gathering cards, as well as our
companies proprietary hardware installed and connected to them, running
analysis. Because logging off those computers would shut down the data
collection software, they have to be left logged in. So they are in a
seperate OU called "LABSYSTEMS".

What I want to do is be able to have all the computers in the ADMINSYSTEMS
OU logoff at a specific time (10pm is good), but have whatever I do to cause
those computers in the ADMINSYSTEMS OU to log off NOT affect any computers
that are NOT in the ADMINSYSTEMS OU (such as the LABSYSTEMS OU, SERVERS OU,
DOMAIN CONTROLLERS OU, etc).

Does this help?

Also, if you have any suggestions for improving on this set-up, I'm all
ears!

Regards,

David
 
Ok, I think this is what you need to do. Same as i said before but I will
elamborate on it a little for you. Since you didnt mention that the r&d
users use different user accounts to logon to the "Labsystems" OU computers
I will assume that they use a single user account to logon to all pc's. So
what you need to do is create/edit a GPO on the "ADMINSYSTEMS" OU and set
the following gp setting "Computer config/Windows settings/local
policies/security options" and find this setting "Network security: Force
logoff when logon hours expire" this should force the users to logoff
according to the logon hours setup on their AD account. Keep in mind that
since this is a computer config it will only affect the computers in the OU
its applied to. You also need to set the logon hours for the user accounts
in AD users & computers. If the users are logged into the lab pc's BEFORE
their logon hours expire they will continue to be logged on because the gp
setting mentioned above is not set on the "Labsystems" OU. The logon hours
set in ADUC only affects users trying to logon to the computers at that
given time range. If they are logged on before the time comes, the system
will remain logged on. It only refuse new logon's during the time period.
You may want to test this on a dummy account. Create a test user and set
the account to "Deny logon hours" whenever you want to test it (for an
example we will say 'deny from 3-4pm') make sure the user is logged on
before this time and see what happens when 3 o'clock comes around. If the
policy is NOT set the user should remain logged on. I hope this works for
you! Let me know!

Philip Nunn
 
You can create a startup script using the at command that would apply to
computers. The logoff.exe or shutdown.exe [shutdown -l will also work] may
already be in the system32 folder. I tried it on a test network and found I
had to use the /interactive switch with the at command. For instance I
tested --- " at 20:00 /interactive shutdown -l ". --- Steve
 
Back
Top