10

I want a certain local user to not log off. ever. It's much like this silly question, however I don't necessarily care if the buttons are there, I want to pop up a messagebox that says "Please do not log off the console" with an "OK" button that then cancels the log off attempt. Can this be done in a logoff script?

there are group policies to disable the logoff button on the startmenu and on the CTRL-ALT-DEL dialog. However what I'd like is more like http://msdn.microsoft.com/en-us/library/ms811998.aspx, which appears to not be in server 2008 R2? Or am I missing it?

I even tried to disable the logoff button on start, but it doesn't work, as pointed out by Matt on this similar question

Is it possible to create a logoff script that displays a dialog warning the user to not logoff and then cancels the logoff?

I understand this is a daft need - unfortunately it is not in my power to change or push back. I've exhausted those options. Feel free to get a ton of upvotes on a comment explaining that this is really a dumb plan that is obviously mitigating a symptom of many many systemic issues rather than solving anything. I fully understand that this course of action is actually creating problems. I want this done so I can be done with this contract and never ever work with them again.

dfstandish
  • 111
  • 5
  • 18
    This is really a dumb plan that is obviously mitigating a symptom of many many systemic issues rather than solving anything. This course of action is actually creating problems. Be done with this contract and never ever work with them again. – Michael Hampton Feb 27 '14 at 17:46
  • 1
    Aside from being a silly thing to try and do, it's also something that other people wouldn't benefit from knowing how to do. It's only going to create problems, so voting to close. – HostBits Feb 27 '14 at 18:04
  • 3
    While I agree it is a silly plan, and I don't know the motive, I can say that I could benefit from a similar solution. We all have to deal with stupid legacy software such as a "deamon" that has a @#$@#$@ window made in VB6 and does not run as a service because it has all sort of pop-up message and you end up with a AuthoHotKey script clicking on OK whenever they come up... so preventing logging off would be useful... – ETL Feb 27 '14 at 19:20
  • 1
    @MichaelHampton , You sir, are absolutely correct. I should have added, "I want to do this so I can get paid, and then never ever work for them again." as ETL pointed out, there is all kinds of legacy badness out there... and as Cheekaleak pointed out, any answer to this question is going to contribute to badness in the world. Having said that, I still want to hack this and be done. – dfstandish Feb 27 '14 at 19:56
  • Where is the root need? If it was like me and you needed a process/app to run as that user with an interactive desktop session, then you could look at getting Firedaemon and setup a service that runs as that user for that app with Session 0. – TheCleaner Feb 27 '14 at 20:36

2 Answers2

14

When I've had occasion to do this, the way I've effectively disabled log off (and shutdown/restart) is by doing three things.

  1. Use GPOs or local security policies (or a registry setting) to remove the logoff option available through the Ctrl+Alt+Del menu.

    • To remove the option from the Ctrl+Alt+Del menu, you need to navigate to User Configuration -> Administrative Templates -> System -> Ctrl+Alt+Del Options and enable the Remove Logoff policy.

  2. Use GPOs or local security policies (or a registry setting) to configure the available logoff, restart and shutdown options available through the Start Menu.

    • To change the default "Power Button" behavior, navigate to User Configuration -> Administrative Templates -> Start Menu and Taskbar and enable the Change Start Menu power button policy.
      • Setting it to Lock is probably what you're looking for.
    • To remove the shut down/restart/sleep/hibernate buttons from the Start Menu, you need to navigate to User Configuration -> Administrative Templates -> Start Menu and Taskbar and enable the Remove and prevent access to the Shut Down, Restart, Sleep and Hibernate command
    • To remove the logoff option, navigate to User Configuration -> Administrative Templates -> Start Menu and Taskbar and enable the Remove Logoff on the Start Menu policy

  3. Change the permissions on shutdown.exe and logoff.exe (thanks, Ryan!) so that no user account can execute it. (If you don't need to worry about users running shutdown.exe from a commandline, you could skip this.)

    • (I'll usually leave a service account or my backup admin account with permissions so I can change it back if needed, with a minimum amount of effort).
    • By default, it's in C:\Windows\systm32\, and the permissions allow users and administrators to read and execute, but reserves full control for SYSTEM and Trusted Installer.
    • Trusted Installer is also the owner, so to change the permissions, you need to take ownership with an administrative account.

Once you're done with all that, there's no way to log off, restart, shutdown, hibernate or sleep the computer without going through a fair bit of effort... or disconnecting the power cable.

Now my server's start menu looks like the below image (and switching user just allows another user to log in):

enter image description here

And the Ctrl+Alt+Del menu looks like:

enter image description here

HopelessN00b
  • 53,385
  • 32
  • 133
  • 208
4

I'd prefered to add this as a comment, but thank to site policies, I must not comment...

Regarding Logoff scripts, I do not know what can be done. But in a C# Windows Forms application, you can register for SystemEvents like SessionSwitch and SessionEnding. The last one even provides a Cancel property in the EventArgs. Such a .Net application could help in your case, but of course the user could close that application first (or kill it from the TaskManager) and then still log off.

By the way: yes, I know that such dumb things sometimes have to be done: there are software companies writing programs which ought to be Windows Services, but running with a GUI in an interactive session...

  • 2
    A short program that displays a dialog and then cancels shutdown would function, but it also could be killed from Task Manager, which might defeat the purpose. – Michael Hampton Feb 28 '14 at 15:45