1

Our Sophos Anti-virus scans each night, but complains about files it can't access: files that are in use by Firefox or Outlook.

Is there a script we can configure to run each night before the scans, which logs the user out of the machine?

Ideally, this would bring up a prompt beforehand offering the user the chance to remain logged in, should they be working late.

Thanks, Dean.

Dean Rather
  • Time for a better virus scanner perhaps? One that doesn't require the user to be logged off in the middle of the night and lose everything that they might have open on their desktop so when they come back the next morning they have to spend 10 minutes re-opening all their programs... – Mark Henderson Sep 22 '09 at 03:19
  • Farseeker; great observation! Sometimes the answer to the question is not directly related to the original question. =) – Wesley Sep 22 '09 at 14:20
  • Solved the problem by changing the reporting options to not complain when a file is in use... – Dean Rather Oct 21 '09 at 22:07

3 Answers

3

EDIT: The following suggestion in my post only affects SMB connections and will not log off a user's interactive session like I thought it would. See this Google cached Experts Exchange thread for a long discussion on it (scroll all the way down to see the thread past the filthy lies that you have to be logged in to see the thread). Thanks to Evan Anderson for setting me straight. It seems that a pstools script or batch file would be the only way to achieve this.

Someone feel like downvoting me to remove the undeserved points?


Maybe I'm missing something, but won't the domain policy "Automatically log off users when logon time expires" be applicable in this scenario? Just create the hours that you want people to be able to log on and then restrict them accordingly to have them all logged off. Be careful when applying this policy though. If I understand correctly, it can only be applied to the domain root and there are some other caveats. You may be better off applying a local group policy via a domain policy and a security template... ? Things are getting complex here. =)

If you have an Experts-Exchange account (you can get one genuinely for free if you look in their help pages hard enough in spite of their filthy lies that you have to pay to become a member; I've blogged about it here) you can read this thread about a similar situation and the solution.

You could also look into "How To Force Users to Quit Programs and Log Off After a Period of Inactivity in Windows XP" as per KB314999.

Wesley
  • You can view the whole discussion here without having to give anything to the sex changers (just scroll to the bottom of the page): http://74.125.153.132/search?q=cache:7uHCPur91DsJ:www.experts-exchange.com/Security/Win_Security/Q_20444094.html+cached:http://www.experts-exchange.com/Security/Win_Security/Q_20444094.html&cd=2&hl=en&ct=clnk&gl=au&client=firefox-a. – Mark Henderson Sep 22 '09 at 03:17
  • (that's a Google cache link, btw, if you're wary about clicking a link with an IP address in it) – Mark Henderson Sep 22 '09 at 03:20
  • I am wary of IP address URLs, but -- frighteningly enough -- I thought the IP address looked somewhat familiar... =) – Wesley Sep 22 '09 at 14:18
2

There's no built-in functionality to do what you want, so you're definitely going to have to have something coded.

I can't tell you about Vista or Windows 7, because I don't have one handy right now to test on, but a "shutdown -l" (as phuzion mentioned) on Windows XP run as SYSTEM (invoked by the "Task Scheduler" service) will cause the session for the interactive user to logoff. Conceivably this might be different on Vista and Windows 7.

You could probably rig something ugly with wprompt, a .BAT file, and "Scheduled Tasks", but you'll have to schedule it with the "AT" command to get it to interact with the Desktop, and you'll have an ugly command-prompt window popping up. (Okay, okay-- I can think of a way to do it with VBScript and that wprompt utility that wouldn't cause an ugly command prompt window to pop up. It's still ugly, though.)

Evan Anderson
  • Does the "Automatically log off users when logon time expires" GPO option not apply to this situation like I thought it did? – Wesley Sep 22 '09 at 14:53
  • That setting has nothing to do with interactive logons. It affects the "Server" service and prevents clients from "mapping drives" or otherwise accessing shared resources on file server computers when the logon hours expire. I'm having a hard time finding a newer reference from Microsoft, but here's a reference that is old but still applies to newer versions of Windows: http://msdn.microsoft.com/en-us/library/ms814138.aspx – Evan Anderson Sep 22 '09 at 15:18
  • Note you can use "shutdown -l -m \\computername" to do so remotely. You'll need to run this as a domain admin. – tsilb Sep 22 '09 at 17:36
  • Thanks for the clarification, Evan! I edited my post accordingly. – Wesley Sep 22 '09 at 18:17
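The prompt-then-logoff behaviour asked for in the question, sketched in PowerShell as an added example that is not code from any poster in this thread. It assumes the script is started by a scheduled task running in the logged-on user's own session shortly before the scan; the timeout, log path and message text are hypothetical values.

```powershell
# Added example (not from the thread). Assumed deployment: a scheduled task
# that runs in the logged-on user's own session shortly before the scan.
param(
    [int]$TimeoutSeconds = 300,                         # assumed grace period
    [string]$LogPath = "$env:TEMP\nightly-logoff.log"   # hypothetical log location
)

function Write-Decision([string]$Message) {
    # Record who was prompted, where, and what happened, for later review.
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    Add-Content -Path $LogPath -Value "$stamp $env:USERNAME@$env:COMPUTERNAME $Message"
}

# WScript.Shell Popup flags: 4 = Yes/No buttons, 32 = question icon,
# 4096 = system modal (stays on top).
# Return values: 6 = Yes, 7 = No, -1 = nobody answered before the timeout.
$shell  = New-Object -ComObject WScript.Shell
$text   = "The nightly anti-virus scan is about to start and you will be logged off.`n" +
          "Unsaved work will be lost.`n`n" +
          "Are you still working and want to stay logged in?"
$answer = $shell.Popup($text, $TimeoutSeconds, 'Nightly logoff', 4 + 32 + 4096)

switch ($answer) {
    6 {
        Write-Decision 'User chose to stay logged in; logoff skipped.'
    }
    default {
        # 7 (No) or -1 (timeout): end this interactive session with the
        # same command the answers in this thread use.
        Write-Decision "No request to stay (Popup returned $answer); logging off."
        & "$env:SystemRoot\System32\shutdown.exe" -l
    }
}
```

Because the dialog runs as the logged-on user, nothing is shown and nothing is logged off on machines where nobody is signed in when the task fires.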
1

You should be able to create a batch file that will log the user out, and execute it remotely with psexec.

The command you would want to include in the batch file would be:

shutdown -l

I'd suggest against doing this though, as many people will be frustrated with you in the morning when they find out that their unsaved documents are completely gone.

phuzion
  • No need to use PSEXEC. We have the server run a single batch file that actually does a restart, passing the computer name to the shutdown command: shutdown -r /m \\computer1... – Knox Sep 22 '09 at 11:26