User log off after period of inactivity (with message prompt)

Issue

In an open access computer room with a high throughput of users, what do you do to ensure maximum usage of the space?

Data Protection and Security issues aside, this is the situation I faced in a higher education environment, where large numbers of machines were being left idle whilst users worked at the desk (no longer requiring use of the client).

There were 2 use cases when this would occur:

1) A user has walked away from the machine and it is no longer required.

2) A user is working at the desk but the session is idle. An example would be a student researching a topic while they have their dissertation open on the screen.

Use case 1 is not a problem; the tooling is already built into Windows. There are various ways to set timeouts for user sessions, but a simple one I have highlighted below.

[Image: ScreenSaverLogOff_Screensaver_15012015]

Use case 2, however, is a little more tricky. Using traditional methods, the user is not given the opportunity to stop a log off should they forget to interact with the system, nor is it immediately obvious how long they have before a log off is initiated.

Resolution

There was a small utility called WinExit.scr which did exactly what we are trying to achieve. The application can be set as the machine screen saver, which avoids scripting a solution and uses built-in Windows tooling.

When the screensaver is triggered, the application is executed, prompting the user with a countdown timer and a cancel button that allows them to abort before a log off process is initiated.

However, the utility will not work out of the box, as it was built for the Windows 2000/XP platform. On Windows XP, users had the ability to write to the following key:

HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\IniFileMapping\control.ini

On Windows 7 and later, users do not, so we need to build in a mechanism to change the permissions on this key.

Implementation

  1. Download WinExit.scr and associated files from here
  2. Extract the files and copy to the following locations:
    Configuration File:
    C:\Windows\control.ini
    Main File(s):
    C:\Windows\System32\winexit.scr
    C:\Windows\System32\winexit.hlp
  3. Run the following PowerShell script on the endpoint, using your standard delivery method, to set the correct permissions:
    # Script to Set permissions on Registry key to allow WinExit.scr to function
    # Script Name: SetScreenSaverACLv0.1.ps1
    # Script Version: 0.1
    # Created by: Adil Dean 26/09/13
    # Updated by:
    # ============================================================================
    # Requirements:
    # Windows 7 x64
    # Script is not signed (requires necessary permissions)
    # Usage Instructions:
    # <path to script>\SetScreenSaverACLv0.1.ps1
    # ============================================================================
    # Initialise Variables
    $objWinExitAcl = $null
    # Set the native (64-bit) key
    $objWinExitAcl = Get-Acl "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\control.ini"

    # Allow Authenticated Users to set values and create subkeys (inherited by subkeys)
    $objAccessRule = New-Object System.Security.AccessControl.RegistryAccessRule("Authenticated Users","SetValue, CreateSubKey","ContainerInherit, ObjectInherit","None","Allow")

    $objWinExitAcl.AddAccessRule($objAccessRule)

    Set-Acl "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\control.ini" $objWinExitAcl

    # Set the 32-bit (Wow6432Node) key
    $objWinExitAcl = Get-Acl "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\IniFileMapping\control.ini"

    # Same rule as above, applied to the 32-bit view of the key
    $objAccessRule = New-Object System.Security.AccessControl.RegistryAccessRule("Authenticated Users","SetValue, CreateSubKey","ContainerInherit, ObjectInherit","None","Allow")

    $objWinExitAcl.AddAccessRule($objAccessRule)

    Set-Acl "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\IniFileMapping\control.ini" $objWinExitAcl

However, we find a new issue: a screensaver can be triggered at the logon screen, prompting the user to log off even though they aren't actually logged in. Not a great user experience.

The solution comes courtesy of VMware:

  1. Click Start > Run, type regedit, click OK.
  2. Locate the following registry key:
    HKEY_USERS\.DEFAULT\Control Panel\Desktop
  3. Double-click the ScreenSaveActive string value item in the Details pane.
  4. In the Value field, replace 1 with 0.
  5. Click OK.

Source: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=9275881
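
A post-deployment check for the whole procedure above, as an added example that is not part of the original post: it confirms the files from step 2, verifies that Authenticated Users hold SetValue and CreateSubKey on both keys without rights that would let them delete or re-permission the key, and checks ScreenSaveActive under HKEY_USERS\.DEFAULT. The function name `Test-WinExitEndpoint` and the `-FixLogonScreenSaver` switch (which applies the registry change from the steps above) are assumptions made for this example; run it elevated.

```powershell
# Added example (not from the original post): post-deployment check for the setup above.
# Test-WinExitEndpoint and -FixLogonScreenSaver are illustrative names. Run elevated.
function Test-WinExitEndpoint {
    param([switch]$FixLogonScreenSaver)
    $iniMap = 'Microsoft\Windows NT\CurrentVersion\IniFileMapping\control.ini'

    # Step 2: the three files must be in place.
    foreach ($file in 'C:\Windows\control.ini', 'C:\Windows\System32\winexit.scr',
                      'C:\Windows\System32\winexit.hlp') {
        [pscustomobject]@{ Check = $file; Ok = (Test-Path -LiteralPath $file); Detail = '' }
    }

    # Step 3: Authenticated Users (well-known SID S-1-5-11) should hold SetValue and
    # CreateSubKey on both keys, and no right to delete or re-permission the key.
    $wanted = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey'
    $excess = [int][System.Security.AccessControl.RegistryRights]'Delete, ChangePermissions, TakeOwnership'
    foreach ($key in "HKLM:\SOFTWARE\$iniMap", "HKLM:\SOFTWARE\Wow6432Node\$iniMap") {
        $granted = 0
        if (Test-Path -LiteralPath $key) {
            (Get-Acl -LiteralPath $key).GetAccessRules($true, $true,
                [System.Security.Principal.SecurityIdentifier]) |
                Where-Object { $_.IdentityReference.Value -eq 'S-1-5-11' -and
                               $_.AccessControlType -eq 'Allow' } |
                ForEach-Object { $granted = $granted -bor [int]$_.RegistryRights }
        }
        [pscustomobject]@{
            Check  = $key
            Ok     = (($granted -band $wanted) -eq $wanted) -and (($granted -band $excess) -eq 0)
            Detail = [Enum]::ToObject([System.Security.AccessControl.RegistryRights], $granted)
        }
    }

    # Logon screen: ScreenSaveActive under HKEY_USERS\.DEFAULT should be 0.
    $logonKey = 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop'
    $value = (Get-ItemProperty -LiteralPath $logonKey -Name ScreenSaveActive `
                  -ErrorAction SilentlyContinue).ScreenSaveActive
    if ($FixLogonScreenSaver -and $value -ne '0') {
        Set-ItemProperty -LiteralPath $logonKey -Name ScreenSaveActive -Value '0'
        $value = '0'
    }
    [pscustomobject]@{ Check = "$logonKey\ScreenSaveActive"; Ok = ($value -eq '0'); Detail = $value }
}

Test-WinExitEndpoint | Format-Table -AutoSize
```

Any row with `Ok` set to `False` points at the step to revisit; the `Detail` column shows the combined rights actually granted to Authenticated Users on each key.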
