LOGOFF, version 0.1 pre-beta, October 1997
A tool for Windows NT to log off users from their workstations remotely or unattended.
Copyright (C) 1997 by
Alexander Frink
Hermann Schauss Str. 8
65232 Taunusstein
Germany
Alexander.Frink@Uni-Mainz.DE
This program is free software under the GNU General Public License. See the file LICENSE for details. The latest version of LOGOFF can be found at http://wwwthep.physik.uni-mainz.de/~frink/nt.html.
Contents
- Introduction
- Legal stuff
- Usage
Windows NT offers no possibility for adminstrators to force users to log off over the network, e.g. to prohibit use after a certain time. One can disconnect users from a server, but they still can use the local machine where they are logged on to (even after the logon hours have expired, these are only checked during the logon process).
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
For short, the main aspects of the GNU General Public License are in my personal interpretation which may not be 100% accurate (I am a physicist, not a lawyer):
-
Everybody (private or commercial users) can use this program freely. However, there is now warranty of any kind, since this is free software. Use it at your own risk!
-
Everybody may copy and distribute it, as long as you include the copyright notice, a disclaimer of warranty, the GNU License, and the source code (or make it freely available).
-
You may modify the program or use parts of it in own programs, as long as you distribute it under this license as well (included, but not limited to making the source code available). Further include appropriate copyright notices and take responsibility for ALL bugs in this modified version.
This program consists of two parts: INITLO, a program which runs with SYSTEM privilege and initiates the logoff proces, and LOGOFF, which runs under the user's security context and does the actual logoff, because only the user himself can call the ExitWindowsEx() API with the EWX_LOGOFF parameter (at least I have not found any other way).
Copy INITLO.EXE and LOGOFF.EXE somewhere to the machine where you want to log off the user (you can do this over the network with NET USE \\machine\c$ as Administrator). The designated method to start INITLO is with the AT command (or more comfortably with the SOON command from the NT Resource Kit, because you do not have to specify an absolute time). You can use AT to start processes on other machines on your network. The Schedule service must run on the target machine. If it does not, you can start it remotely with NETSVC from the NT Resource Kit. Therefore you should always be able to use INITLO/LOGOFF even on unprepared workstations completely over the network.
INITLO must run under an account which has SE_DEBUG_NAME, SE_ASSIGNPRIMARYTOKEN_NAME, SE_CREATE_TOKEN_NAME and SE_SECURITY_NAME privileges. By default, only the SYSTEM account (not even the Administrator) has theses privilege. Take this into account if you have configured the Schedule service to run under a different user.
Command line options
usage is
initlo [-g grace] [-p program] [-t text]
where
-
-g grace is the time in seconds between a warning message during which the user may log off on his own and the forced logoff by the system. Default is 60 seconds, -g 0 logs off the user immediately without a warning message.
-
-p program is the program which is executed in the user's security context after the grace time, unless the user has left the system. INITLO looks for the program in the current directory, which is usually %systemroot%\system32 if you invoked INITLO with the AT command, and the directory where INITLO was found, if you do not give the full path with the program. The default program is LOGOFF.EXE (without a path, so it should be either in %systemroot%\system32 or in INITLO's directory.
-
-t text is the text in the warning message box. The default text is 'Please log off within %i seconds', where %i will be filled with the grace time given with the -g switch above. See example below for correct use of quotation marks.
Ordering of command line switches is arbitrary.
Examples
-
AT 16:00 cmd /c "c:\util\initlo > c:\util\initlo.log"
logs off the user who is logged on at 4pm on the local machine
-
AT 16:00 cmd /c "c:\util\initlo -t \"System maintainance. Please log off within %i seconds!\" -g 300 -p c:\logoff.exe > c:\util\initlo.log"
similar to above, but give the user 5 minutes to log off, use a different warning message, and look for the LOGOFF program in c:\
-
SOON \\workstation7 5 "cmd /c ""c:\util\initlo -g 300 -t """System maintainance. Please log off within %i seconds, or you will be logged off automatically!""" > c:\util\initlo.log"""
log off the user who is currently logged on to the PC called workstation7
Please note (these are in general the most common problems when using the AT command):
-
give the full path to INITLO
-
SOON needs more quotation than AT
-
programs started with AT/SOON have no access to network drives
-
you should use output redirection to see error and success messages (the example that comes with NT 4.0's online help uses wrong quotation and does not work)
-
you must be a member of the Administrators group to use AT
Copyright (C) 1997 by
Alexander Frink