I want a certain local user to not log off. Ever. It's much like this silly question, however I don't necessarily care if the buttons are there, I want to pop up a message box that says "Please do not log off the console" with an "OK" button that then cancels the log off attempt. Can this be done in a logoff script?

There are group policies to disable the logoff button on the Start menu and on the CTRL-ALT-DEL dialog. However, what I'd like is more like http://msdn.microsoft.com/en-us/library/ms811998.aspx, which appears to not be in Server 2008 R2? Or am I missing it?

I even tried to disable the logoff button on Start, but it doesn't work, as pointed out by Matt on this similar question.

Is it possible to create a logoff script that displays a dialog warning the user to not logoff and then cancels the logoff?

I understand this is a daft need - unfortunately it is not in my power to change or push back. I've exhausted those options. Feel free to get a ton of upvotes on a comment explaining that this is really a dumb plan that is obviously mitigating a symptom of many many systemic issues rather than solving anything. I fully understand that this course of action is actually creating problems. I want this done so I can be done with this contract and never ever work with them again.


Solution 1:

When I've had occasion to do this, the way I've effectively disabled log off (and shutdown/restart) is by doing three things.

  1. Use GPOs or local security policies (or a registry setting) to remove the logoff option available through the Ctrl+Alt+Del menu.

    • To remove the option from the Ctrl+Alt+Del menu, you need to navigate to User Configuration -> Administrative Templates -> System -> Ctrl+Alt+Del Options and enable the Remove Logoff policy.

  2. Use GPOs or local security policies (or a registry setting) to configure the available logoff, restart and shutdown options available through the Start Menu.

    • To change the default "Power Button" behavior, navigate to User Configuration -> Administrative Templates -> Start Menu and Taskbar and enable the Change Start Menu power button policy.
      • Setting it to Lock is probably what you're looking for.
    • To remove the shut down/restart/sleep/hibernate buttons from the Start Menu, you need to navigate to User Configuration -> Administrative Templates -> Start Menu and Taskbar and enable the Remove and prevent access to the Shut Down, Restart, Sleep and Hibernate commands policy.
    • To remove the logoff option, navigate to User Configuration -> Administrative Templates -> Start Menu and Taskbar and enable the Remove Logoff on the Start Menu policy.

  3. Change the permissions on shutdown.exe and logoff.exe (thanks, Ryan!) so that no user account can execute them. (If you don't need to worry about users running shutdown.exe from a command line, you could skip this.)

    • (I'll usually leave a service account or my backup admin account with permissions so I can change it back if needed, with a minimum amount of effort).
    • By default, they're in C:\Windows\System32\, and the permissions allow users and administrators to read and execute, but reserve full control for SYSTEM and TrustedInstaller.
    • TrustedInstaller is also the owner, so to change the permissions, you need to take ownership with an administrative account.

Once you're done with all that, there's no way to log off, restart, shutdown, hibernate or sleep the computer without going through a fair bit of effort... or disconnecting the power cable.
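The three steps above, applied from an elevated PowerShell prompt through the per-user registry policy values and file ACLs rather than the Group Policy editor. This is an added example and not part of the original answer. It assumes you run it while logged on as the user whose session must stay up (the HKCU branch), that `$KeepAccount` is a placeholder for the service or backup admin account that keeps access to shutdown.exe and logoff.exe, and that the value names are the registry equivalents of the listed policies as I understand them (confirm against the Group Policy editor on your build before relying on them).

```powershell
# Added example, not from the original answer. Run elevated, as the affected user.
# $KeepAccount is a placeholder: the service/backup admin account that keeps
# read+execute on shutdown.exe and logoff.exe so the change can be undone.
$KeepAccount = 'CONTOSO\svc-consolekeep'

# Step 1: Ctrl+Alt+Del Options -> Remove Logoff
# (assumed registry equivalent: Policies\System\NoLogoff = 1)
$sys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
New-Item -Path $sys -Force | Out-Null
Set-ItemProperty -Path $sys -Name NoLogoff -Type DWord -Value 1

# Step 2: Start Menu and Taskbar policies
# (assumed registry equivalents under Policies\Explorer)
$exp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $exp -Force | Out-Null
# Change Start Menu power button -> Lock (4 is the Lock action in this policy,
# as I understand the template; verify on your build)
Set-ItemProperty -Path $exp -Name PowerButtonAction -Type DWord -Value 4
# Remove and prevent access to the Shut Down, Restart, Sleep and Hibernate commands
Set-ItemProperty -Path $exp -Name NoClose -Type DWord -Value 1
# Remove Logoff on the Start Menu
Set-ItemProperty -Path $exp -Name StartMenuLogOff -Type DWord -Value 1

# Step 3: take ownership of shutdown.exe and logoff.exe from TrustedInstaller
# and leave only SYSTEM, TrustedInstaller and $KeepAccount able to run them.
foreach ($exe in 'shutdown.exe', 'logoff.exe') {
    $path = Join-Path $env:SystemRoot "System32\$exe"

    # Save the current ACL first so it can be restored later with
    #   icacls "$env:SystemRoot\System32" /restore "$env:TEMP\$exe.acl"
    icacls $path /save "$env:TEMP\$exe.acl" | Out-Null

    # Owner becomes the Administrators group (needs an elevated admin token).
    takeown /F $path /A | Out-Null

    # Drop inherited entries and the default read/execute grants, then add
    # back the explicit grants we want. /grant:r replaces any existing grant
    # for the named account rather than merging with it.
    icacls $path /inheritance:r | Out-Null
    icacls $path /remove:g 'BUILTIN\Users' 'BUILTIN\Administrators' | Out-Null
    icacls $path /grant:r 'NT SERVICE\TrustedInstaller:(F)' 'SYSTEM:(F)' "$($KeepAccount):(RX)" | Out-Null

    # Show the resulting ACL so the change can be checked by eye.
    icacls $path
}

# Explorer reads these policies at start-up; restart it so the Start menu
# and Ctrl+Alt+Del screen reflect the change in the current session.
Stop-Process -Name explorer -Force
Start-Process explorer.exe
```

The saved `.acl` files are the cheap way back: restoring them and re-running `takeown` for `NT SERVICE\TrustedInstaller` (via `icacls /setowner`) undoes step 3 without guessing at the original entries.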

Now my server's start menu looks like the below image (and switching user just allows another user to log in):

[screenshot: the server's Start menu after these changes]

And the Ctrl+Alt+Del menu looks like:

[screenshot: the Ctrl+Alt+Del menu after these changes]

Solution 2:

I'd have preferred to add this as a comment, but thanks to site policies, I must not comment...

Regarding logoff scripts, I do not know what can be done. But in a C# Windows Forms application, you can register for SystemEvents like SessionSwitch and SessionEnding. The last one even provides a Cancel property in the EventArgs. Such a .NET application could help in your case, but of course the user could close that application first (or kill it from the Task Manager) and then still log off.

By the way: yes, I know that such dumb things sometimes have to be done: there are software companies writing programs which ought to be Windows Services, but running with a GUI in an interactive session...
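The SessionEnding approach from the answer above, as an added example that is not part of the original answer: a small .NET class compiled in-process with `Add-Type` subscribes to `Microsoft.Win32.SystemEvents.SessionEnding`, sets `e.Cancel = true`, and shows the "Please do not log off the console" box the question asked for. It assumes Windows PowerShell 5.1 (desktop .NET Framework, so `System.Windows.Forms` is available) running inside the interactive session of the user who must stay logged on; the class name `LogoffGuard` is my own.

```powershell
# Added example, not from the original answer. Keeps running in the user's
# interactive session and refuses the end-session query that a logoff sends.
Add-Type -AssemblyName System.Windows.Forms

$source = @'
using System;
using System.Threading;
using System.Windows.Forms;
using Microsoft.Win32;

public static class LogoffGuard
{
    // Message text taken from the question; "OK" only dismisses the box.
    const string Text = "Please do not log off the console";

    public static void Run()
    {
        SystemEvents.SessionEnding += OnSessionEnding;
        SystemEvents.SessionSwitch += OnSessionSwitch;
        // SessionEnding is delivered as WM_QUERYENDSESSION to a hidden window
        // that SystemEvents owns, so the process needs a live message loop.
        Application.Run();
    }

    static void OnSessionEnding(object sender, SessionEndingEventArgs e)
    {
        // Cancel answers the end-session query with "no". Windows still offers
        // the user a "Log off anyway" choice on its blocking-apps screen.
        e.Cancel = true;

        // Show the box on another thread so this handler returns promptly;
        // a handler that blocks for long is treated as unresponsive.
        ThreadPool.QueueUserWorkItem(delegate
        {
            MessageBox.Show(Text, "Console session",
                            MessageBoxButtons.OK, MessageBoxIcon.Warning);
        });
    }

    static void OnSessionSwitch(object sender, SessionSwitchEventArgs e)
    {
        // Informational only: SessionSwitch carries no Cancel property,
        // so lock/unlock and switch-user cannot be refused this way.
        Console.WriteLine("SessionSwitch: " + e.Reason);
    }
}
'@

Add-Type -TypeDefinition $source -ReferencedAssemblies System.Windows.Forms, System
[LogoffGuard]::Run()
```

Start it from a scheduled task or the user's Startup folder so it is already running when the logoff is attempted. As the answer notes, this only covers a logoff that goes through the normal end-session path while the process is alive; combined with the ACL change on logoff.exe and shutdown.exe from Solution 1 it closes the obvious command-line route as well.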