Windows Server 2008 R2 – Warn User If They Try to Logoff

group-policylogoff-scriptswindows-server-2008-r2

I want a certain local user to not log off. ever.
It's much like this silly question, however I don't necessarily care if the buttons are there, I want to pop up a messagebox that says "Please do not log off the console" with an "OK" button that then cancels the log off attempt.
Can this be done in a logoff script?

there are group policies to disable the logoff button on the startmenu and on the CTRL-ALT-DEL dialog. However what I'd like is more like
http://msdn.microsoft.com/en-us/library/ms811998.aspx, which appears to not be in server 2008 R2? Or am I missing it?

I even tried to disable the logoff button on start, but it doesn't work, as pointed out by Matt on this similar question

Is it possible to create a logoff script that displays a dialog warning the user to not logoff and then cancels the logoff?

I understand this is a daft need – unfortunately it is not in my power to change or push back. I've exhausted those options. Feel free to get a ton of upvotes on a comment explaining that this is really a dumb plan that is obviously mitigating a symptom of many many systemic issues rather than solving anything. I fully understand that this course of action is actually creating problems. I want this done so I can be done with this contract and never ever work with them again.

Best Answer

When I've had occasion to do this, the way I've effectively disabled log off (and shutdown/restart) is by doing three things.

  1. Use GPOs or local security policies (or a registry setting) to remove the logoff option available through the Ctrl+Alt+Del menu.

    • To remove the option from the Ctrl+Alt+Del menu, you need to navigate to User Configuration -> Administrative Templates -> System -> Ctrl+Alt+Del Options and enable the Remove Logoff policy.

  2. Use GPOs or local security policies (or a registry setting) to configure the available logoff, restart and shutdown options available through the Start Menu.

    • To change the default "Power Button" behavior, navigate to User Configuration -> Administrative Templates -> Start Menu and Taskbar and enable the Change Start Menu power button policy.
      • Setting it to Lock is probably what you're looking for.
    • To remove the shut down/restart/sleep/hibernate buttons from the Start Menu, you need to navigate to User Configuration -> Administrative Templates -> Start Menu and Taskbar and enable the Remove and prevent access to the Shut Down, Restart, Sleep and Hibernate command
    • To remove the logoff option, navigate to User Configuration -> Administrative Templates -> Start Menu and Taskbar and enable the Remove Logoff on the Start Menu policy

  3. Change the permissions on shutdown.exe and logoff.exe (thanks, Ryan!) so that no user account can execute it. (If you don't need to worry about users running shutdown.exe from a commandline, you could skip this.)

    • (I'll usually leave a service account or my backup admin account with permissions so I can change it back if needed, with a minimum amount of effort).
    • By default, it's in C:\Windows\systm32\, and the permissions allow users and administrators to read and execute, but reserves full control for SYSTEM and Trusted Installer.
    • Trusted Installer is also the owner, so to change the permissions, you need to take ownership with an administrative account.

Once you're done with all that, there's no way to log off, restart, shutdown, hibernate or sleep the computer without going through a fair bit of effort... or disconnecting the power cable.

Now my server's start menu looks like the below image (and switching user just allows another user to log in):

enter image description here

And the Ctrl+Alt+Del menu looks like:

enter image description here

Related Topic