I want a certain local user to not log off. ever.
It's much like this silly question, however I don't necessarily care if the buttons are there, I want to pop up a messagebox that says "Please do not log off the console" with an "OK" button that then cancels the log off attempt.
Can this be done in a logoff script?
there are group policies to disable the logoff button on the startmenu and on the CTRL-ALT-DEL dialog. However what I'd like is more like
http://msdn.microsoft.com/en-us/library/ms811998.aspx, which appears to not be in server 2008 R2? Or am I missing it?
I even tried to disable the logoff button on start, but it doesn't work, as pointed out by Matt on this similar question
Is it possible to create a logoff script that displays a dialog warning the user to not logoff and then cancels the logoff?
I understand this is a daft need – unfortunately it is not in my power to change or push back. I've exhausted those options. Feel free to get a ton of upvotes on a comment explaining that this is really a dumb plan that is obviously mitigating a symptom of many many systemic issues rather than solving anything. I fully understand that this course of action is actually creating problems. I want this done so I can be done with this contract and never ever work with them again.
Best Answer
When I've had occasion to do this, the way I've effectively disabled log off (and shutdown/restart) is by doing three things.
Use GPOs or local security policies (or a registry setting) to remove the logoff option available through the Ctrl+Alt+Del menu.
User Configuration
->Administrative Templates
->System
->Ctrl+Alt+Del Options
and enable theRemove Logoff
policy.Use GPOs or local security policies (or a registry setting) to configure the available logoff, restart and shutdown options available through the Start Menu.
User Configuration
->Administrative Templates
->Start Menu and Taskbar
and enable theChange Start Menu power button
policy.Lock
is probably what you're looking for.User Configuration
->Administrative Templates
->Start Menu and Taskbar
and enable theRemove and prevent access to the Shut Down, Restart, Sleep and Hibernate command
User Configuration
->Administrative Templates
->Start Menu and Taskbar
and enable theRemove Logoff on the Start Menu
policyChange the permissions on
shutdown.exe
andlogoff.exe
(thanks, Ryan!) so that no user account can execute it. (If you don't need to worry about users runningshutdown.exe
from a commandline, you could skip this.)C:\Windows\systm32\
, and the permissions allow users and administrators to read and execute, but reserves full control forSYSTEM
andTrusted Installer
.Trusted Installer
is also the owner, so to change the permissions, you need to take ownership with an administrative account.Once you're done with all that, there's no way to log off, restart, shutdown, hibernate or sleep the computer without going through a fair bit of effort... or disconnecting the power cable.
Now my server's start menu looks like the below image (and switching user just allows another user to log in):
And the Ctrl+Alt+Del menu looks like: