When you enforce logon hours restrictions by using to Group Policy to navigating to Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Security Options and enable Automatically log off users when logon time expires, users whose logon times settings prevent logon at this time are NOT permitted to log on, but users are NOT forced to log off of their computer, by design.

One way to attempt to force users to log off is to use the WinExit screensaver.

Using the NET VIEW command, Psloggedon freeware, and PsShutdown freeware, I scripted ForceLogoff.bat to force any user who is logged onto your domain to log off their local computer.

If you schedule ForceLogoff.bat to run in a domain administrator context, users will be logged off at the scheduled time.

The syntax for using ForceLogoff.bat is:

ForceLogoff Exceptions

Where Exceptions is a fully qualified file name that contains computer names, in \\NetBIOSComputerName format, one per line, whose users should NOT be logged off. The file may NOT be empty, but can contain NONE. It does NOT need to contain the computer name that the script is run on.

NOTE: The NetBIOS domain name is extracted from the %USERDOMAIN% environment variable of the user that is running ForceLogoff.bat.

NOTE: See Another script to force users who are logged onto my domain to log off their computer at a specified time.

ForceLogoff.bat contains:

@echo off
if \{%1\}==\{\} @echo Syntax ForceLogoff Exceptions&goto :EOF
if not exist %1 @echo Syntax ForceLogoff Exceptions - %1 does NOT exist.&goto :EOF
setlocal ENABLEDELAYEDEXPANSION
set except=%1
set dom=%USERDOMAIN%
for /f "Tokens=1" %%c in ('net view /domain:%dom%^|findstr /L /C:"\\"^|findstr /L /V /C:"\\%ComputerName%"') do (
 for /f "tokens=*" %%u in ('psloggedon -L %%c^|findstr /L /C:"/"') do (
  set work1=%%u
  call set work2=!!work1:%dom%=!!
  if "!work2!" NEQ "!work1!" for /f "Tokens=*" %%i in ('@echo %%c^|Findstr /L /I /V /G:%except%') do (
   psshutdown -o %%i
  )
 )
)
endlocal