When you enforce logon hours restrictions by using Group Policy, navigating to Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Security Options and enabling Automatically log off users when logon time expires, users whose logon hours settings prevent logon at this time are NOT permitted to log on, but users are NOT forced to log off of their computer, by design.

One way to attempt to force users to log off is to use the WinExit screensaver.

In tip 8520 » How can I force users who are logged onto my domain to log off their computer at a specified time, I scripted ForceLogoff.bat to force any user who is logged onto your domain to log off their local computer. I received a number of requests to alter the script to give the users time to save their work.

This version of ForceLogoff.bat uses the Messenger service, if it is started, to alert a logged on user, giving them 3 minutes to save their work. It launches a generated batch file to send the message, waiting 3 minutes before logging the user off, without delaying the execution of the ForceLogoff.bat script. After launching all the generated batch files, ForceLogoff.bat waits 3 minutes and 10 seconds before deleting them.

The ForceLogoff.bat script uses the NET VIEW command, Psloggedon freeware, and PsShutdown freeware, which must be located in a folder that is in your PATH.

If you schedule ForceLogoff.bat to run in a domain administrator context, users will be logged off at the scheduled time.

The syntax for using ForceLogoff.bat is:

ForceLogoff Exceptions

Where Exceptions is a fully qualified file name that contains computer names, in \\NetBIOSComputerName format, one per line, whose users should NOT be logged off. The file may NOT be empty, but can contain NONE. It does NOT need to contain the computer name that the script is run on.

NOTE: The NetBIOS domain name is extracted from the %USERDOMAIN% environment variable of the user that is running ForceLogoff.bat.

NOTE: A record of each forced log off is displayed on the console, and may be piped to a file.

NOTE: New versions of Windows cache messages, so a user who is logged on, but does not click OK to the message before being logged off, will receive the ForceLogoff message when they log on.

ForceLogoff.bat contains:

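@echo off
rem Require one argument: the exceptions file, which must exist.
if {%1}=={} @echo Syntax ForceLogoff Exceptions&goto :EOF
if not exist %1 @echo Syntax ForceLogoff Exceptions - %1 does NOT exist.&goto :EOF
setlocal ENABLEDELAYEDEXPANSION
set except=%1
set dom=%USERDOMAIN%
rem msg is Y only when the Messenger service is started.
set msg=N
for /f "Tokens=*" %%m in ('net start^|Findstr /L /I /C:"Messenger"') do (
 set msg=Y
)
rem For each computer in the domain other than this one, list the logged-on users with psloggedon.
rem Act only on logon lines that contain the domain name, and skip computers that match the exceptions file.
for /f "Tokens=1" %%c in ('net view /domain:%dom%^|findstr /L /C:"\\"^|findstr /L /V /C:"\\%ComputerName%"') do (
 for /f "tokens=*" %%u in ('psloggedon -L %%c^|findstr /L /C:"/"') do (
  set work1=%%u
  call set work2=!!work1:%dom%=!!
  if "!work2!" NEQ "!work1!" for /f "Tokens=*" %%i in ('@echo %%c^|Findstr /L /I /V /G:%except%') do (
   call :logoff %%i
  )
 )
)
rem Wait 3 minutes and 10 seconds, then delete the generated batch files.
@ping -n 191 127.0.0.1>nul
for /f "Tokens=*" %%d in ('dir "%TEMP%\ForceLogoff_*.bat" /b') do (
 del /q "%TEMP%\%%d"
)
endlocal
goto :EOF
rem Subroutine: log off the users of the computer passed as the first argument.
:logoff
@echo ForceLoggoff %1 %work1%
rem Without the Messenger service, log off immediately.
if "%msg%" EQU "N" psshutdown -o %1&goto :EOF
rem Otherwise generate a batch file that warns the user, waits 3 minutes, then logs off.
set comp=%1
set work=%comp:\=%
set bat="%TEMP%\ForceLogoff_%work%.bat"
@echo @echo on>%bat%
@echo net send %work% ForceLogoff: Log off will begin in 3 minutes. Save your work.>>%bat%
@echo @ping -n 181 127.0.0.1^>nul>>%bat%
@echo psshutdown -o %comp%>>%bat%
@echo @ping -n 3 127.0.0.1^>nul>>%bat%
@echo Exit>>%bat%
rem Launch it minimized so this script continues without waiting.
start "Logoff %work%" /min %bat%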
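
The script filters each computer name through Findstr /L /I /V /G:%except%, with no /X switch, so every line of the Exceptions file is matched as a literal, case-insensitive substring rather than as a whole name. The PowerShell below is an added example, not part of the original tip: it lists computers that an Exceptions file would exempt from logoff without naming them exactly. The function name Get-ExemptComputer and the sample computer names are hypothetical, and blank lines in the file are skipped as an assumption.

```powershell
# Added example: audit a ForceLogoff Exceptions file for over-broad entries.
# Assumption: each non-blank line behaves as a literal, case-insensitive
# substring of the \\COMPUTER name, as Findstr /L /I /G does without /X.
function Get-ExemptComputer {
    param(
        [string[]]$ExceptionLine,   # lines of the Exceptions file, unmodified
        [string[]]$ComputerName     # names in \\NetBIOSComputerName format
    )
    # Entries are not trimmed: a trailing space is part of the search string.
    $entries = @($ExceptionLine | Where-Object { $_ -ne '' })
    foreach ($computer in $ComputerName) {
        foreach ($entry in $entries) {
            # OrdinalIgnoreCase IndexOf mirrors a literal, case-insensitive match.
            $hit = $computer.IndexOf($entry, [System.StringComparison]::OrdinalIgnoreCase)
            if ($hit -ge 0) {
                [pscustomobject]@{
                    Computer = $computer
                    Entry    = $entry
                    # True only when the entry names this computer exactly.
                    Intended = ($computer -ieq $entry)
                }
                break   # first matching entry is enough to exempt the computer
            }
        }
    }
}

# Constructed sample data (hypothetical names, not from the original tip).
$exceptions = '\\PC1', 'NONE'
$computers  = '\\PC1', '\\PC10', '\\PC2', '\\NONESUCH', '\\SRV01'

# Show only the computers that are exempt without an exact entry.
Get-ExemptComputer -ExceptionLine $exceptions -ComputerName $computers |
    Where-Object { -not $_.Intended } |
    Format-Table -AutoSize
```

In practice, pass the real file with Get-Content and the computer list that net view returns for the domain; any row reported is a computer whose users will stay logged on past the scheduled time.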