I’m working on a script action that will log off any currently-active user sessions.
Right now, I’m using appendfile to build lines with “logoff (session id of current user)”, and then I copy that to c:\windows\temp\my.bat. If I run the batch file manually in the command prompt (as administrator), it works wonderfully.
However, when the BigFix agent runs the file, the logout doesn’t happen.
Does the agent’s status under the System account mean it can’t issue the logoff command to other sessions?
But as you are trying to do this to a logged on user you could just run it as them (override wait, runas=currentuser, wait )
And as you are doing that you just need to do a “wait logoff” and add anything optional to force the logoff and not build a script. You should protect the action though with an “exists current user” relevance of course.
Additionally, it’s worth noting that “current user” only returns the person on the console of the endpoint. “logged on users” also will give you remote people or those not actually on the “console”.
Oooh, interesting. So I’d use “exists current user”/“wait logoff” for the console users, and “logoff (session id of logged in user)” for remote users (as on a terminal server).
This works as the “current user” (the one on the console) will be the one running the logoff command. The other users (remotes) you can’t force off with the LOCAL SYSTEM account due to the OS restriction.
I’m struggling with this problem too, but I don’t quite understand it.
Let’s say I have user X that is logged on on the device.
I’m user Y managing the console.
If I use
override wait
runas=currentuser
wait logoff
Will it run with user X or does user Y need to be logged on to do this?
It turns out this is a bit more complex than it appears.
runas=currentuser
Will run as the current user permissions-wise, but in a separate console.
We call CreateProcessAsUser ( https://msdn.microsoft.com/en-us/library/windows/desktop/ms682429(v=vs.85).aspx ) to create the process using the flag CREATE_NEW_CONSOLE so it does not inherit the same console as the user. So when you instruct this console to log off, it happily does. It just doesn’t log off the user on the other console.
So that suggests the only way to actually do this would be:
override wait
runas=currentuser
wait logoff {session id of current user}
// Disable wow64 redirection on x64 OSes
action uses wow64 redirection {not x64 of operating system}
// log off the current user
waithidden logoff {session id of current user}
or for a command that requires running through dos:
// Disable wow64 redirection on x64 OSes
action uses wow64 redirection {not x64 of operating system}
// log off the current user
waithidden cmd /c logoff {session id of current user}
Having completely forgotten this thread, or that I’d tried it before, today I set about trying to do the same thing. After trying a few things I searched the forum and found this thread.
For what it’s worth, this works perfectly for logging off all logged on users:
action uses wow64 redirection {not x64 of operating system}
delete __appendfile
delete c:\windows\temp\userslogout.bat
appendfile { concatenation "%0d%0a" of ("logoff " & it) of (session ids of logged on users as string) }
copy __appendfile c:\windows\temp\userslogout.bat
waithidden cmd.exe /C c:\windows\temp\userslogout.bat
delete c:\windows\temp\userslogout.bat