NT Gatekeeper: Using the WinExit Screen Saver to Force User Logoffs

In my company's public areas (e.g., restaurant, meeting rooms), I've created a set of Windows NT 4.0 kiosk machines. Employees use their corporate NT account to log on and access their mailboxes or surf the Internet. Many kiosk users forget to log off when they're finished. How can I force users to log off?

The easiest way to resolve your problem is to use the WinExit screen saver on your kiosk machines. This screen saver comes with the Microsoft Windows NT Server 4.0 Resource Kit. Like any other screen saver, the WinExit screen saver becomes active after a preconfigured interval. Unlike all other screen savers, WinExit doesn't just lock the screen (with or without password protection) but effectively ends the user logon session. When WinExit launches, a countdown dialog box appears; when the countdown ends, WinExit logs the user off.

Before you can install the WinExit screen saver, you must copy the winexit.scr file to your kiosk machines. Winexit.scr is in the resource kit folder of any machine on which you've installed the resource kit. In Windows, installing a screen saver is as simple as right-clicking the *.scr file and clicking Install on the pop-up menu.

As with other screen savers, you configure WinExit through the Screen Saver tab in the Control Panel Display applet. I recommend that you set up the kiosk so that only the local or domain administrator can configure the screen saver. To block kiosk users' screen-saver configuration capabilities, use the NT 4.0 policy editor (poledit.exe) to hide the Screen Saver tab in the Display properties, as Figure 2 shows. Select the Hide Screen Saver tab check box, and link this option to a group that contains all your kiosk users. In the sample screen in Figure 2, I created a special global group called Kiosk Users.

Figure 3 shows the settings that you can configure from the WinExit properties on the Screen Saver tab. You can customize the countdown interval and the message that appears in the countdown dialog box. If you select the Force application termination check box, Windows closes all running applications no matter what their current state.

For the WinExit screen saver to work for any account logging on to your kiosk machines, you also have to change the registry permissions on the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion registry subkey. To set the permissions, I reused the Kiosk Users group I set up earlier. I gave Kiosk Users the permissions on this registry subkey, as Figure 4 shows. When you apply these permissions, make sure that you select the Replace Permission on Existing Subkeys check box in the ACL editor.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.