How to Log off all Terminal Server Session Users from a Command Prompt

This article provides some information about how to log off all Terminal Server Session Users from a Command Prompt.

Original product version: В Windows Server 2012 R2
Original KB number: В 259436

Summary

Under some conditions, an administrator may want to force a logoff of all users currently logged on to a Windows NT 4.0 Server, Terminal Server Edition-based computer. You can do so by creating a batch file that calls two Terminal Server specific commands, QUERY, and LOGOFF.

Performing the following procedure logs off all users currently logged onto the Terminal Server. This may result in a loss of unsaved data. Because of this, extreme caution is advised.

More information

To create a batch file that calls these two Terminal Server specific commands, place the following information into a batch (.bat) file:

This batch file may be run at any time the Administrator desires to force the logoff of all users that are not logged on to the Terminal Server console.

Query is a multi-purpose command found within the Terminal Server environment. In this case, Query Session creates a list of all sessions running on the Terminal Server, complete with Session ID numbers. Within the batch file, this output is redirected to a text file. The FOR statement then parses each line of the text file, skipping the first line, and looking for the Session ID number found in the third column. It then places this variable into Logoff, resulting in that session being logged off.

It is not uncommon to receive an error message when you run this batch file. If a user is logged on to the Terminal Server console, the following error message is generated:

Could not logoff session ID 0 from session Console, Error code 5
Error [5]: Access is denied.

It is due to a limitation of the Logoff command. It cannot force the logoff of the console session. A work-around to this issue would be to modify the batch file to read:

How to logoff all users on windows from command line as a domain administrator

I’m running automation testing on Windows (windows 10 and 2012), and one of the requirements of the automation is that ALL users need to be logged off. I have a chance to do this after deployment. I kind of see this page give an answer, but after I tried query session , I see it gives even services and rdp-tcp sessions. but I don’t want to stop any service.

4 Answers 4

This solution is based on the previous answer but this one will close all sessions (even disconnected sessions). Unfortunately, the text format of each line returned by the ‘query session’ command can be difficult to parse. As you can see in the next screenshot, the username may be empty and in this example, if you use tokens=3, you will get the username instead of the ID for the user compil.

The problem is that you cant logoff a disconnected user with his username. To circumvent this problem, we use 2 for loops to get the session name and id (depending on the line format), and then we keep only the numeric values to send the logoff command and logoff also the disconnected sessions.

The page you linked has the correct answer. Except that in Windows 2012 / 10 you should use skip=2 instead of 1. This way you will skip the ‘services’ line.
So your batch file will look like this:

We use this to log off all rdp sessions with the exception of the administrator. Could be tweaked as needed.

Log Off Another User in Windows 10

How to Log Off Another User in Windows 10

Although the concept of multiple users sharing one device or one PC is getting rarer by the day, there are still cases when you have to share PCs and switch users fast. Sometimes you need to end a session for another user signed in to your computer. Here are a number of methods you can use.

The situation can be different when you need to end a user session. For example, someone just forgot to sign out from his or her user account, and left running apps and opened docs, so the remain in your computer’s memory and consume its system resources. In this case, it could be useful to kick out the inactive session for the other user.

There are no third party tools required. This can be done using either Task Manager, Command Prompt or PowerShell.

To Log Off Another User in Windows 10,

1. Open the Task Manager app.
2. If it looks as follows, switch it to the full view using the «More details» link in the bottom right corner.
3. Click on the Users tab.
4. Right-click on a user account you want to log off.
5. Select Sign off from the context menu.

Alternatively, there are a couple of console tools we can use for the same purpose. Let’s review them.

Log Off Another User from the Command Prompt

1. Open an elevated command prompt.
2. Type or copy-paste the following command: query session . This will list available user sessions.
3. Note the ID column value for the user you want to sign off.
4. Now, execute the command logoff . For example, logoff 1 .

Finally, you can use PowerShell, as follows.

Log Off Another User from with PowerShell

1. Open PowerShell as Administrator.Tip: You can add «Open PowerShell As Administrator» context menu.
2. Type or copy-paste the following command: $sessionID = ((quser /server:’you computer name’ | Where-Object < $_ -match 'user name to sign off' >) -split ‘ +’)[2]
3. Now, execute the command logoff $sessionID .

The PowerShell method is great when you know the exact user name. You can save it as a script and sign out other users with one click when needed.

Related blog posts:

Winaero greatly relies on your support. You can help the site keep bringing you interesting and useful content and software by using these options:

Share this post

About Sergey Tkachenko

Sergey Tkachenko is a software developer from Russia who started Winaero back in 2011. On this blog, Sergey is writing about everything connected to Microsoft, Windows and popular software. Follow him on Telegram, Twitter, and YouTube.

1 thought on “ Log Off Another User in Windows 10 ”

To note, the logoff command is not available on Windows 10 Home editions.

How To Log Off Windows Users Remotely With PowerShell

Here is a quick and easy way to remotely log off end users who are still logged into their computers. This is especially useful when you are trying to do maintenance.

End users are sometimes logged into their computers for far too long. It seems like every time you’d like to do some maintenance on the computer that requires a user logging out, they don’t seem to do it or the computer is idling with them logged in! Luckily, we can take this into our own hands by forcing a logoff remote from another computer.

Using PowerShell, we can create a script that reaches out to one or more remote Windows computers, checks to see if anyone is logged in and, if so, logs them out. We can even log off all users if we so desire.

Before we get too crazy though, we first need to figure out how to find which users are logged into a remote computer.

Checking Who Is Logged-in

There are a few ways to do that but I’ve chosen to use the quser command. This is a non-PowerShell command but we can still just as easily use it from within PowerShell.

You can play around with this command by running it locally on your Windows computer to get an idea of the output.

However, we’ll be using PowerShell to parse this string output so you don’t have to worry about it in the first place!

The quser command also can query remote computers using the /server switch, however, I have chosen not to use this method because we now have the advantage of using PowerShell Remoting. Instead, we can run quser by itself on the remote computer.

Remote Logoff in PowerShell

Now that you know of how to find the logged in users, we now need to figure out how to log off a user. I’ve chosen to use the logoff command. The logoff command is another non-PowerShell command, but is easy enough to call from within a script.

In the example above, ‘abertram’ is logged into the remote computer in session 2. Using the logoff command, we simply need to pass the session ID to the command as an argument and it will dutifully log the user off as expected.

I can run quser again on the remote computer and we can now see that it has been logged off.

Remotely Logoff a Specific User

We now need to put these two commands together to allow us to specify a username rather than a session ID to log off a user account. To do that, we need to run quser, filter the output by username and then parse the session ID from that output sending it to the logoff command.

You can see above when Invoke-Command is running with the scriptblock created, it will detect the user logged in and immediately log them off. Pretty cool!

Automatically log off idle users in Windows

• Managing shared mailboxes in Office 365 with PowerShell — Thu, May 5 2016
• Managing shared mailboxes in Office 365 with the GUI — Wed, May 4 2016
• Installing and configuring the Enhanced Mitigation Experience Toolkit (EMET) — Wed, Mar 16 2016

Shared computer systems in areas such as reception desks, computer labs, and call centers can be brought to their knees very quickly if users lock the workstation and walk away when their shift ends. The next person sits down, clicks Switch User, logs in, and repeats the process all over. After enough users, there are enough random applications running in the background to slow the system to a crawl. So, how do you log off the idle sessions? Actually, it’s pretty easy with a free utility and a little Group Policy!

Non-recommended solutions ^

Before we get started, I’d like to address two of the ways I’ve seen suggested as a way to handle logging off idle user sessions. One solution that used to be popular is the winexit.scr screensaver included in the Windows NT Server 4.0 Resource Kit. A systems administrator can set the workstation’s screensaver to winexit.scr, and the user would be logged off when the screensaver activated.

This solution doesn’t take into account newer operating systems that include Fast User Switching. It also requires you to lengthen your screensaver activation time so you don’t accidentally log off a user who has gone on a break or lunch period. And, last but not least, getting this old utility to work correctly on newer OSs is just a pain. Do you really want to run something this old on your network if you don’t have to? Another is a Group Policy setting that a lot of people point to as a solution to this problem. The setting is located in Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits > Set time limit for disconnected sessions.

“Set time limit for disconnected sessions” policy (for RDS sessions only)

I’ve seen this setting recommended—a LOT—as a solution for logging off idle users. You can use it for logging off idle users on Remote Desktop Services (RDS, formerly Terminal Services). This session doesn’t work for physical computers that people are using at the console.

Computer-side Group Policy settings ^

To set up our solution, we’ll need to create a new Group Policy Object (GPO) in the Group Policy Management Console (GPMC). For multiuser computers, I usually like to create a new sub-Organizational Unit (OU) inside the original OU that contains all the other non-multiuser computers. This lets the multiuser computers get the same Group Policy as all of the other computers without forcing the “idle logoff” on every single computer.

Create new GPO in the Group Policy Management Console

Next, we’ll need to right-click the new GPO and choose Edit. Once you’re in the Group Policy Management Editor, you’ll need to go to Computer Configuration > Policies > Administrative Templates > System > Group Policy > Configure user Group Policy loopback processing mode. Enable the policy and set it to Merge. This will let us apply a user-side policy to computer objects in Active Directory. (I’ve written articles on loopback processing in Group Policy and common usage scenarios if you’d like more information.)

Configure user Group Policy loopback processing mode to Merge

Next, we’ll need to copy a small utility to the multiuser computers. Go and download idlelogoff.exe.

UPDATE: We removed the link to the website that hosts idlelogoff.exe is because the site is infected with malware. See comments below.

For demo purposes in this article, I’m going to put my copy into Active Directory’s Sysvol folder. For a production environment, you’ll probably want to do this from a file share. Just make sure that domain computers have at least read-only access to both the share and the file system.

IdleLogoff executable in the Sysvol folder

Go back to your GPO and go to Computer Configuration > Preferences > Windows Settings > Files. Right-click Files and choose New > File. In the Source File(s) section, select the IdleLogoff.exe that we put into \\domain.local\sysvol\domain.local\files\IdleLogoff\IdleLogoff.exe. Set the Destination File value to C:\Program Files\IdleLogoff\IdleLogoff.exe.

New File Properties to copy IdleLogoff.exe to computers

User-side Group Policy settings ^

Next, we’ll need to set our user-side Group Policy settings. Go to User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff). Double-click Logon on the right side of the window.

Logon/Logoff scripts in the Group Policy Management Editor

Click the Show Files button to open a new window where you can place the Logon script we’ll use.

Create a new batch file for a Logon script