Automatic Sign-out for idle users

This quick guide is to create a script in powershell to sign out inactive users after a set amount of time. This process needs to be done in the Admin’s session and will work for every user in the cloud computer. In this case we will set it to disconnect idle users after 10 minutes (600 seconds). You can change the inactivity limit to another amount of seconds ([int]$TimeLimitSeconds = n).

Step 1: Create the PowerShell Script

1. On the cloud computer (or server), open Notepad.
   
    
2. Paste this script in Notepad:

<#

.SYNOPSIS

Logs off users who have been idle or disconnected longer than a specified threshold.

Supports remote execution and skips protected accounts.

.PARAMETER ComputerName

The target computer/VM where sessions exist. Default is localhost.

.PARAMETER TimeLimitSeconds

Idle/disconnected threshold in seconds. Default is 600 (10 minutes).

.PARAMETER Credential

Optional PSCredential object for remote execution or scheduled task.

#>

param(

    [string]$ComputerName = "localhost",

    [int]$TimeLimitSeconds = 600,

    [PSCredential]$Credential = $null,

    [switch]$EnableDebug = $false

)

# List of users to skip

$skipUsers = @("administrator")

# Get session list from target computer

$query = if ($ComputerName -eq "localhost") {

    quser 2>$null

} else {

    Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock { quser } 2>$null

}

if ($query) {

    $query | Select-Object -Skip 1 | ForEach-Object {

        # Parse with regex (works with optional session name)

        if ($_ -match "^\s*(\S+)\s+(\S*)\s+(\d+)\s+(\S+)\s+(.+?)\s+(\d+/\d+/\d+\s+\d+:\d+\s+[AP]M)\s*$") {

            $user        = $matches[1]

            $sessionName = $matches[2]

            $sessionId   = $matches[3]

            $state       = $matches[4]

            $idleRaw     = $matches[5].Trim()

            $logonRaw    = $matches[6]

            # Skip protected users

            if ($skipUsers -contains $user) {

                if ($EnableDebug) { Write-Host "Skipping protected account $user" }

                return

            }

            $idleSeconds = 0

            $discSeconds = 0

            if ($EnableDebug) {

                Write-Host "DEBUG: User='$user' SessionId='$sessionId' State='$state' IdleRaw='$idleRaw' LogonRaw='$logonRaw'"

            }

            # --- Active sessions ---

            if ($state -eq "Active") {

                if ($idleRaw -eq ".") { $idleSeconds = 0 }

                elseif ($idleRaw -match "(\d+)\+(\d+):(\d+)") {

                    $days = [int]$matches[1]; $hours = [int]$matches[2]; $mins = [int]$matches[3]

                    $idleSeconds = ($days*86400)+($hours*3600)+($mins*60)

                }

                elseif ($idleRaw -match "(\d+):(\d+)") {

                    $hours = [int]$matches[1]; $mins = [int]$matches[2]

                    $idleSeconds = ($hours*3600)+($mins*60)

                }

                elseif ($idleRaw -match "^\d+$") { $idleSeconds = [int]$idleRaw*60 }

                if ($EnableDebug) { Write-Host "DEBUG: Active idleSeconds=$idleSeconds" }

            }

            # --- Disconnected sessions ---

            if ($state -eq "Disc") {

                try {

                    $logonTime = [datetime]::Parse($logonRaw)

                    $discSeconds = (New-TimeSpan -Start $logonTime -End (Get-Date)).TotalSeconds

                } catch { $discSeconds = 0 }

                if ($EnableDebug) { Write-Host "DEBUG: Disconnected discSeconds=$discSeconds" }

            }

            # --- Decide to logoff ---

            if ($idleSeconds -ge $TimeLimitSeconds -or $discSeconds -ge $TimeLimitSeconds) {

                Write-Host "ACTION: Logging off $user (Session $sessionId, State=$state)"

                try {

                    if ($ComputerName -eq "localhost") {

                        logoff $sessionId

                    } else {

                        Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock { param($s) logoff $s } -ArgumentList $sessionId

                    }

                    Write-Host "SUCCESS: Logged off session $sessionId"

                } catch {

                    Write-Warning "FAILED: Could not log off session $sessionId. Check privileges or connection."

                }

            } elseif ($EnableDebug) {

                Write-Host "DEBUG: Session $sessionId skipped (Idle=$idleSeconds, Disc=$discSeconds)"

            }

        } else {

            if ($EnableDebug) { Write-Host "DEBUG: Could not parse line: $_" }

        }

    }

}

3.   Go to File > Save As:

• File name: LogoffInactiveUsers.ps1
  
   
• Save as type: All Files
  
   
• Location: Save it to C:\Scripts (create the folder if needed)

Step 2: Automate It (Using Task Scheduler)

1. Open Task Scheduler (search it in Start).
   
    
2. Click Create Task on the right.
   
    
3. Under General:
   
    
   • Name: Log off inactive users
     
      
   • Select: Run with highest privileges
     
      
4. Go to Triggers tab → Click New:
   
    
   • Begin the task: On a schedule
     
      
   • Choose Daily.
   • Check Repeat task every: 5 minutes for a duration of: Indefinitely
     
      
5. Go to Actions tab → Click New:
   
    
   • Action: Start a program
     
      
   • Program/script: powershell.exe
     
      
   • Add arguments:

-ExecutionPolicy Bypass -File "C:\Scripts\LogoffInactiveUsers.ps1"

6. Click OK.