Session Arbiter

Surprisingly, Windows has no built-in mechanism for setting time limits on local logon sessions. It also can’t be configured to log off a user when a laptop lid is closed, unless you want to shut down completely. Session Arbiter fixes these problems.

While Windows Server is able to impose time limits on logons that use Remote Desktop Services, the same doesn’t apply to local console logons on workstations. Session Arbiter aims to reproduce that functionality for use on Windows Vista and Windows 7, allowing for more controlled management of workstation logons in multiple-user environments.

Session Arbiter also provides another missing behaviour: logging off the user when the lid is closed on a laptop. Windows allows for one of several actions to be taken when the lid is closed on a laptop: Sleep, Hibernate, or Shut Down. While shutting down will cause the user to be logged off, there is no built-in option to log off and then sleep or hibernate (or to just log off with no following change to the power state).

Free download from GitHub

Session Arbiter is an open-source project hosted on GitHub.

You can see full details and download the software at github.com/jschlackman/SessionArbiter

Key Features

  • Allows administrators to configure automatic logoff of local user sessions, depending on their state.
  • Allows administrators to configure a laptop to log off the local user when the lid is closed.
  • Windows Installer provided, compatible with Group Policy Software Deployment, which allows administrators to automatically install software on workstations.

About

One of the key features of Windows Vista and Windows 7 when joined to a domain is that they allow the use of Fast User Switching, which with Windows XP was only available for non-domain workstations.

The ability for multiple domain users to share a workstation without having to log each other off was a key consideration of moving to a Windows 7 network when I performed a site migration away from Windows XP in 2010. Most schools have a requirement that staff computer accounts are never left unattended due to the risk of misuse. Previously, users would either have to log off before they stepped away from a workstation, or lock the computer, rendering it unavailable to other users. With Windows 7, users encountering a locked workstation can simply click the Switch User button and log on with their own account, while the original account stays logged on in the background.

The problem that arises from the ability to have multiple accounts logged on is that users frequently forget that they are logged on once a second user begins using the workstation. When the most recent user logs off, the Windows login screen does not show any indication that other users are still logged in. This created a situation where many shared workstations would be left with disconnected user sessions consuming memory and CPU resources.

In cases where someone used a particular workstation infrequently, these stale login sessions could persist for weeks, only being cleared when another user manually shut down or restarted the workstation. They would also block required restarts for Windows Automatic Updates, since workstations were configured not to reboot while a user was logged on (in order to prevent work being interrupted).

The ability to impose time limits on user sessions, in particular those sessions treated as ‘disconnected’ (logged on but not in use), is built in to Windows Server in order to manage RDS logon sessions. However, despite Fast User Switching in Windows Vista and Windows 7 being built on the same foundation as RDS, configuring these settings has no effect on local console sessions.

Session Arbiter reproduces these same administrator-controlled limits and allows them to be applied to local user sessions, so that forgotten logins can be automatically cleared, leading to better workstation performance and more timely installation of updates.
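
To audit how many forgotten sessions a workstation is carrying, the following added example (not part of Session Arbiter or the original page) parses the output of the built-in quser command and reports disconnected sessions idle beyond a limit. The function names are hypothetical, the sample lines are constructed, and English-locale quser output is assumed.

```powershell
# Added example: report disconnected sessions idle longer than a limit.
# Assumes English-locale quser output ('Disc' state, column order as in the sample).

function ConvertTo-IdleMinutes {
    param([string]$Idle)
    # quser prints 'none' or '.' for no idle time, otherwise M, H:MM or D+H:MM.
    if ('none', '.' -contains $Idle) { return 0 }
    if ($Idle -match '^(?:(?<d>\d+)\+)?(?:(?<h>\d+):)?(?<m>\d+)$') {
        # Groups that did not take part in the match are $null, which casts to 0.
        return ([int]$Matches['d'] * 1440) + ([int]$Matches['h'] * 60) + [int]$Matches['m']
    }
    throw "Unrecognised idle time: $Idle"
}

function Get-StaleDisconnectedSession {
    param([string[]]$QuserLines, [int]$LimitMinutes = 60)
    # SESSIONNAME is blank for disconnected sessions, so that column is optional.
    $pattern = '^[ >]?(?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+' +
               '(?<state>\S+)\s+(?<idle>\S+)\s+(?<logon>.+)$'
    foreach ($line in ($QuserLines | Select-Object -Skip 1)) {   # skip header row
        if ($line -match $pattern) {
            # Copy the captures before the helper runs its own -match.
            $user  = $Matches['user']
            $id    = [int]$Matches['id']
            $state = $Matches['state']
            $idle  = $Matches['idle']
            if ($state -ne 'Disc') { continue }
            $minutes = ConvertTo-IdleMinutes $idle
            if ($minutes -ge $LimitMinutes) {
                New-Object PSObject -Property @{
                    User = $user; SessionId = $id; IdleMinutes = $minutes
                }
            }
        }
    }
}

# Constructed sample of quser output (not captured from a real host).
$sample = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME'
    '>alice                 console             1  Active      none   3/4/2024 8:01 AM'
    ' bob                                       2  Disc      2+03:15  3/1/2024 4:47 PM'
    ' carol                                     3  Disc           12  3/4/2024 7:40 AM'
)

Get-StaleDisconnectedSession -QuserLines $sample -LimitMinutes 60 |
    Format-Table User, SessionId, IdleMinutes -AutoSize
```

On a live workstation, pass `(quser 2>$null)` as `-QuserLines` instead of the sample.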

Another problem that frequently occurs in shared workstation environments is the issue of users not fully logging off from loan pool laptops, such as those used in school and university libraries and resource centres. In these scenarios, users may forget to log off when returning a laptop to storage, or will begin logging off but then close the lid before it completes. This can cause the user’s roaming profile to not be saved, and on Windows 7, can cause an issue where subsequent users may encounter an error message and be unable to log on.

Session Arbiter can be configured to monitor for a lid closure event, and then log off the user before putting the laptop into Sleep or Hibernate. This ensures that users are always logged off when they return a loan laptop to storage (preventing account misuse by the next borrower), and helps ensure that roaming profiles are synchronised correctly, as the laptop will not turn off and disconnect from the network part-way through the logoff.