Darren Lloyd was kind enough to provide his solution for a ConfigMgr 2007 reboot script. This script reboots the computer if no user is logged in. If a user is logged in, it prevents new applications from launching and removes the "log off" button. These restrictions are removed after a reboot.
In his own words:
Here's the reboot script for you. What I did was create a ConfigMgr package that ran on all Desktops that ran a script to create the scheduled task and copied the required files to C:\Temp\ISReboot and hid the folder.
There are some reg files and subinacl required to get the permissions sorted out. But since the scheduled task runs as the System account it has permissions to modify the user policies key in the registry, which it discovers by getting the owner of the explorer.exe process and then using the SID of that user account. Then it puts a run once key in the registry to remove the software restriction policy and put back the log off button. I wrote this a long time ago – I could probably do it better now, but it works 🙂
Basically, what is required is this:
1. Copy all the files to C:\Temp\ISReboot
2. Run the createtask.cmd to create the scheduled task. This will run reboot.vbs at 01:00 every Thursday, which will do the following:
- Check the owner of the Explorer.exe process
- If no user account owns the process, the script reboots the box and exits
- If a user account owns the process, the script logs the user name to a text file, then adds software restriction policies to the registry that will prevent the logged-on user from launching any new applications, adds some runonce keys to the registry to remove these restrictions after a reboot, and displays a message telling the user what is going on.
This task has been running in production at one of my clients for years now with no issues. If users cannot reboot to remove the software restrictions we just had them go to a script on the network that would remove those reg keys and unlock their system.
/ Johan
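The owner check and reboot-or-restrict decision described above, sketched in PowerShell as an added example (this is not Darren's reboot.vbs). The log file name, the exact per-user policy path and the `-Apply` switch are assumptions; without `-Apply` the script only reports what it would do, and it also covers the case of several logged-on users.

```powershell
# Added illustration, not the original reboot.vbs. Intended to run as SYSTEM
# from the scheduled task. Without -Apply nothing is changed on the machine.
param(
    [switch]$Apply,
    [string]$LogFile = 'C:\Temp\ISReboot\users.log'   # file name is an assumption
)

function Get-ExplorerOwner {
    # Emit one object per explorer.exe process whose owner can be resolved.
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'explorer.exe'" |
        ForEach-Object {
            $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
            $sid   = Invoke-CimMethod -InputObject $_ -MethodName GetOwnerSid
            if ($owner.ReturnValue -eq 0 -and $sid.ReturnValue -eq 0) {
                [pscustomobject]@{
                    User = '{0}\{1}' -f $owner.Domain, $owner.User
                    Sid  = $sid.Sid
                }
            }
        }
}

# Several explorer.exe processes can exist (fast user switching, RDP sessions),
# so collapse them to one entry per SID.
$owners = @(Get-ExplorerOwner | Sort-Object -Property Sid -Unique)

if ($owners.Count -eq 0) {
    Write-Output 'No user owns explorer.exe: reboot.'
    if ($Apply) { Restart-Computer -Force }
    return
}

foreach ($o in $owners) {
    # Per-user hive as seen by SYSTEM. The Policies subkey is an assumption
    # about where the original script writes its restrictions.
    $hive      = "Registry::HKEY_USERS\$($o.Sid)"
    $policyKey = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies"
    $loaded    = Test-Path -LiteralPath $hive

    $line = '{0:s} {1} {2} hiveLoaded={3}' -f (Get-Date), $o.User, $o.Sid, $loaded
    Write-Output "$line -> restrictions would be written under $policyKey"
    if ($Apply) { Add-Content -LiteralPath $LogFile -Value $line }
}
```

Because the task runs as SYSTEM and writes into another user's hive, logging the resolved SID before any change gives an audit trail of which account was restricted and when.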