Force authenticated user immediate logoff (emergency case)

security user-management active-directory windows-server-2012-r2

In Active Directory if you want to prevent a user from logging in you can either disable their account or simply reset their password. However, if you have a user who is already logged in to a workstation and you need to prevent them from accessing any resources as quickly as possible - how do you do it? I speak of an emergency situation in which a worker is fired with immediate effect and there is risk of them wreaking havoc if they are not locked out of the network immediately.

A few days ago I've been faced with a similar case. At first I was not sure how to act. Preventing user access to network shares is easy but this is not enough. Eventually, I switched the target computer off with the Stop-Computer -ComputerName <name> -Force PowerShell cmdlet and in my case this solved the issue. However, in some cases this might not be the best choice, say if the user you need to cut off is logged in on several workstations or on a computer which provides an important service and you just cannot switch it off.

What is the best possible solution to remotely force an immediate user logoff from all workstations? Is this even possible in Active Directory?


Best solution: A security guard escort the person out...

Second best solution:

  1. First, check the session number with qwinsta: QWINSTA /server:computername
  2. Write down the session ID.
  3. Then use the logoff command: LOGOFF sessionID /server:computername.
C:\>qwinsta /?
Display information about Remote Desktop Sessions.

QUERY SESSION [sessionname | username | sessionid]
              [/SERVER:servername] [/MODE] [/FLOW] [/CONNECT] [/COUNTER] [/VM]

  sessionname         Identifies the session named sessionname.
  username            Identifies the session with user username.
  sessionid           Identifies the session with ID sessionid.
  /SERVER:servername  The server to be queried (default is current).
  /MODE               Display current line settings.
  /FLOW               Display current flow control settings.
  /CONNECT            Display current connect settings.
  /COUNTER            Display current Remote Desktop Services counters information.
  /VM                 Display information about sessions within virtual machines.


C:\>logoff /?
Terminates a session.

LOGOFF [sessionname | sessionid] [/SERVER:servername] [/V] [/VM]

  sessionname         The name of the session.
  sessionid           The ID of the session.
  /SERVER:servername  Specifies the Remote Desktop server containing the user
                      session to log off (default is current).
  /V                  Displays information about the actions performed.
  /VM                 Logs off a session on server or within virtual machine. The unique ID of the session needs to be specified.

I wrote a rudimentary batch script for that. I requires some unixtools in the path as well as psexec.

@ECHO OFF
:: Script to log a user off a remote machine
::
:: Param 1: The machine
:: Param 2: The username

psexec \\%1 qwinsta | grep %2 | sed 's/console//' | awk '{print $2}' > %tmp%\sessionid.txt
set /p sessionid=< %tmp%\sessionid.txt
del /q %tmp%\sessionid.txt
psexec \\%1 logoff %sessionid% /v

Not entirely AD based, but should do what you want.

Disable or expire account

import-module activedirectory
set-aduser -identity "username" -accountexperationdate "12:09 pm"

or

set-aduser -identity "username" -enabled $false

Then log the user off of their machine

shutdown -m "\\computername" -l

Another way to log off the user is to use a built in windows utility, from an administrative command prompt

logoff 1 /SEVER:computername

This logs off session id 1 from the remote computer. If you don't know the session id (1 is default) then you can use quser against the remote machine to find it.


You can lock the user's session remotely with wmic:

1 - First, change the user password:

C:\> wmic /node:[IPaddr] /user:[Admin] /password:[password] process call
  create "net user [user] [NewPassword]"

2 - Then, disable the account:

C:\> wmic /node:[IPaddr] /user:[Admin] /password:[password] process call
  create "net user [user] /active:no"

3 - Then, disconnect the user session:

C:\> wmic /node:[IPaddr] /user:[Admin] /password:[password] process call
  create "tsdiscon"

This has an added value, since you will not loose the current user session and hence when you unlock the workstations you are going to be able to see if he was trying to do something nasty before being escorted to the door.

All credits to Command Line Kung Fu Blog. There's a bunch of crazy security/forensics related things in there!

UPDATE: The first two steps are intended for local users, in an active directory environment is actually easier, disable the account and change the password in AD, and then run the 3rd command against the malicious user IP address.

Related

Is there a way to clone an existing VM on an ESXi server without having to re-import it?
HAProxy reqrep remove URI on backend request
What are the performance differences between Raid 0,1,5,6,10
Why does the month argument range from 0 to 11 in JavaScript's Date constructor?
React Native - Image Require Module using Dynamic Names
How to get the text node of an element?
mcrypt is deprecated, what is the alternative?
bash regex with quotes?
How to pass data between fragments
Floating point division vs floating point multiplication
How can I get a hex dump of a string in PHP?
Python Pandas : group by in group by and average?