Force authenticated user immediate logoff (emergency case)
In Active Directory if you want to prevent a user from logging in you can either disable their account or simply reset their password. However, if you have a user who is already logged in to a workstation and you need to prevent them from accessing any resources as quickly as possible - how do you do it? I speak of an emergency situation in which a worker is fired with immediate effect and there is risk of them wreaking havoc if they are not locked out of the network immediately.
A few days ago I've been faced with a similar case. At first I was not sure how to act. Preventing user access to network shares is easy but this is not enough. Eventually, I switched the target computer off with the Stop-Computer -ComputerName <name> -Force
PowerShell cmdlet and in my case this solved the issue. However, in some cases this might not be the best choice, say if the user you need to cut off is logged in on several workstations or on a computer which provides an important service and you just cannot switch it off.
What is the best possible solution to remotely force an immediate user logoff from all workstations? Is this even possible in Active Directory?
Best solution: A security guard escort the person out...
Second best solution:
- First, check the session number with qwinsta: QWINSTA /server:computername
- Write down the session ID.
- Then use the logoff command: LOGOFF sessionID /server:computername.
C:\>qwinsta /? Display information about Remote Desktop Sessions. QUERY SESSION [sessionname | username | sessionid] [/SERVER:servername] [/MODE] [/FLOW] [/CONNECT] [/COUNTER] [/VM] sessionname Identifies the session named sessionname. username Identifies the session with user username. sessionid Identifies the session with ID sessionid. /SERVER:servername The server to be queried (default is current). /MODE Display current line settings. /FLOW Display current flow control settings. /CONNECT Display current connect settings. /COUNTER Display current Remote Desktop Services counters information. /VM Display information about sessions within virtual machines. C:\>logoff /? Terminates a session. LOGOFF [sessionname | sessionid] [/SERVER:servername] [/V] [/VM] sessionname The name of the session. sessionid The ID of the session. /SERVER:servername Specifies the Remote Desktop server containing the user session to log off (default is current). /V Displays information about the actions performed. /VM Logs off a session on server or within virtual machine. The unique ID of the session needs to be specified.
I wrote a rudimentary batch script for that. I requires some unixtools
in the path as well as psexec
.
@ECHO OFF
:: Script to log a user off a remote machine
::
:: Param 1: The machine
:: Param 2: The username
psexec \\%1 qwinsta | grep %2 | sed 's/console//' | awk '{print $2}' > %tmp%\sessionid.txt
set /p sessionid=< %tmp%\sessionid.txt
del /q %tmp%\sessionid.txt
psexec \\%1 logoff %sessionid% /v
Not entirely AD based, but should do what you want.
Disable or expire account
import-module activedirectory
set-aduser -identity "username" -accountexperationdate "12:09 pm"
or
set-aduser -identity "username" -enabled $false
Then log the user off of their machine
shutdown -m "\\computername" -l
Another way to log off the user is to use a built in windows utility, from an administrative command prompt
logoff 1 /SEVER:computername
This logs off session id 1 from the remote computer. If you don't know the session id (1 is default) then you can use quser against the remote machine to find it.
You can lock the user's session remotely with wmic:
1 - First, change the user password:
C:\> wmic /node:[IPaddr] /user:[Admin] /password:[password] process call
create "net user [user] [NewPassword]"
2 - Then, disable the account:
C:\> wmic /node:[IPaddr] /user:[Admin] /password:[password] process call
create "net user [user] /active:no"
3 - Then, disconnect the user session:
C:\> wmic /node:[IPaddr] /user:[Admin] /password:[password] process call
create "tsdiscon"
This has an added value, since you will not loose the current user session and hence when you unlock the workstations you are going to be able to see if he was trying to do something nasty before being escorted to the door.
All credits to Command Line Kung Fu Blog. There's a bunch of crazy security/forensics related things in there!
UPDATE: The first two steps are intended for local users, in an active directory environment is actually easier, disable the account and change the password in AD, and then run the 3rd command against the malicious user IP address.