
In Active Directory if you want to prevent a user from logging in you can either disable their account or simply reset their password. However, if you have a user who is already logged in to a workstation and you need to prevent them from accessing any resources as quickly as possible - how do you do it? I speak of an emergency situation in which a worker is fired with immediate effect and there is risk of them wreaking havoc if they are not locked out of the network immediately.

A few days ago I was faced with a similar case. At first I was not sure how to act. Preventing user access to network shares is easy but this is not enough. Eventually, I switched the target computer off with the `Stop-Computer -ComputerName <name> -Force` PowerShell cmdlet and in my case this solved the issue. However, in some cases this might not be the best choice, say if the user you need to cut off is logged in on several workstations or on a computer which provides an important service and you just cannot switch it off.

What is the best possible solution to remotely force an immediate user logoff from all workstations? Is this even possible in Active Directory?

Erathiel
    Good question, and I'm interested in seeing the answers. However, in a situation like this, wouldn't the terminated employee be with an HR escort 100% of the time from when they receive the news of their termination until they're escorted from the building? – EEAA Feb 14 '14 at 16:42
  • Yeah, sure they should be. I am, however, interested in solving this issue Active Directory-wise :) – Erathiel Feb 14 '14 at 16:48
  • Call security and have them physically go to the location of the person and remove them? If they are outside of your network, block them on your firewall? Use your powershell script to kill any processes on all your computers that is running with that users account. – Zoredache Feb 14 '14 at 17:32

4 Answers


Best solution: A security guard escorts the person out...

Second best solution:

  1. First, check the session number with qwinsta: QWINSTA /server:computername
  2. Write down the session ID.
  3. Then use the logoff command: LOGOFF sessionID /server:computername.
C:\>qwinsta /?
Display information about Remote Desktop Sessions.

QUERY SESSION [sessionname | username | sessionid]
              [/SERVER:servername] [/MODE] [/FLOW] [/CONNECT] [/COUNTER] [/VM]

  sessionname         Identifies the session named sessionname.
  username            Identifies the session with user username.
  sessionid           Identifies the session with ID sessionid.
  /SERVER:servername  The server to be queried (default is current).
  /MODE               Display current line settings.
  /FLOW               Display current flow control settings.
  /CONNECT            Display current connect settings.
  /COUNTER            Display current Remote Desktop Services counters information.
  /VM                 Display information about sessions within virtual machines.


C:\>logoff /?
Terminates a session.

LOGOFF [sessionname | sessionid] [/SERVER:servername] [/V] [/VM]

  sessionname         The name of the session.
  sessionid           The ID of the session.
  /SERVER:servername  Specifies the Remote Desktop server containing the user
                      session to log off (default is current).
  /V                  Displays information about the actions performed.
  /VM                 Logs off a session on server or within virtual machine. The unique ID of the session needs to be specified.

I wrote a rudimentary batch script for that. It requires some Unix tools in the path as well as psexec.

@ECHO OFF
:: Script to log a user off a remote machine
::
:: Param 1: The machine
:: Param 2: The username
::
:: Needs psexec and a Unix-style awk (e.g. GnuWin32) in the PATH. cmd.exe does
:: not treat single quotes as quoting, so the awk program is double-quoted.
:: qwinsta columns are SESSIONNAME USERNAME ID STATE; SESSIONNAME is blank for
:: disconnected sessions, so the ID is taken as the field right after the username.

set sessionid=
psexec \\%1 qwinsta | awk -v u=%2 "{for (i=1; i<=NF; i++) if ($i == u) {print $(i+1); exit}}" > %tmp%\sessionid.txt
set /p sessionid=< %tmp%\sessionid.txt
del /q %tmp%\sessionid.txt
if "%sessionid%"=="" (echo No session for %2 on %1 & exit /b 1)
psexec \\%1 logoff %sessionid% /v
ETL
    Is it possible to combine these two commands into an automated batch / powershell file? It could be very useful to just run a quick script to logout all sessions. – EtherDragon Feb 14 '14 at 19:29
    Is it possible to obtain a list of all the computers a user is connected to? – NothingsImpossible Feb 15 '14 at 00:29
  • @NothingsImpossible - the way I find this out is by looking at my file server, as users have profiles redirected to a server, I look there for open file share sessions. – ETL Feb 19 '14 at 18:25
  • @NothingsImpossible I tend to achieve that using [psloggedon](https://technet.microsoft.com/en-us/sysinternals/bb897545.aspx) – BE77Y Mar 16 '15 at 17:38

Not entirely AD based, but should do what you want.

Disable or expire account

Import-Module ActiveDirectory
Set-ADUser -Identity "username" -AccountExpirationDate "12:09 pm"

or

set-aduser -identity "username" -enabled $false

Then log the user off of their machine

shutdown -m "\\computername" -l

Another way to log off the user is to use a built in windows utility, from an administrative command prompt

logoff 1 /SERVER:computername

This logs off session id 1 from the remote computer. If you don't know the session id (1 is default) then you can use quser against the remote machine to find it.

David V
  • That will shutdown the machine, not log the user out, though, which is what the question was. – slybloty Feb 14 '14 at 17:48
    Please don't get me wrong but your answer is precisely what I did not want and I have included all that in my question: disabling/expiring the account or changing password does not force the user logoff, it merely prevents them from logging in which is of no use in the case described in the OP. – Erathiel Feb 14 '14 at 18:00
    The `shutdown` command by default does not actually shut down, but [_logs off the user_](http://technet.microsoft.com/en-us/library/bb491003.aspx). – Michael Hampton Feb 14 '14 at 18:18
  • Added an alternative method to log the user off, let me know if this is more akin to what you're looking for. Edit: Didn't see ETL's answer, so gave him +1 for beating me to the punch. – David V Feb 14 '14 at 18:33
    Policy at my work typically goes like this: person is called to a "meeting" (termination), while at the meeting, the account is disabled and the session logged out remotely (desktops all have secured VNC servers installed). – Avery Payne Feb 14 '14 at 22:05
  • This is all very reasonable, especially the thing about a termination meeting (which gives the admin some time to take action) but the thing I was most interested in was if it is possible to solve the issue using AD tools. I'll test the answers soon to see if they really work :) – Erathiel Feb 18 '14 at 11:37
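An added example, not code from ETL's or David V's answers, that scripts the two steps those two answers describe: disable the account with Set-ADUser, then log the user's interactive sessions off a list of workstations with quser and logoff (quser uses the same Remote Desktop Services RPC as qwinsta, so either works for discovery). It assumes the ActiveDirectory module and domain admin rights, that the targets accept remote session queries (on Vista and later workstations the registry value HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AllowRemoteRPC must be 1, otherwise quser fails with "Error 5 getting session names"), and that you supply the computer list yourself, for instance from your file server's open sessions or psloggedon as the comments suggest. The parameter names and the parsing helper are mine, not anything from the thread.

```powershell
<#
Logoff-User.ps1 (added example). Disables an AD account and then logs the
user's sessions off every listed workstation. Run with -WhatIf first.
Assumptions: ActiveDirectory module, admin rights on the targets, and
AllowRemoteRPC=1 on the targets so quser can query them remotely.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string]   $UserName,
    [Parameter(Mandatory)] [string[]] $ComputerName,
    [switch] $SkipAccountDisable
)

# Parse one data line of `quser /server:<host>`. Columns are
# USERNAME SESSIONNAME ID STATE IDLE LOGON; SESSIONNAME is blank for a
# disconnected session, so the ID is located as the first all-digit field
# after the username instead of by fixed column position.
function ConvertFrom-QuserLine {
    param([string] $Line, [string] $Computer)
    $f = $Line.Trim().TrimStart('>') -split '\s+'   # '>' marks the caller's own session
    if ($f.Count -lt 3) { return $null }
    $idx = if ($f[1] -match '^\d+$') { 1 } else { 2 }
    if ($f[$idx] -notmatch '^\d+$') { return $null }
    [pscustomobject]@{
        ComputerName = $Computer
        UserName     = $f[0]
        SessionId    = [int]$f[$idx]
        State        = $f[$idx + 1]
    }
}

function Get-UserSession {
    param([string] $UserName, [string] $Computer)
    # quser exits non-zero and prints "No User exists for *" when nobody is
    # logged on; treat that as zero sessions rather than as a failure.
    $out = & quser "/server:$Computer" 2>$null
    if ($LASTEXITCODE -ne 0 -or -not $out) { return }
    $out | Select-Object -Skip 1 |                       # drop the header row
        ForEach-Object { ConvertFrom-QuserLine -Line $_ -Computer $Computer } |
        Where-Object { $_ -and $_.UserName -ieq $UserName }
}

# 1. Stop new logons first, so the user cannot simply sign back in afterwards.
if (-not $SkipAccountDisable -and $PSCmdlet.ShouldProcess($UserName, 'Disable AD account')) {
    Import-Module ActiveDirectory
    Set-ADUser -Identity $UserName -Enabled $false
}

# 2. Terminate the sessions that already exist on the listed machines.
$sessions = foreach ($c in $ComputerName) { Get-UserSession -UserName $UserName -Computer $c }
if (-not $sessions) {
    Write-Warning "No session for $UserName found on: $($ComputerName -join ', ')"
    return
}
foreach ($s in $sessions) {
    $target = "$($s.ComputerName) session $($s.SessionId) ($($s.State))"
    if ($PSCmdlet.ShouldProcess($target, "logoff $($s.UserName)")) {
        & logoff $s.SessionId "/server:$($s.ComputerName)" /v
    }
}
```

`.\Logoff-User.ps1 -UserName jdoe -ComputerName ws01,ws02 -WhatIf` lists what would be disabled and logged off without touching anything; drop `-WhatIf` to act. The account is disabled before the sessions are killed so that the order of events cannot leave a window in which the user logs straight back in. `logoff` ends interactive sessions only; network sessions the user already holds on file servers are outside its scope.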

You can lock the user's session remotely with wmic:

1 - First, change the user password:

C:\> wmic /node:[IPaddr] /user:[Admin] /password:[password] process call create "net user [user] [NewPassword]"

2 - Then, disable the account:

C:\> wmic /node:[IPaddr] /user:[Admin] /password:[password] process call create "net user [user] /active:no"

3 - Then, disconnect the user session:

C:\> wmic /node:[IPaddr] /user:[Admin] /password:[password] process call create "tsdiscon"

This has an added value, since you will not lose the current user session and hence when you unlock the workstations you are going to be able to see if he was trying to do something nasty before being escorted to the door.

All credits to Command Line Kung Fu Blog. There's a bunch of crazy security/forensics related things in there!

UPDATE: The first two steps are intended for local users; in an Active Directory environment it is actually easier: disable the account and change the password in AD, and then run the 3rd command against the malicious user's IP address.

Gabriel Talavera
    Unfortunately the command `wmic..."tsdiscon"` [only works on XP](http://blog.commandlinekungfu.com/2009/05/episode-35-remotely-locking-out-user.html). In Vista+ this command cannot disconnect the Console session. – I say Reinstate Monica Mar 09 '17 at 22:12

Just change the logon hours to logon denied for all hours in the user properties. That will immediately log them out of where ever they are logged in.