Active Directory Security – Force Immediate Logoff for Authenticated Users

Tags: active-directory, security, user-management, windows-server-2012-r2

In Active Directory if you want to prevent a user from logging in you can either disable their account or simply reset their password. However, if you have a user who is already logged in to a workstation and you need to prevent them from accessing any resources as quickly as possible – how do you do it? I speak of an emergency situation in which a worker is fired with immediate effect and there is risk of them wreaking havoc if they are not locked out of the network immediately.

A few days ago I was faced with a similar case. At first I was not sure how to act. Preventing user access to network shares is easy, but this is not enough. Eventually, I switched the target computer off with the Stop-Computer -ComputerName <name> -Force PowerShell cmdlet, and in my case this solved the issue. However, in some cases this might not be the best choice, say if the user you need to cut off is logged in on several workstations or on a computer which provides an important service and you just cannot switch it off.

What is the best possible solution to remotely force an immediate user logoff from all workstations? Is this even possible in Active Directory?

Best Answer

Best solution: A security guard escorts the person out...

Second best solution:

  1. First, check the session number with qwinsta: QWINSTA /server:computername
  2. Write down the session ID.
  3. Then use the logoff command: LOGOFF sessionID /server:computername.
C:\>qwinsta /?
Display information about Remote Desktop Sessions.

QUERY SESSION [sessionname | username | sessionid]
              [/SERVER:servername] [/MODE] [/FLOW] [/CONNECT] [/COUNTER] [/VM]

  sessionname         Identifies the session named sessionname.
  username            Identifies the session with user username.
  sessionid           Identifies the session with ID sessionid.
  /SERVER:servername  The server to be queried (default is current).
  /MODE               Display current line settings.
  /FLOW               Display current flow control settings.
  /CONNECT            Display current connect settings.
  /COUNTER            Display current Remote Desktop Services counters information.
  /VM                 Display information about sessions within virtual machines.


C:\>logoff /?
Terminates a session.

LOGOFF [sessionname | sessionid] [/SERVER:servername] [/V] [/VM]

  sessionname         The name of the session.
  sessionid           The ID of the session.
  /SERVER:servername  Specifies the Remote Desktop server containing the user
                      session to log off (default is current).
  /V                  Displays information about the actions performed.
  /VM                 Logs off a session on server or within virtual machine. The unique ID of the session needs to be specified.

I wrote a rudimentary batch script for that. It requires some Unix tools in the path as well as PsExec.

@ECHO OFF
:: Script to log a user off a remote machine
::
:: Param 1: The machine
:: Param 2: The username
::
:: Needs PsExec and the Unix tools grep and awk in the PATH.
:: cmd.exe does not treat single quotes as quoting, so the awk program
:: is wrapped in double quotes (the Windows C runtime splits on those).

:: qwinsta columns are SESSIONNAME USERNAME ID STATE TYPE DEVICE, but
:: SESSIONNAME is blank for disconnected sessions and TYPE/DEVICE are
:: often missing, so the ID is taken as the first all-digit field rather
:: than a fixed column. grep -w avoids matching "bob" inside "bobby".
psexec \\%1 qwinsta | grep -w %2 | awk "{ for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit } }" > %tmp%\sessionid.txt
set /p sessionid=< %tmp%\sessionid.txt
del /q %tmp%\sessionid.txt
psexec \\%1 logoff %sessionid% /v
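The same qwinsta/logoff procedure, driven from PowerShell so that it covers the "logged in on several workstations" case from the question. This is an added example, not code from the answer above. It assumes the targets accept Remote Desktop Services RPC from the machine you run it on (qwinsta /server fails with "Error 5 getting session names" otherwise), that qwinsta prints its English column headers, and the computer and user names are placeholders. The parser is fed a constructed block of qwinsta output so it can be checked offline.

```powershell
# Added example, not part of the original answer. Logs a user off every
# session on a list of computers by driving qwinsta/logoff from PowerShell.
# Assumptions: targets accept Remote Desktop Services RPC from this host,
# qwinsta prints English headers, and host/user names are placeholders.

function ConvertFrom-QwinstaOutput {
    # Turns qwinsta's fixed-width text into objects. Splitting on whitespace
    # alone is ambiguous: SESSIONNAME is blank for disconnected sessions and
    # USERNAME is blank for listeners and services. So the USERNAME column
    # offset is read from the header line, and the session ID is the first
    # all-digit token to the right of that offset.
    param([string[]]$Lines)

    $header = $Lines | Where-Object { $_ -match '^\s*SESSIONNAME\s+USERNAME' } | Select-Object -First 1
    if (-not $header) { return }
    $userCol = $header.IndexOf('USERNAME')

    foreach ($line in $Lines) {
        if ($line -eq $header -or $line.Length -le $userCol) { continue }
        # A leading '>' marks the session qwinsta itself is running in.
        $sessionName = $line.Substring(0, $userCol).TrimStart('>').Trim()
        $rest = $line.Substring($userCol).Trim() -split '\s+'
        $idIndex = -1
        for ($i = 0; $i -lt $rest.Count; $i++) {
            if ($rest[$i] -match '^\d+$') { $idIndex = $i; break }
        }
        if ($idIndex -lt 0) { continue }
        $userName = if ($idIndex -gt 0) { $rest[0..($idIndex - 1)] -join ' ' } else { '' }
        $state    = if ($idIndex + 1 -lt $rest.Count) { $rest[$idIndex + 1] } else { '' }
        [pscustomobject]@{
            SessionName = $sessionName
            UserName    = $userName
            Id          = [int]$rest[$idIndex]
            State       = $state
        }
    }
}

function Invoke-EmergencyLogoff {
    # Logs off every session of $UserName on each computer, including
    # disconnected ("Disc") sessions, which the user could otherwise reconnect to.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string[]]$ComputerName
    )
    foreach ($computer in $ComputerName) {
        $raw = & qwinsta.exe /server:$computer 2>&1
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "${computer}: qwinsta failed: $raw"
            continue
        }
        $sessions = ConvertFrom-QwinstaOutput -Lines $raw | Where-Object { $_.UserName -eq $UserName }
        foreach ($s in $sessions) {
            if ($PSCmdlet.ShouldProcess("$computer session $($s.Id) ($($s.State))", "log off $UserName")) {
                & logoff.exe $s.Id /server:$computer /v
                [pscustomobject]@{ Computer = $computer; SessionId = $s.Id; State = $s.State; ExitCode = $LASTEXITCODE }
            }
        }
    }
}

# Constructed qwinsta output (not captured from a real host) to exercise the
# parser offline: a service session, the console, an RDP session of another
# user, a disconnected session of the same user, and the RDP listener.
$sample = @'
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
>console           jdoe                      1  Active
 rdp-tcp#3         asmith                    2  Active  rdpwd
                   jdoe                      3  Disc
 rdp-tcp                                 65536  Listen
'@ -split "`r?`n"
ConvertFrom-QwinstaOutput -Lines $sample | Where-Object { $_.UserName -eq 'jdoe' }

# Real use across several workstations (placeholder names); drop -WhatIf to act:
# Invoke-EmergencyLogoff -UserName jdoe -ComputerName ws01, ws02, fileserver01 -WhatIf
```

Run it with -WhatIf first to see which sessions would be ended. Ending the sessions does not by itself stop the user from logging in again, so disable the account or reset the password first, as the question notes. If qwinsta /server fails with "Error 5 getting session names", the target is refusing remote RPC for Remote Desktop Services; setting the AllowRemoteRPC value under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server to 1 on the target enables it, at which point the psexec route in the batch script above is no longer needed.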