Server 2016 and 2012R2 Remotely Logoff A Rogue Domain User For Security Video Tutorial


  Sometimes a user in a domain may go rogue and needs to be removed from the domain immediately. This video shows how to find which computer the user is using and then log off the user immediately. It also shows how to disable that user to prevent the user from logging back in. This method is done remotely, so one does not have to be next to the user.

To download PSTools: https://technet.microsoft.com/en-us/sysinternals/dd443648.aspx

The commands in PowerShell:

    .\psloggedon64 USERNAME
    QWINSTA /server:COMPUTERNAME
    LOGOFF IDNUMBER /server:COMPUTERNAME

Please watch the video to see the above (to translate, click the Subtitle box in the YouTube video and then click Settings and language, as in this picture):

[Picture: YouTube subtitle settings]
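The three commands above, wrapped into one PowerShell function so the order the video follows (locate the user, disable the account, then kill the live session) is enforced and the session ID is parsed from QWINSTA instead of read by eye. This is an added example, not code from the video or from PSTools; the function and parameter names are assumptions, and it assumes PSTools is extracted locally, the ActiveDirectory module (RSAT) is installed, and Remote Registry is enabled on the target by GPO as the video describes.

```powershell
# Added example: automates the psloggedon64 / QWINSTA / LOGOFF / disable-account steps.
# Assumed names: Get-UserSessionId, Invoke-RogueUserLogoff, -User, -Computer, -PsToolsPath.
Import-Module ActiveDirectory

function Get-UserSessionId {
    # Runs QWINSTA against the target and returns the numeric session ID for $User,
    # or $null if that user has no session there (or the query was refused).
    param([string]$User, [string]$Computer)
    $lines = & qwinsta.exe "/server:$Computer" 2>$null
    # Columns: SESSIONNAME USERNAME ID STATE; SESSIONNAME is empty for disconnected
    # sessions and the current one is prefixed with '>', so both are optional here.
    $pattern = '^\s*>?\S*\s+' + [regex]::Escape($User) + '\s+(\d+)\s+(\w+)'
    foreach ($line in $lines) {
        if ($line -match $pattern) { return [int]$Matches[1] }
    }
    return $null
}

function Invoke-RogueUserLogoff {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$Computer,
        [string]$PsToolsPath = "$env:USERPROFILE\Desktop\PSTools"
    )
    # 1. Show where the user is logged on (same call as the video: .\psloggedon64 USERNAME).
    & (Join-Path $PsToolsPath 'psloggedon64.exe') $User

    # 2. Disable the account first so the user cannot simply log back on.
    if ($PSCmdlet.ShouldProcess($User, 'Disable-ADAccount')) {
        Disable-ADAccount -Identity $User
    }

    # 3. Disabling alone leaves the existing session running, so find it and log it off.
    $id = Get-UserSessionId -User $User -Computer $Computer
    if ($null -eq $id) {
        Write-Warning "No session for $User on $Computer (already gone, or QWINSTA was refused)"
        return
    }
    if ($PSCmdlet.ShouldProcess("$Computer session $id", 'logoff')) {
        & logoff.exe $id "/server:$Computer"
    }
}

# Usage (placeholder values); drop -WhatIf to actually disable and log off:
# Invoke-RogueUserLogoff -User 'USERNAME' -Computer 'COMPUTERNAME' -WhatIf
```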
Transcript (machine generated so it contains errors)
1. 00:00:00:00 / 00:00:05:87 - hello and welcome to this video which is
2. 00:00:03:02 / 00:00:09:29 - for Windows servers we are using Windows
3. 00:00:05:87 / 00:00:15:02 - Server 2016 but the video is all about
4. 00:00:09:30 / 00:00:17:83 - how to log off immediately a rogue
5. 00:00:15:02 / 00:00:20:96 - user that is logged on to the domain
6. 00:00:17:83 / 00:00:26:14 - okay the first thing we need to do is
7. 00:00:20:96 / 00:00:30:35 - basically go to Administrative Tools
8. 00:00:26:14 / 00:00:32:96 - that'll open up and once you're here
9. 00:00:30:35 / 00:00:35:42 - we're basically creating an
10. 00:00:32:96 / 00:00:39:03 - organizational unit and putting our
11. 00:00:35:42 / 00:00:42:53 - computers within it the computers that
12. 00:00:39:03 / 00:00:47:30 - we want to monitor and have the ability
13. 00:00:42:53 / 00:00:51:97 - to log off on okay so Active Directory
14. 00:00:47:30 / 00:00:56:51 - users and computers we have created a
15. 00:00:51:97 / 00:00:58:61 - demo organizational unit okay all you
16. 00:00:56:52 / 00:01:03:03 - need to do is just go there give it a
17. 00:00:58:61 / 00:01:06:84 - name we have called it demo in that
18. 00:01:03:03 / 00:01:09:47 - we've put in our computer ok and we've
19. 00:01:06:84 / 00:01:11:40 - also got our user in there but the
20. 00:01:09:47 / 00:01:13:10 - computer is the most important thing
21. 00:01:11:40 / 00:01:16:17 - okay so for example if you've got 50
22. 00:01:13:10 / 00:01:18:75 - computers that you want to monitor and
23. 00:01:16:17 / 00:01:25:01 - be able to knock a user off on put all
24. 00:01:18:75 / 00:01:27:35 - those 50 computers in here okay now once
25. 00:01:25:01 / 00:01:32:25 - we've done that we then need to go to
26. 00:01:27:35 / 00:01:36:20 - group policy management click on that we
27. 00:01:32:25 / 00:01:39:45 - will find that OU that we created in
28. 00:01:36:20 / 00:01:41:54 - it we need to basically create a GPO in
29. 00:01:39:45 / 00:01:47:18 - this domain and link it here so click on
30. 00:01:41:54 / 00:01:50:00 - that and then well I'll do that and
31. 00:01:47:18 / 00:01:51:92 - basically give it a name we gave the
32. 00:01:50:00 / 00:01:53:18 - name remote registry because that's the
33. 00:01:51:93 / 00:01:57:78 - first thing you need to do turn on
34. 00:01:53:18 / 00:02:05:63 - remote registry on these computers so
35. 00:01:57:78 / 00:02:08:87 - once that's done we then edit that
36. 00:02:05:64 / 00:02:12:56 - policy we need to go to computer
37. 00:02:08:87 / 00:02:14:48 - configuration policies windows settings
38. 00:02:12:56 / 00:02:20:84 - security settings
39. 00:02:14:49 / 00:02:24:48 - and system services find remote registry
40. 00:02:20:84 / 00:02:26:78 - double-click on that define the policy
41. 00:02:24:47 / 00:02:30:26 - setting tick that box click automatic
42. 00:02:26:78 / 00:02:32:45 - you can add the security which users etc
43. 00:02:30:27 / 00:02:34:26 - it's very important because this is a
44. 00:02:32:46 / 00:02:38:76 - remote kind of thing that this is
45. 00:02:34:25 / 00:02:45:67 - actually tightly controlled ok so that's
46. 00:02:38:75 / 00:02:50:68 - fine and then ok we shut that down and
47. 00:02:45:68 / 00:02:55:43 - this is going to enable us to actually
48. 00:02:50:68 / 00:03:01:31 - find the computers that have the user
49. 00:02:55:43 / 00:03:03:00 - logged on okay once that's done the
50. 00:03:01:31 / 00:03:07:18 - very next thing we need to do is
51. 00:03:03:00 / 00:03:12:53 - download a very very famous tool from
52. 00:03:07:18 / 00:03:18:44 - Microsoft ok it's Windows sysinternals
53. 00:03:12:53 / 00:03:22:73 - and PS tools so you can find it via
54. 00:03:18:44 / 00:03:29:93 - Google or we will post this URL
55. 00:03:22:74 / 00:03:34:23 - in the description download it ok save
56. 00:03:29:93 / 00:03:37:94 - it we saved it and then it comes as a
57. 00:03:34:22 / 00:03:41:28 - zip file you need to extract all we
58. 00:03:37:94 / 00:03:43:67 - extracted it to the desktop that's fine the next
59. 00:03:41:28 / 00:03:47:87 - thing we need to do is open PowerShell
60. 00:03:43:68 / 00:03:53:01 - as administrator here we go we'll just
61. 00:03:47:87 / 00:03:56:25 - reduce the size a little bit and go to
62. 00:03:53:00 / 00:04:02:57 - the directory where we have it we had on
63. 00:03:56:25 / 00:04:05:49 - our desktop cd Desktop let's change
64. 00:04:02:58 / 00:04:11:10 - that directory and then cd the name of
65. 00:04:05:49 / 00:04:16:98 - the folder PSTools yes PSTools and in
66. 00:04:11:09 / 00:04:21:42 - here you will find PsLoggedOn PsLoggedOn
67. 00:04:16:98 / 00:04:24:36 - 64 we are going to quickly show you a
68. 00:04:21:42 / 00:04:27:30 - Windows 10 domain-joined computer and log
69. 00:04:24:36 / 00:04:37:59 - on to that ok here we are
70. 00:04:27:30 / 00:04:39:50 - our user that was there okay that user
71. 00:04:37:58 / 00:04:41:75 - has now logged on could be doing
72. 00:04:39:50 / 00:04:44:90 - anything could be in PowerShell trying
73. 00:04:41:75 / 00:04:49:22 - to do something malicious etc copy files
74. 00:04:44:90 / 00:04:54:62 - all that we found out that this user is
75. 00:04:49:22 / 00:05:02:37 - actually behaving irregularly so let's run
76. 00:04:54:62 / 00:05:05:22 - okay as we know that is the user and it
77. 00:05:02:37 / 00:05:08:32 - will tell me straight away Ninja is
78. 00:05:05:22 / 00:05:10:59 - logged on to Win 10 Pro that's the computer
79. 00:05:08:32 / 00:05:14:33 - what you probably want to do at this
80. 00:05:10:58 / 00:05:21:34 - point is very very quickly go into
81. 00:05:14:33 / 00:05:21:34 - Administrative Tools users and computers
82. 00:05:21:80 / 00:05:34:37 - find that rogue user go to the account
83. 00:05:26:33 / 00:05:38:12 - and then disable it okay so that's
84. 00:05:34:37 / 00:05:41:12 - disabled but that computer will be
85. 00:05:38:12 / 00:05:45:30 - still running so we now want to log that
86. 00:05:41:12 / 00:05:50:55 - user off very very simple command to use
87. 00:05:45:30 / 00:05:54:34 - we need to type in QWINSTA space
88. 00:05:50:55 / 00:05:58:86 - forward slash server and that computer
89. 00:05:54:34 / 00:06:06:75 - where the users logged on that'll give
90. 00:05:58:86 / 00:06:11:87 - us the session ID of that user just type
91. 00:06:06:75 / 00:06:19:11 - LOGOFF the user session ID then click
92. 00:06:11:87 / 00:06:21:68 - enter and now if we go over to our
93. 00:06:19:11 / 00:06:27:18 - Windows 10 computer you can see the
94. 00:06:21:68 / 00:06:32:37 - computer has been logged off we'll try
95. 00:06:27:18 / 00:06:34:86 - logging back in and as you can see
96. 00:06:32:37 / 00:06:39:38 - account has been disabled so this is a
97. 00:06:34:86 / 00:06:43:77 - very very useful security, two methods
98. 00:06:39:38 / 00:06:48:71 - actually to ensure that you can log off
99. 00:06:43:76 / 00:06:52:22 - a computer user and block him or her
100. 00:06:48:70 / 00:06:56:35 - okay hopefully this has helped thank you
101. 00:06:52:22 / 00:06:56:36 - for watching if it does give us a like
Visit our YouTube channel: https://www.youtube.com/channel/UCFj1BHYIUYfPWPb1Xn5qFIg