Server 2016 and 2012R2 Remotely Logoff A Rogue Domain User For Security Video Tutorial
Sometimes a user in a domain may go rogue and needs to be removed from the domain immediately. This video shows how to find which computer the user is using and then log off the user immediately.
It also shows how to disable that user to prevent the user logging back in. This method is done remotely so one does not have to be next to the user.
To download PSTools: https://technet.microsoft.com/en-us/sysinternals/dd443648.aspx
The commands in PowerShell:
LOGOFF IDNUMBER /server:COMPUTERNAME
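An added example, not from the original post or video: the disable, qwinsta and LOGOFF steps as one PowerShell script, including the parsing needed to pull the session ID out of the qwinsta output. It assumes the RSAT ActiveDirectory module is available and that the computer name is already known (for instance from PsLoggedOn); jdoe and WIN10-PC are placeholder names, and the qwinsta sample is constructed.

```powershell
# Added example, not the video's own script. Assumes the RSAT ActiveDirectory
# module; 'jdoe' and 'WIN10-PC' are placeholder names.

function Get-SessionId {
    # Return the session ID(s) that qwinsta output lists for $User.
    param([string[]]$QwinstaOutput, [string]$User)
    foreach ($line in ($QwinstaOutput | Select-Object -Skip 1)) {  # skip header
        # Strip the leading blank or '>' marker, then split on whitespace.
        $f = ($line -replace '^[\s>]+', '') -split '\s+'
        # A disconnected session has an empty SESSIONNAME column, so USERNAME
        # is then the first field instead of the second.
        if ($f.Count -ge 3 -and $f[1] -eq $User -and $f[2] -match '^\d+$') {
            [int]$f[2]
        } elseif ($f.Count -ge 2 -and $f[0] -eq $User -and $f[1] -match '^\d+$') {
            [int]$f[1]
        }
    }
}

function Stop-RogueSession {
    param([string]$User, [string]$Computer)
    Import-Module ActiveDirectory
    Disable-ADAccount -Identity $User        # block new logons first
    $sessions = qwinsta "/server:$Computer"  # existing session is still alive
    foreach ($id in (Get-SessionId -QwinstaOutput $sessions -User $User)) {
        logoff $id "/server:$Computer"
    }
}

# Constructed sample of qwinsta output, to exercise the parser offline.
$sample = @(
    ' SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE',
    ' services                                    0  Disc',
    ' console           jdoe                      1  Active',
    '                   jdoe                      3  Disc',
    ' rdp-tcp                                 65536  Listen'
)
Get-SessionId -QwinstaOutput $sample -User 'jdoe'

# On a domain controller or admin workstation:
# Stop-RogueSession -User 'jdoe' -Computer 'WIN10-PC'
```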
Transcript (machine generated so it contains errors)
Hello and welcome to this video, which is for Windows servers. We are using Windows Server 2016, but the video is all about how to immediately log off a rogue user that is logged onto the domain. Okay, the first thing we need to do is basically go to Administrative Tools. That will open up, and once you're here we're basically creating an organisational unit and putting our computers within it: the computers that we want to monitor and have the ability to log off. So, Active Directory Users and Computers. We have created a demo organisational unit. Okay, you need to just go there and give it a name. We have called it Demo, and in that we'll put our computer.
Okay, and we've also got our user in there, but the computer is the most important, I guess, or to rephrase: if you've got fifty computers that you want to monitor and be able to knock the user off on, put all those fifty computers in here. Okay, now, once we've done that, we then need to go to Group Policy Management. Click on that and we will find that OU that we created. We need to basically create a GPO in this domain and link it here, so click on that and then do that and basically give it a name. We gave it the name Remote Registry. The first thing you need is to turn on Remote Registry on these computers, so once that's done, we then edit that policy.
We need to go to Computer Configuration, Policies, Windows Settings, Security Settings, and there, System Services. Find Remote Registry, click on that, define the policy setting, tick the box, click Automatic. You can edit the security, which users, access rights; very important, as this is remote, that this is actually tightly controlled. Okay, so that's fine, and then OK. We shut that down, and this is going to enable us to actually find the computers that have the user logged on. Then close this down. The very next thing we need to do is download a very, very famous tool from Microsoft again: it's Windows Sysinternals and PsTools. You can find it via Google, or we will post this URL in the discussion. Download it. So we saved it, and it comes as a zip file; you need to extract all. We extracted to the desktop, that's fine. The next thing we need to do is open PowerShell as administrator. Here we go with us…
A little bit, and go to the directory where we have it. We had it on our desktop, so cd desktop, that changes to that directory, and then cd and the name of the folder, PSTools. PSTools, and in here you will find PsLoggedOn and PsLoggedOn64. We're going to quickly show you a Windows 10 domain-joined computer and log onto that. Okay, here we are: our user that was there. Okay, that user has now logged on; could be doing anything, could be impartial to do something malicious, et cetera, copy files, all that. We found out that this user is actually behaving irregularly, so let's run today as we now that is the user, and it'll tell me straight away, and Nimda is logged on to the Win10 computer. What you probably want to do at this point is very, very quickly go to Administrative Tools, Users and Computers, find that rogue user, go to the account and then disable it.
Okay, so that's disabled, but that computer is fully still running, so we now want to log that user off. Very simple command to use: we need to type qwinsta, a space, /server: and that computer where the user is logged on. That'll give us the session ID of that user. Then type logoff, the user session ID, and click Enter. And now, if we go over to our Windows 10 computer, you can see the computer has been logged off. We'll try logging back in; as you can see, the account has been disabled. So this is a very, very useful security tool, or method actually, to ensure that you can log off a computer user and block him or her. Okay, hopefully this has helped. Thank you for watching it as it was alike