
Scripting Question


Lockout and force a user off machine (termination)

03/28/2017 1067 views
I am looking for a way to lock out a remote user and prevent them from logging in if they take the machine offline. One way I have done this in the past is to request a remote screen share and issue:

manage-bde -forcerecovery C:

I would issue this command via a remote command, but the firewall is on and I am unable to reach the machines. Which is why I was looking at using Kace.

Since the users don't know the BitLocker key, they are essentially locked off the machine. I am looking for a more stealthy way to handle this. It would be nice to have Kace take the user out of the admin group (if applicable), force a BitLocker recovery, log the user off quickly (so they can't cancel it), and shut down.

If this is not the best way to go about it, I am open to ideas. 

Thanks

Comments

  • If you are trying to prevent a specific user name from an individual system there is the GPO setting you can do locally with gpedit.msc as a local admin

    Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Deny log on ___ and add the user name in there.

    I know that is scriptable, but I can't think of the command off the top of my head. This will keep them from having access regardless of being an admin user or regular user, since local deny permissions take the highest level over all other permissions.
  • That would work, but I would need to force them to log off as well.
  • There are VB scripts all over to help you tackle getting the users out of the admin group. Ex:
    http://stackoverflow.com/questions/31589221/vbs-script-to-remove-accounts-from-administrators-group

    You should be able to run the above with your:
    manage-bde -forcerecovery C:
    and
    Cmd.exe /c Shutdown /l /f (For Log Off)
    Or
    Cmd.exe /c Shutdown /s /f (For Shutdown)

    I would put all the steps into a Kace Script and push it out that way
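
The steps from the comments, combined into one script that could be pushed as a Kace script. This is an added example, not code posted by anyone in the thread. It assumes Windows PowerShell 5.1 with the BitLocker and LocalAccounts modules, running elevated; the `UserName`, `MountPoint` and `LogPath` parameters and the log location are hypothetical. It refuses to force recovery unless a recovery password protector exists, since without one the volume cannot be unlocked again by IT either.

```powershell
#Requires -RunAsAdministrator
# Added example: offboarding lockout for a BitLocker-protected endpoint.
param(
    [Parameter(Mandatory)] [string]$UserName,              # hypothetical: account to demote
    [string]$MountPoint = 'C:',                            # hypothetical: volume to lock
    [string]$LogPath    = "$env:ProgramData\lockout.log"   # hypothetical audit log path
)
$ErrorActionPreference = 'Stop'

function Write-Audit([string]$Message) {
    # Timestamped audit trail so the action can be reconstructed later.
    Add-Content -Path $LogPath -Value ("{0:o} {1}" -f (Get-Date), $Message)
}

# 1. Safety check: protection must be on and a recovery password must exist.
#    Confirm the protector id below matches what is escrowed (AD, MBAM, etc.).
$vol      = Get-BitLockerVolume -MountPoint $MountPoint
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if ($vol.ProtectionStatus -ne 'On' -or -not $recovery) {
    Write-Audit "ABORT: $MountPoint is unprotected or has no recovery password protector"
    exit 1
}
Write-Audit "Recovery protector id(s): $($recovery.KeyProtectorId -join ', ')"

# 2. Remove the user from local Administrators, if present.
#    S-1-5-32-544 is the well-known SID, so localized group names also work.
$adminSid = 'S-1-5-32-544'
$member = Get-LocalGroupMember -SID $adminSid | Where-Object Name -like "*\$UserName"
if ($member) {
    Remove-LocalGroupMember -SID $adminSid -Member $member
    Write-Audit "Removed $($member.Name) from local Administrators"
} else {
    Write-Audit "$UserName is not a direct member of local Administrators"
}

# 3. Force BitLocker recovery on next boot (command from the original post).
manage-bde -forcerecovery $MountPoint
if ($LASTEXITCODE -ne 0) {
    Write-Audit "ABORT: manage-bde -forcerecovery failed with exit code $LASTEXITCODE"
    exit $LASTEXITCODE
}
Write-Audit "Forced recovery set on $MountPoint"

# 4. Shut down immediately; /f closes running applications, /t 0 removes the
#    default delay during which a logged-on user could run "shutdown /a".
Write-Audit "Shutting down"
shutdown /s /f /t 0
```

Membership granted through a nested domain group is not touched by step 2 and has to be handled in the directory.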
