July 4, 2008 07:14pm pdt

1. KCTS 201,513
2. tigermatt 107,527
3. leew 54,987
4. oBdA 52,885
5. MrHusy 48,000
6. RobWill 46,638
7. martin_b... 41,358
8. ryansoto 32,990
9. toniur 31,850
10. merowinger 31,500
11. Mikey_TT 31,200
12. mboppe 30,992
13. TechSoEasy 30,100
14. lnkevin 29,980
15. LauraEHu... 28,759

1. KCTS 941,835
2. farhankazi 463,550
3. MrHusy 416,551
4. Sembee 328,464
5. TechSoEasy 289,434
6. oBdA 223,431
7. leew 209,218
8. tigermatt 195,890
9. LauraEHu... 187,651
10. sirbounty 152,540
11. Jay_Jay70 148,096
12. toniur 137,191
13. mboppe 135,740
14. RobWill 122,527
15. Chris-Dent 111,710

03.05.2008 at 06:02AM PST, ID: 23215917

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

8.0

How to forcily disconnect user from Active Directory?

Zones: Microsoft Server, Active Directory, MS Forefront

Tags: Microsoft, Windows, 2003

Hi,
I was wondering if someone knows how to forcily disconnect / logoff some user from Active Directory while he is logged on.
I experimented a lot with log on hours, forced logoff when logon hours expire, shooting down client services, but nothing works the way I need. Once the user is logged on, even if I delete his account, he is still able to access the domain, domain shares, modify files here, anything. I guess it's because of Kerberos ticket lifetime.
So the question is: how to make some unwanted user logoff from domain - I'd preffer some official way.
Thank you very much in advance
Martin

Start your free trial to view this solution

Question Stats

Zone: OS

Question Asked By: martin_babarik

Solution Provided By: nsx106052

Participating Experts: 3

Solution Grade: A

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
New Net Users
New Users

Software
Digital Music
Gaming World

Home Security
Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Handhelds / PDAs
Displays / Monitors
Components
Networking Hardware

Peripherals
Laptops/Notebooks
Storage
Servers

Desktops
New Users
Misc
Apple

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMWare
Misc
Web Development

OS
CYGWIN
Voice Recognition
Message Queue
Quality Assurance
Security
Firewalls
MultiMedia Applications

Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals

Devices
Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
WebApplications
IDS
Vulnerabilities
Email Clients

File Sharing
Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMWare

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel

Algorithms
Game
Signal Processing
Project Management
Open Source

Database
Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Images

Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration
WebApplications

Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Broadband

Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Community Advisor
Lounge
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles

Community Support

Suggestions
New to EE
New Topics
Community Advisor

CleanUp
Announcements
General

Feedback
Input
EE Bugs

03.05.2008 at 06:50AM PST, ID: 21050717

Rank: Master

ormerodrutter:

Are you using DHCP? Any chance you can remove the allocated IP address?

03.05.2008 at 06:55AM PST, ID: 21050780

myin68:

You could enable RDP and that user's PC, then when you want to log them off you connect to the PC and manually log them off. If it's past the login time, they won't be able to log back in until the next day.

03.05.2008 at 08:50AM PST, ID: 21051951

nsx106052:

I would try issuing the commands to force the user to log off or shut down remotely.
http://www.computerhope.com/shutdown.htm

After that i would disable the account. If you don't want them to log back on. When you set the schedule for log on times that should be enforced by group policy. I would check to make sure that policy is being applied.

Also do you have more than one DC? If so you might want to force group policy to replicate the changes.

03.05.2008 at 09:05AM PST, ID: 21052098

martin_babarik:

Thank you for all replies.
This problem is rather theoreticall as I'm just teaching one Windows 2003 server and we felt into deep and thorough discussion what would be the best way to achieve this goal. The desired action we'd like to do is that user who is currently logged on on his desktop will probably see some warning message and then he will be logged off from the computer without a possibility to affect it or resist somehow.
As I'm thinking about it I don't see even theoretical solution of this problem as I can't imagine any way how to force some client service to perform logoff.
So far the best solution in case of quick, dirty and forced remote logoff seems to be remotelly kill the lsass.exe process on client, but this can be blocked by firewall settings.
I was just assumning there is some "official" possibility in Active Directory - for example when you will find out that one of your 10 000 AD active users is a hacker - how to shoot him off? I can disable his account, delete the account, but the user is still considered to be active, until his kerberos ticket expires (which can be too long and give him enough time to cause a damage or steal data).

03.06.2008 at 12:34PM PST, ID: 21064437

martin_babarik:

nsx106052: thank you for your idea, it sounds promisy, but unfortunatelly it's not possible to combine the "logoff" switch with the "remote machine name", so it can be used only locally - that' pity, otherwise it would be the best solution.
Let's say that I have only 1 DC. Whatever account restricitions i set, as I said before even delete the user account, then I even use gpupdate /force on the client I want to disconnect - but the client easily updates the GPO, can continue to work and although he's deleted, he can happily create files in shared folders on the server, access everythin his account has been configured to have access to - all of this makes me go crazy about MS idea of security.
There MUST be some easy way to "kill" unwanted user. RDPing to him is not an universal solution as it can be blocked by FW.

ormerodrutter: can you explain your idea little bit more please? Ok, let's say that the unwanted client will obtain his IP from DHCP, I will somehow delete active lease on the server and what now? What is the desired output you are pointing me to?

03.06.2008 at 01:41PM PST, ID: 21065090

nsx106052:

"ormerodrutter: can you explain your idea little bit more please? Ok, let's say that the unwanted client will obtain his IP from DHCP, I will somehow delete active lease on the server and what now? What is the desired output you are pointing me to?"

I think it you delete the lease the client computer will request another lease, which I don't think will solve the problem.

I think you might want to try a logon script. I attached a few links that may be useful.
http://www.eggheadcafe.com/forumarchives/scriptingVisualBasicscript/Aug2005/post23120599.asp

http://www.robvanderwoude.com/files/logoff_vbs.txt

Accepted Solution

20080236-EE-VQP-29 / EE_QW_2_20070628