Link to home
Start Free TrialLog in
Avatar of martin_babarik
martin_babarikFlag for Czechia

asked on

How to forcily disconnect user from Active Directory?

I was wondering if someone knows how to forcily disconnect / logoff some user from Active Directory while he is logged on.
I experimented a lot with log on hours, forced logoff when logon hours expire, shooting down client services, but nothing works the way I need. Once the user is logged on, even if I delete his account, he is still able to access the domain, domain shares, modify files here, anything. I guess it's because of Kerberos ticket lifetime.
So the question is: how to make some unwanted user logoff from domain - I'd preffer some official way.
Thank you very much in advance
Avatar of ormerodrutter
Flag of United Kingdom of Great Britain and Northern Ireland image

Are you using DHCP? Any chance you can remove the allocated IP address?
You could enable RDP and that user's PC, then when you want to log them off you connect to the PC and manually log them off.  If it's past the login time, they won't be able to log back in until the next day.
I would try issuing the commands to force the user to log off or shut down remotely.

After that i would disable the account.  If you don't want them to log back on.  When you set the schedule for log on times that should be enforced by group policy.  I would check to make sure that policy is being applied.  

Also do you have more than one DC?  If so you might want to force group policy to replicate the changes.  
Avatar of martin_babarik


Thank you for all replies.
This problem is rather theoreticall as I'm just teaching one Windows 2003 server and we felt into deep and thorough discussion what would be the best way to achieve this goal. The desired action we'd like to do is that user who is currently logged on on his desktop will probably see some warning message and then he will be logged off from the computer without a possibility to affect it or resist somehow.
As I'm thinking about it I don't see even theoretical solution of this problem as I can't imagine any way how to force some client service to perform logoff.
So far the best solution in case of quick, dirty and forced remote logoff seems to be remotelly kill the lsass.exe process on client, but this can be blocked by firewall settings.
I was just assumning there is some "official" possibility in Active Directory - for example when you will find out that one of your 10 000 AD active users is a hacker - how to shoot him off? I can disable his account, delete the account, but the user is still considered to be active, until his kerberos ticket expires (which can be too long and give him enough time to cause a damage or steal data).
nsx106052: thank you for your idea, it sounds promisy, but unfortunatelly it's not possible to combine the "logoff" switch with the "remote machine name", so it can be used only locally - that' pity, otherwise it would be the best solution.
Let's say that I have only 1 DC. Whatever account restricitions i set, as I said before even delete the user account, then I even use gpupdate /force on the client I want to disconnect - but the client easily updates the GPO, can continue to work and although he's deleted, he can happily create files in shared folders on the server, access everythin his account has been configured to have access to - all of this makes me go crazy about MS idea of security.
There MUST be some easy way to "kill" unwanted user. RDPing to him is not an universal solution as it can be blocked by FW.

ormerodrutter: can you explain your idea little bit more please? Ok, let's say that the unwanted client will obtain his IP from DHCP, I will somehow delete active lease on the server and what now? What is the desired output you are pointing me to?
Avatar of nsx106052
Flag of United States of America image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Thank you very much, the VBScript using WMI seems to be correct solution.