janhoedt asked on

Powershell script to logoff user from all computers he is logged on to in domain (query domain controllers)

Hi,

I'm looking for a PowerShell script which checks for a certain AD user, then logs them off from all computers in the domain.
You can query domain controller logs for a user, then find the computer and execute a logoff. Why needed? His account is locked and he is logged on to several devices, which locks the account again and again.
I had some kind of script, but I can't find it anymore.

Thanks!
PowerShell, Active Directory

Last Comment: janhoedt, 8/22/2022 - Mon
janhoedt (ASKER)
Thanks, that's the easy part, the logoff.
I specifically need the part where I can see the computers to which a user is logged on.

janhoedt (ASKER)
Import-Module ActiveDirectory
$UserName = Read-Host "Please enter username"
# Get the PDC emulator: every DC forwards bad-password attempts to it, so all 4740 lockout events end up in its Security log
Write-Output "Getting info for logged on user $UserName"
$PDC = Get-ADDomainController -Filter * | Where-Object { $_.OperationMasterRoles -contains "PDCEmulator" }
# Get user info; we match events on the SID rather than on the (possibly ambiguous) account name
$UserInfo = Get-ADUser -Identity $UserName
# Search the PDC for lockout events with ID 4740 (needs Event Log Readers rights, or equivalent, on the PDC)
$LockedOutEvents = Get-WinEvent -ComputerName $PDC.HostName -FilterHashtable @{LogName = 'Security'; Id = 4740} -ErrorAction Stop |
    Sort-Object -Property TimeCreated -Descending
# Parse and filter out lockout events for this user.
# 4740 EventData order: [0] TargetUserName, [1] TargetDomainName (= Caller Computer Name), [2] TargetSid
Write-Output "Done"
Write-Output "Showing results"
$Overview = foreach ($Event in $LockedOutEvents) {
    if ("$($Event.Properties[2].Value)" -eq $UserInfo.SID.Value) {
        $Event | Select-Object -Property @(
            @{Label = 'User';             Expression = { $_.Properties[0].Value }}
            @{Label = 'DomainController'; Expression = { $_.MachineName }}
            @{Label = 'EventId';          Expression = { $_.Id }}
            @{Label = 'LockoutTimeStamp'; Expression = { $_.TimeCreated }}
            @{Label = 'Message';          Expression = { ($_.Message -split "`r?`n")[0] }}
            @{Label = 'LockoutSource';    Expression = { $_.Properties[1].Value }}
        )
    }
}
$Overview | Out-GridView
Write-Output 'Done'
# The caller computer name is where the bad password came from; that is usually, but not necessarily, a machine with a live session
$ComputersToLogoff = $Overview.LockoutSource | Where-Object { $_ } | Select-Object -Unique
$Confirm = Read-Host "Are you sure you want to logoff all sessions for username $UserName ? Y/N"
if ($Confirm -eq 'Y') {
    foreach ($Computer in $ComputersToLogoff) {
        # quser lines look like " USERNAME  SESSIONNAME  ID  STATE ..."; ">" marks the current session and
        # SESSIONNAME is blank for disconnected sessions, so a fixed column index is unreliable. Match the
        # username exactly (bob must not match bobby) and take the first all-digit token as the session ID.
        $SessionIds = quser /server:$Computer 2>$null |
            Select-Object -Skip 1 |
            ForEach-Object {
                $Tokens = ($_ -replace '^\s*>?', '').Trim() -split '\s+'
                if ($Tokens[0] -eq $UserName) { $Tokens | Where-Object { $_ -match '^\d+$' } | Select-Object -First 1 }
            }
        if ($SessionIds) {
            foreach ($SessionId in $SessionIds) {
                Write-Host "Logging off $UserName with session $SessionId from $Computer"
                logoff $SessionId /server:$Computer
            }
            Write-Host "Checking if logoff was successful"
            quser /server:$Computer 2>$null | Select-String -Pattern "^\s*>?$([regex]::Escape($UserName))\s"
        }
        else { Write-Host "No session id found for $UserName on $Computer" }
    }
}
else { Write-Output "Logoff Cancelled" }
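
The two fragile spots in the script above are the positional Properties[] lookups on the 4740 event and the column-based parsing of quser output. The following is an added example (the editor's, not janhoedt's script or anything from the original thread) that reads the 4740 fields by name from the event XML and parses quser output token by token. The function names, the host names, the SID and both sample inputs are constructed for the demo; nothing contacts a DC or a server.

```powershell
# Added example, not part of the original post. Sample data below is constructed.

function ConvertFrom-LockoutEvent {
    # Takes the XML of one 4740 event (the string $Event.ToXml() returns for a Get-WinEvent record)
    # and extracts the EventData fields by name, so a reordered or extended schema cannot shift indices.
    param([Parameter(Mandatory)][string]$EventXml)
    $xml  = [xml]$EventXml          # PowerShell's XML adapter navigates by local name, so the default namespace is no obstacle
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated   = [datetime]$xml.Event.System.TimeCreated.SystemTime
        LoggedOnDC    = $xml.Event.System.Computer
        User          = $data['TargetUserName']
        TargetSid     = $data['TargetSid']
        LockoutSource = $data['TargetDomainName']   # in 4740 this field carries the "Caller Computer Name"
    }
}

function Get-QuserSessionId {
    # Parses quser text output and returns the session IDs that belong exactly to $UserName.
    param(
        [Parameter(Mandatory)][string[]]$QuserOutput,
        [Parameter(Mandatory)][string]$UserName
    )
    $QuserOutput | Select-Object -Skip 1 | ForEach-Object {
        # ">" marks the session quser itself runs in; drop it and the leading space, then split on whitespace
        $tokens = ($_ -replace '^\s*>?', '').Trim() -split '\s+'
        # Column 0 is always USERNAME. SESSIONNAME is blank for disconnected sessions, so the ID is
        # the first all-digit token rather than a fixed column position. Exact match: bob is not bobby.
        if ($tokens.Count -ge 2 -and $tokens[0] -eq $UserName) {
            $tokens | Where-Object { $_ -match '^\d+$' } | Select-Object -First 1
        }
    }
}

# --- constructed 4740 event, shaped like $Event.ToXml() from Get-WinEvent ---
$sampleEventXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2022-08-22T08:15:03.000Z" />
    <Computer>dc01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">bob</Data>
    <Data Name="TargetDomainName">WS-0042</Data>
    <Data Name="TargetSid">S-1-5-21-111-222-333-1105</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DC01$</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>
'@
$lockout   = ConvertFrom-LockoutEvent -EventXml $sampleEventXml
$targetSid = 'S-1-5-21-111-222-333-1105'      # live: (Get-ADUser -Identity $UserName).SID.Value
# Compare SIDs, not names: a renamed or look-alike account cannot be confused with the locked one
if ($lockout.TargetSid -eq $targetSid) {
    "Lockout of $($lockout.User) reported by $($lockout.LoggedOnDC) came from $($lockout.LockoutSource) at $($lockout.TimeCreated)"
}

# --- constructed quser output: current-session marker, a prefix-colliding name, and a disconnected session ---
$sampleQuser = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME'
    '>admin                 console             1  Active      none   8/22/2022 7:58 AM'
    ' bobby                 rdp-tcp#3           2  Active         5   8/22/2022 8:01 AM'
    ' bob                                       3  Disc        1:12   8/22/2022 8:05 AM'
)
$ids = Get-QuserSessionId -QuserOutput $sampleQuser -UserName 'bob'
"Session IDs for bob: $($ids -join ', ')"

# Live use inside the loop of the script above:
#   Get-QuserSessionId -QuserOutput (quser /server:$Computer 2>$null) -UserName $UserName |
#       ForEach-Object { logoff $_ /server:$Computer }
```

The quser sample is built so that each known pitfall is present at once: the `>` on the admin line, `bobby` as a prefix match for `bob`, and a disconnected session whose missing SESSIONNAME shifts every column left. Only the line whose first token equals the requested name contributes an ID. For the 4740 side, the same `ConvertFrom-LockoutEvent` can be fed `$Event.ToXml()` for each record that `Get-WinEvent` returns from the PDC; the caller computer name it yields is where the bad password originated, which is the natural candidate list for the logoff step but may also include a service host or a device holding a cached credential rather than an interactive session.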


ASKER CERTIFIED SOLUTION
janhoedt