Lockout and force a user off machine (termination)
I am looking for a way to lock out a remote user and prevent them from logging in if they take the machine offline. One way I have done this in the past is to request a remote screen share and I issue:
manage-bde -forcerecovery C:
I would issue this command via a remote command, but the firewall is on and I am unable to reach the machines. Which is why I was looking at using Kace.
Since the users don't know the BitLocker key, they are essentially locked off the machine. I am looking for a more stealthy way to handle this. It would be nice to have Kace take the user out of the admin group (if applicable), force a BitLocker recovery, log the user off quickly (so they can't cancel it), and shut down.
If this is not the best way to go about it, I am open to ideas.
Thanks
3 Comments
Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Deny log on ___ and add the user name in there.
I know that is scriptable but I can't think of the command off the top of my head. This will prevent the user from having access, regardless of being an admin user or a regular user, since local deny permissions take the highest level over all other permissions. - nwonknu 7 years ago
http://stackoverflow.com/questions/31589221/vbs-script-to-remove-accounts-from-administrators-group
You should be able to run the above with your:
manage-bde -forcerecovery C:
and
Cmd.exe /c Shutdown /l /f (For Log Off)
Or
Cmd.exe /c Shutdown /s /f (For Shutdown)
I would put all the steps into a Kace Script and push it out that way - Desktop Jockey 7 years ago