Remote lock workstation and change user's password

  • 1 October 2021
  • 2 replies
  • 74 views


This worklet changes the local user's password and logs them out of the computer. This is useful in instances where there is a security risk or an abrupt/unexpected termination.


Evaluation

# Always report non-compliant so the remediation script runs every time the worklet is executed
exit 1


Remediation


#Credit for parts of this script go to Progress

$logoutReset = {
    # Stop on any error so a failed password change does not silently fall through to the logoff step
    $ErrorActionPreference = 'Stop'

    #Set the username that should have its password changed and sessions logged off on the targeted workstations
    $user = 'jeff'
    $password = 'y0urn3wPa$$woRd_heR3'   # single quotes: the $$ stays literal and is not expanded

    #Comment out the two lines below if you do not need to change the password locally but prefer to change it in Active Directory
    net user $user $password | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net user failed with exit code $LASTEXITCODE (does the local account '$user' exist?)" }

    # Sysnative path so the 64-bit binaries are reached even from a 32-bit agent process
    $quser = "C:\Windows\Sysnative\quser.exe"
    $logoff = "C:\Windows\Sysnative\logoff.exe"

    try {
        ## Find all sessions whose USERNAME column is exactly $user.
        ## quser prefixes the calling session with '>' and pads columns with spaces, so anchor the
        ## match on the start of the line; a bare -match $user would also hit 'jeffrey'.
        $pattern = '^\s*>?' + [regex]::Escape($user) + '\s'
        $sessions = @(& $quser | Where-Object { $_ -match $pattern })

        if ($sessions.Count -eq 0) {
            Write-Host "The user is not currently logged on."
        }

        ## Parse the session ID from each line. The SESSIONNAME column is blank for
        ## disconnected sessions, which shifts the ID one field to the left, so take the
        ## first all-digit field instead of a fixed index.
        $sessionIds = foreach ($line in $sessions) {
            $fields = $line.Trim().TrimStart('>') -split '\s+'
            $fields | Where-Object { $_ -match '^\d+$' } | Select-Object -First 1
        }

        ## Loop through each session ID and pass each to the logoff command
        ## (foreach statement rather than ForEach-Object: piping $null would run the block once)
        foreach ($id in $sessionIds) {
            Write-Host "Logging off session id [$id]..."
            & $logoff $id
        }
    } catch {
        if ($_.Exception.Message -match 'No user exists') {
            Write-Host "The user is not currently logged on."
        } else {
            throw $_.Exception.Message
        }
    }
    return $user
}

# Capture the username the scriptblock returns; variables assigned inside it are not visible out here
$user = & $logoutReset
Write-Output "User $user password changed and logged off."
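The fragile part of the worklet above is turning quser.exe output into session IDs: the SESSIONNAME column is empty for disconnected sessions, the calling session carries a leading ">", and a substring match on the username catches other accounts with the same prefix. The following is an added example, not part of the original worklet, that parses quser output into objects and then selects the IDs that would be handed to logoff.exe. The sample output, usernames and IDs are constructed for illustration; only the column layout follows the real tool.

```powershell
# Constructed sample of quser.exe output (the names and IDs are made up). Line 3 is a
# disconnected session with a blank SESSIONNAME, line 2 is a different user with the same prefix.
$sampleQuser = @'
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>jeff                  console             1  Active      none   10/1/2021 8:02 AM
 jeffrey               rdp-tcp#3           2  Active         3   10/1/2021 8:15 AM
 jeff                                      3  Disc        1:05   9/30/2021 5:40 PM
'@ -split "`r?`n"

function ConvertFrom-QuserOutput {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $isCurrent = $line.TrimStart().StartsWith('>')
        $fields = $line.Trim().TrimStart('>') -split '\s+'

        # The ID is the first purely numeric field. It always precedes IDLE TIME, so a numeric
        # idle value cannot be mistaken for it; the header line has no numeric field and is skipped.
        $idIndex = -1
        for ($i = 0; $i -lt $fields.Count; $i++) {
            if ($fields[$i] -match '^\d+$') { $idIndex = $i; break }
        }
        if ($idIndex -lt 1) { continue }

        [pscustomobject]@{
            UserName    = $fields[0]
            SessionName = $(if ($idIndex -eq 2) { $fields[1] } else { '' })   # blank when disconnected
            Id          = [int]$fields[$idIndex]
            State       = $fields[$idIndex + 1]
            IsCurrent   = $isCurrent
        }
    }
}

function Get-SessionIdsForUser {
    param([Parameter(Mandatory)][string[]]$Lines, [Parameter(Mandatory)][string]$UserName)
    ConvertFrom-QuserOutput -Lines $Lines |
        Where-Object { $_.UserName -eq $UserName } |   # exact (case-insensitive) match: 'jeff' must not hit 'jeffrey'
        Select-Object -ExpandProperty Id
}

# Dry run over the constructed sample: show which sessions would be passed to logoff.exe
$ids = Get-SessionIdsForUser -Lines $sampleQuser -UserName 'jeff'
foreach ($id in $ids) { Write-Host "Would run: logoff.exe $id" }

# On a real host, feed the live tool output instead of the sample:
#   $live = & "$env:windir\Sysnative\quser.exe"
#   Get-SessionIdsForUser -Lines $live -UserName 'jeff' | ForEach-Object { & "$env:windir\Sysnative\logoff.exe" $_ }
```

Because the parser emits objects, the same function can also be used to report sessions before acting on them (for instance, to confirm which ones are in the Disc state) rather than logging off blindly.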

2 replies


So I needed something like this but wanted to add a bit to it. This version will:

  • Disable ALL local user accounts on the workstation
  • Clear cached credentials on the workstation
  • Reboot

As long as the terminated employee's account is disabled, the machine is useless to them until it is brought back to the office, where someone with a valid user account can access it once it is connected to the network.

# Using scriptblock to relaunch in native environment for 64bit cause none of this works in 32bit
# (Get-LocalUser / Disable-LocalUser come from the LocalAccounts module, which is not available in 32-bit PowerShell on a 64-bit OS)
$scriptblock = {
    #Disable all local users
    Get-LocalUser | Disable-LocalUser
    #Clear all domain cached credentials
    # Set variables to indicate value and key to set
    $RegistryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $Name = "CachedLogonsCount"
    $Value = "0"
    Set-ItemProperty -Path $RegistryPath -Name $Name -Value $Value
    #Reboot
    Restart-Computer -Force
}
# The scriptblock is converted to its body text when handed to the external powershell.exe, so it runs as the -Command string
$LockDown = & "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptblock

Hope this helps y'all

I have a similar script that I use in incident response with CrowdStrike, but to improve the security of this operation a bit, I set a random password:

# System.Web is not loaded by default in Windows PowerShell; without this line the type lookup fails
Add-Type -AssemblyName System.Web
$newPass = [System.Web.Security.Membership]::GeneratePassword(16, 2)

Then the legitimate user or the Domain Admin changes it once the incident is finished.
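As an added example (not the reply author's code), the same idea can be done without System.Web, which is absent in PowerShell 7, by drawing characters from the platform CSPRNG. It also guarantees one character from each of four classes, so the result satisfies a "three of four classes" complexity policy no matter what the RNG picks; the character sets and the 16-character default are assumptions.

```powershell
# Generate a random local-account password using the OS cryptographic RNG.
# Not part of the original thread; character classes and default length are illustrative choices.
function New-RandomPassword {
    param([int]$Length = 16)

    # Visually ambiguous characters (0/O, 1/l/I) are left out to reduce transcription errors
    $classes = @(
        [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ',
        [char[]]'abcdefghijkmnopqrstuvwxyz',
        [char[]]'23456789',
        [char[]]'!#$%&*+-=?@_'
    )
    if ($Length -lt $classes.Count) { throw "Length must be at least $($classes.Count) to hold one character of each class" }
    $all = $classes | ForEach-Object { $_ }   # flattened alphabet

    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        # Unbiased index in [0, $Max): draw one byte and reject values above the largest
        # multiple of $Max, otherwise the modulo would favour low indexes. All alphabets are < 256.
        function Get-RandomIndex([int]$Max) {
            $buf = New-Object byte[] 1
            $limit = 256 - (256 % $Max)
            do { $rng.GetBytes($buf) } while ($buf[0] -ge $limit)
            return [int]($buf[0] % $Max)
        }

        # One character from each class first, then fill the remainder from the whole alphabet
        $chars = foreach ($c in $classes) { $c[(Get-RandomIndex $c.Count)] }
        if ($Length -gt $classes.Count) {
            $chars += 1..($Length - $classes.Count) | ForEach-Object { $all[(Get-RandomIndex $all.Count)] }
        }

        # Fisher-Yates shuffle so the class-guaranteed characters do not always sit at the front
        for ($i = $chars.Count - 1; $i -gt 0; $i--) {
            $j = Get-RandomIndex ($i + 1)
            $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
        }
        return -join $chars
    } finally {
        $rng.Dispose()
    }
}

# Usage in the worklet: replace the hard-coded $password with a generated one
$newPass = New-RandomPassword -Length 16
# net user $user $newPass
```

Whatever generates the password, the remediation step only pays off if the responder records the new value somewhere they can retrieve it (the worklet output, a ticket, or the IR platform's audit log); otherwise the account has to be reset a second time when the incident is closed.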
