Remote lock workstation and change user's password

  • October 1, 2021
  • 6 replies
  • 1335 views

Stambo-Automox
This worklet changes the local user’s password and logs them out of the computer. This is useful in instances where there is a security risk or an abrupt/unexpected termination.

Evaluation
exit 1

Remediation

#Credit for parts of this script go to Progress

$logoutReset = {
    #Set the username that should have its password changed and sessions logged off on the targeted workstations
     $user = 'jeff'
     $password = 'y0urn3wPa$$woRd_heR3'
     
     #
     #Comment out the line below if you do not need to change the password locally but prefer to change it in Active Directory
     net user $user $password
     
     $ErrorActionPreference = 'Stop'
     $quser = "C:\Windows\Sysnative\quser.exe"
     $logoff = "C:\Windows\Sysnative\logoff.exe"

     try {
         ## Find all sessions matching the specified username
         $sessions = & $quser | Where-Object {$_ -match $user}
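         ## Parse the session ID from each matching line; it is the first all-numeric field
         ## (its position shifts when SESSIONNAME is blank, as for disconnected sessions)
         $sessionIds = $sessions | ForEach-Object {
             $_ -split ' +' | Where-Object { $_ -match '^\d+$' } | Select-Object -First 1
         }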

         ## Loop through each session ID and pass each to the logoff command
         $sessionIds | ForEach-Object {
             Write-Host "Logging off session id [$($_)]..."
             & $logoff $_
         }
     } catch {
         if ($_.Exception.Message -match 'No user exists') {
             Write-Host "The user is not currently logged on."
         } else {
             throw $_.Exception.Message
         }
     }
     return $user
 }
 
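 # $user only exists inside the script block, so capture its return value (the last item emitted)
 $user = & $logoutReset | Select-Object -Last 1
 Write-Output "User $user password changed and workstation locked."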

6 replies

So I needed something like this but wanted to add a bit to it. This version will:

Disable ALL local user accounts on the workstation

Clear cached credentials on the workstation

Reboot

As long as the terminated employee account is disabled, the machine is useless to them until it is brought back to the office and then someone with a valid user account can access it when connected to the network. 

# Using scriptblock to relaunch in native environment for 64bit cause none of this works in 32bit
$scriptblock = {
#Disable all local users
Get-LocalUser | Disable-LocalUser
#Clear all domain cached credentials
# Set variables to indicate value and key to set
$RegistryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
$Name         = "CachedLogonsCount"
$Value        = "0"
Set-ItemProperty -Path $RegistryPath -Name $Name -Value $Value 
#Reboot
Restart-Computer -Force
}
$LockDown = & "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptBlock

Hope this helps y'all


  • Channel Partner
  • 9 replies
  • January 13, 2022

I have a similar script that I use in Incident Response with Crowdstrike. But to improve the security of this operation a bit, I set a random password:

# System.Web is not loaded by default in a PowerShell session
Add-Type -AssemblyName System.Web
$newPass=[System.Web.Security.Membership]::GeneratePassword(16,2)

Then the legitimate user changes it or the Domain Admin once the incident is finished.
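
The random-password approach from the reply above, using a cryptographic generator and `Set-LocalUser` so the value is never passed on a command line or written to the worklet output. This is an added example, not code from any poster in this thread; it assumes 64-bit Windows PowerShell 5.1 running elevated, reuses the placeholder account name `jeff` from the original worklet, and `New-RandomPassword` with its character set is a hypothetical helper.

```powershell
# Added example, not part of the original thread.
# Assumption: runs elevated in 64-bit Windows PowerShell 5.1 (the LocalAccounts
# cmdlets are not available to a 32-bit host, as the earlier reply notes).

function New-RandomPassword {
    param([int]$Length = 24)

    # Assumed character set: letters, digits and a few symbols, ambiguous glyphs removed
    $chars = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+-_=?'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    # Bytes at or above $limit are discarded so every character is equally likely
    $limit = 256 - (256 % $chars.Length)
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder

    try {
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) {
                [void]$sb.Append($chars[$buf[0] % $chars.Length])
            }
        }
    } finally {
        $rng.Dispose()
    }
    return $sb.ToString()
}

$user   = 'jeff'   # placeholder account name from the original worklet
$plain  = New-RandomPassword -Length 24
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

# Set-LocalUser takes a SecureString, so the password does not show up in
# process command lines the way it does with "net user <name> <password>"
Set-LocalUser -Name $user -Password $secure

# The value is deliberately not written to output, so it does not end up in
# worklet logs; an administrator resets the password after the incident
Remove-Variable -Name plain, secure
Write-Output "Password for local user $user replaced with a random value."
```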


  • Rookie
  • 1 reply
  • February 6, 2023

Is there a worklet to lock a linux device?


  • Rookie
  • 1 reply
  • February 13, 2023

If you aren’t using AD would you just leave this portion out? Or leave it in but don’t edit it? 


Might be a dumb question, but I'm a newbie 😬

I figured this out! :D Carry on lol 


  • Novice
  • 19 replies
  • February 26, 2024
cinguva wrote:

Is there a worklet to lock a linux device?

This will disable all Linux accounts except root.

#!/bin/bash

# Check if the script is being run as root
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root" 
    exit 1
fi

# Backup the original passwd file
cp /etc/passwd /etc/passwd.bak

# Iterate over each line in passwd file
while IFS=: read -r username _; do
    # Disable all users except root
    if [ "$username" != "root" ]; then
        usermod --lock "$username"
        echo "User $username disabled."
    fi
done < /etc/passwd

echo "All non-root users disabled."
 


  • Novice
  • 5 replies
  • March 19, 2024

This is what I used on a Mac (based on Slammert’s script) and it was successful.

#!/bin/bash

# Check if the script is being run as root
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root"
    exit 1
fi

# Backup the original passwd file
cp /etc/passwd /etc/passwd.bak

# Iterate over each account in the local directory node.
# macOS keeps regular user accounts in Directory Services, not in /etc/passwd,
# and /etc/passwd starts with comment lines that would be read as usernames.
while IFS=: read -r username _; do
    # Disable all users except root
    if [ "$username" != "root" ]; then
        dscl . -create "/Users/$username" UserShell /usr/bin/false
        echo "User $username disabled."
    fi
done < <(dscl . -list /Users)

echo "All non-root users disabled."

