
This worklet changes the local user’s password and logs them out of the computer. This is useful in instances where there is a security risk or an abrupt/unexpected termination.



Evaluation

# Always report non-compliant so the remediation runs on every targeted device
exit 1



Remediation



#Credit for parts of this script go to Progress

$logoutReset = {
    #Set the username that should have its password changed and sessions logged off on the targeted workstations
    $user = 'jeff'
    $password = 'y0urn3wPa$$woRd_heR3'

    #Comment out the line below if you do not need to change the password locally but prefer to change it in Active Directory
    #(output is discarded so that only $user is returned from this script block)
    net user $user $password | Out-Null

    $ErrorActionPreference = 'Stop'
    $quser = "C:\Windows\Sysnative\quser.exe"
    $logoff = "C:\Windows\Sysnative\logoff.exe"

    try {
        ## Find all sessions belonging to the specified username (exact match on the USERNAME column,
        ## allowing for the '>' marker quser puts in front of the current session)
        $sessions = & $quser | Where-Object { $_ -match ("^\s*>?" + [regex]::Escape($user) + "\s") }

        ## Parse the session ID from each line: it is the first field made up only of digits
        ## (disconnected sessions have no SESSIONNAME column, so a fixed index is unreliable)
        $sessionIds = foreach ($s in $sessions) {
            ($s.Trim() -split ' +') | Where-Object { $_ -match '^\d+$' } | Select-Object -First 1
        }

        ## Loop through each session ID and pass each to the logoff command
        $sessionIds | ForEach-Object {
            Write-Host "Logging off session id [$($_)]..."
            & $logoff $_
        }
    } catch {
        if ($_.Exception.Message -match 'No user exists') {
            Write-Host "The user is not currently logged on."
        } else {
            throw $_.Exception.Message
        }
    }
    return $user
}

## $user is scoped inside the script block, so capture its return value here
$user = & $logoutReset
Write-Output "User $user password changed and workstation locked."
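The fragile step in the worklet above is reading the session ID out of quser's fixed-width output: the current session is prefixed with `>`, and a disconnected session has no SESSIONNAME column, so a fixed field index lands on the wrong column. The following is an added example (not part of the original worklet) that parses each quser row with a regex into objects, matches the username exactly rather than as a substring, and only then hands IDs to logoff.exe. The quser output embedded in it is constructed for the demonstration; the function and variable names are my own.

```powershell
# Added example, not part of the original worklet. The quser text below is constructed:
# it shows the '>' marker on the caller's own session, a disconnected session with no
# SESSIONNAME column, and a different user whose name merely starts with 'jeff'.
$sampleText = @'
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>jeff                  console             1  Active      none   3/4/2024 8:02 AM
 jeff                                      3  Disc         1:12  3/4/2024 9:15 AM
 jeffrey               rdp-tcp#2           4  Active        .    3/4/2024 9:40 AM
'@
$sampleQuser = $sampleText -split "`r?`n"

function ConvertFrom-QuserOutput {
    param([string[]]$Lines)
    # user, optional session name, numeric id, state. The header row never matches
    # because its ID column holds the word "ID" rather than digits.
    $pattern = '^\s*>?(?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+(?<state>\S+)'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                User    = $Matches['user']
                Session = $Matches['session']   # $null for disconnected sessions
                Id      = [int]$Matches['id']
                State   = $Matches['state']
            }
        }
    }
}

function Get-UserSessionId {
    param([string[]]$Lines, [string]$User)
    # -eq is case-insensitive in PowerShell and, unlike -match, does not treat
    # 'jeff' as a prefix of 'jeffrey'
    ConvertFrom-QuserOutput -Lines $Lines |
        Where-Object { $_.User -eq $User } |
        ForEach-Object { $_.Id }
}

function Disconnect-UserSessions {
    param(
        [string]$User,
        [string]$QuserExe  = "$env:SystemRoot\Sysnative\quser.exe",
        [string]$LogoffExe = "$env:SystemRoot\Sysnative\logoff.exe"
    )
    # Live path: run quser on the device and log off every session owned by $User.
    # quser writes "No User exists for *" to stderr when nobody is logged on;
    # merging it into stdout keeps it from surfacing as a terminating error.
    $ids = @(Get-UserSessionId -Lines (& $QuserExe 2>&1) -User $User)
    foreach ($id in $ids) {
        Write-Host "Logging off session id [$id]..."
        & $LogoffExe $id
    }
    return $ids.Count
}

# Offline demonstration on the constructed sample: yields 1 and 3, not jeffrey's 4
Get-UserSessionId -Lines $sampleQuser -User 'jeff'
```

On a real device, `Disconnect-UserSessions -User 'jeff'` replaces the try/catch block in the worklet; everything else in the worklet (the `net user` reset, the 64-bit `Sysnative` paths) stays as it is.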

So I needed something like this but wanted to add a bit to it. This version will:

Disable ALL local user accounts on the workstation

Clear cached credentials on the workstation

Reboot

As long as the terminated employee account is disabled, the machine is useless to them until it is brought back to the office and then someone with a valid user account can access it when connected to the network. 

# Using a scriptblock to relaunch in the native 64-bit environment, because none of this works in 32-bit
$scriptblock = {
    #Disable all local users
    Get-LocalUser | Disable-LocalUser
    #Clear all domain cached credentials
    # Set variables to indicate value and key to set
    $RegistryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $Name = "CachedLogonsCount"
    $Value = "0"
    Set-ItemProperty -Path $RegistryPath -Name $Name -Value $Value
    #Reboot
    Restart-Computer -Force
}
$LockDown = & "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptblock

Hope this helps, y'all.
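Disabling every local account, as the script above does, also disables any break-glass local administrator, and it leaves no record of which accounts were enabled beforehand. The following is an added example (my own code, not the poster's script) that applies the same lockdown with an allow-list and writes a JSON record of the prior state before changing anything, so the device can be restored when it comes back to the office. The account name `BreakGlass`, the record path under `%ProgramData%` and the function name are assumptions for the demonstration.

```powershell
# Added example, not the poster's script. 'BreakGlass' is an assumed name for a local
# admin account that must stay usable; adjust to your environment.
$KeepEnabled = @('BreakGlass')
$RecordPath  = Join-Path $env:ProgramData ("lockdown-{0}.json" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Invoke-LocalLockdown {
    param([string[]]$Keep, [string]$Record)

    # Only accounts that are currently enabled and not on the allow-list will change
    $users = @(Get-LocalUser | Where-Object { $_.Enabled -and ($Keep -notcontains $_.Name) })

    # Current cached-logon setting, so the record shows what to restore (null if unset)
    $cached = (Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount

    # Write the rollback record before making any change
    [pscustomobject]@{
        When              = (Get-Date).ToString('o')
        DisabledUsers     = @($users | ForEach-Object { $_.Name })
        CachedLogonsCount = $cached
    } | ConvertTo-Json | Set-Content -Path $Record

    foreach ($u in $users) { Disable-LocalUser -Name $u.Name }
    Set-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -Value '0'
    return $users.Count
}

$count = Invoke-LocalLockdown -Keep $KeepEnabled -Record $RecordPath
Write-Output "Disabled $count local account(s); rollback record at $RecordPath"
# Restart-Computer -Force   # uncomment to reboot as the original script does
```

To restore, read the JSON back and run `Enable-LocalUser` for each name in `DisabledUsers`, then put `CachedLogonsCount` back to the recorded value. As in the original post, this has to run from the 64-bit PowerShell (the `sysnative` path) when the agent itself is 32-bit.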


I have a similar script that I use in Incident Response with Crowdstrike. But to improve the security of this operation a bit, I set a random password:

Add-Type -AssemblyName System.Web   # loads System.Web.Security.Membership (Windows PowerShell)
$newPass=[System.Web.Security.Membership]::GeneratePassword(16,2)

Then the legitimate user changes it or the Domain Admin once the incident is finished.
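`System.Web.Security.Membership` is part of the .NET Framework only, so the one-liner above works in Windows PowerShell 5.1 but not in PowerShell 7. The following is an added example (my own code, not the poster's snippet) that generates the random password with the CSPRNG available in both runtimes and uses rejection sampling so no character is favoured by modulo bias. The function name, alphabet and the account name `jeff` are assumptions for the demonstration.

```powershell
# Added example, not the poster's snippet. Works on Windows PowerShell 5.1 and PowerShell 7.
function New-RandomPassword {
    param(
        [int]$Length = 16,
        # Alphabet omits look-alike characters (0/O, 1/l/I) that are easy to mistype when read back
        [string]$Alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    )
    $chars  = $Alphabet.ToCharArray()
    $rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buffer = New-Object byte[] 4
    $out    = New-Object char[] $Length
    # Largest multiple of the alphabet size that fits in a uint32; random values at or
    # above it are discarded so every character is equally likely
    $limit  = [uint32]::MaxValue - ([uint32]::MaxValue % $chars.Length)
    $i = 0
    while ($i -lt $Length) {
        $rng.GetBytes($buffer)
        $n = [System.BitConverter]::ToUInt32($buffer, 0)
        if ($n -ge $limit) { continue }          # rejection sampling
        $out[$i] = $chars[[int]($n % $chars.Length)]
        $i++
    }
    $rng.Dispose()
    return (-join $out)
}

# Reset the account to a value nobody knows; the new password belongs in the incident
# record, not on the endpoint, so it is never written to the console or a log here
$user    = 'jeff'   # assumption: the account being locked out
$newPass = New-RandomPassword -Length 20
net user $user $newPass | Out-Null
Write-Output "Password for $user reset to a random value."
```

When the incident is closed, the legitimate user or a Domain Admin sets a fresh password as described above; the random value is only meant to close the account for the duration of the response.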


Is there a worklet to lock a linux device?


If you aren’t using AD would you just leave this portion out? Or leave it in but don’t edit it? 


Might be a dumb question, but I'm a newbie 😬

I figured this out! 😃 Carry on lol 


Is there a worklet to lock a linux device?

This will disable all linux accounts except root.

#!/bin/bash

# Check if the script is being run as root
if [ "$EUID" -ne 0 ]; then
    echo "This script must be run as root"
    exit 1
fi

# Backup the original passwd file
cp /etc/passwd /etc/passwd.bak

# Iterate over each line in passwd file
while IFS=: read -r username _; do
    # Disable all users except root
    if [ "$username" != "root" ]; then
        usermod --lock "$username"
        echo "User $username disabled."
    fi
done < /etc/passwd

echo "All non-root users disabled."


This is what I used on a Mac (based on Slammert’s script) and it was successful

#!/bin/bash

# Check if the script is being run as root
if [ "$EUID" -ne 0 ]; then
    echo "This script must be run as root"
    exit 1
fi

# Backup the original passwd file
cp /etc/passwd /etc/passwd.bak

# Iterate over each line in passwd file
while IFS=: read -r username _; do
    # Disable all users except root by replacing their login shell
    if [ "$username" != "root" ]; then
        dscl . -create "/Users/$username" UserShell /usr/bin/false
        echo "User $username disabled."
    fi
done < /etc/passwd

echo "All non-root users disabled."

