LITTLEBLACKDOG.COM
GibsonSG
Tail-Wagger


Joined: 26 Aug 2003 Age: 27 Posts: 2900
Location: Lubbock, TX
Posted: Thu Mar 06, 2008 6:41 am    Post subject: Looking for a way to lock a workstation remotely
So the higher-ups came to me yesterday with an odd request. They want a way to "at a moment's notice" lock a user's workstation down and disable login. They say it's for those situations when somebody needs to get fired.... if that's the case, why not just call the person out of their office and have someone else walk in and just lock the workstation, and then disable login in AD?
I think what they really want this for is to catch people surfing the web, or other such things, when they should be working. In which case it would have been much easier to tell me that and we could do some sort of monitoring instead.
But, all things aside.... I know I can lock an account with Active Directory.... but is there a similarly easy way to log someone out of their workstation, or just simply lock the workstation remotely? Is this something I could do with PsTools maybe?
_________________ This pan will kill your whole family, dig them up and eat them, and then vomit them back into their graves! Ctrl-Alt-Del
ThunderDawg
Alpha Dog


Joined: 14 Apr 2002 Posts: 16415
Location: In a Godda da Vita, Honey
Posted: Thu Mar 06, 2008 8:23 am
C:\Windows\System32\rundll32.exe user32.dll,LockWorkStation
_________________ This space (_______) intentionally left blank.
T
Curmudgeon

Joined: 17 May 2001 Posts: 16060
Location: Airstrip One
Posted: Thu Mar 06, 2008 9:29 am
psshutdown
-l = lock workstation
-o = log off
_________________ Got questions? Click here.
Still got questions? Click here, too.
affabletoaster, Akely, anglachel, blahpony, CMTG, EdisonRex, Elk, Equin, evilness, Fido, fathertyme, Goddess, Jaymac, je, jodygirl, KingKobra, Lycander, mally, Max, OhioArt2, perrito_blanco, Rover, Spot, sully_51, Superdwarf, the taz man, thriftyjack, twiztid, wrathiron, yiayia49
A journey of 3,500 miles begins with a single comic.
Would you like good music at a price that is right? CD Baby, baby.
The best way to blow off steam is to blow off someone's nadgers.
BamZipPow
Alpha Dog


Joined: 02 Aug 2001 Posts: 17193
Location: Driving EEp all over the place...
Posted: Thu Mar 06, 2008 9:52 am
T
Curmudgeon

Joined: 17 May 2001 Posts: 16060
Location: Airstrip One
Posted: Thu Mar 06, 2008 9:55 am
BamZipPow wrote: Download link...
Better download link...
T
Curmudgeon

Joined: 17 May 2001 Posts: 16060
Location: Airstrip One
Posted: Thu Mar 06, 2008 10:51 am
Locking the workstation won't stop the user from unlocking it.
If you want to stop the user using that computer, you're best off using the -o option (possibly combined with -f and -t 0) after setting a policy on the machine which inhibits interactive logons for that user account.
GibsonSG
Tail-Wagger


Joined: 26 Aug 2003 Age: 27 Posts: 2900
Location: Lubbock, TX
Posted: Thu Mar 06, 2008 12:35 pm
T wrote: Locking the workstation won't stop the user from unlocking it.
If you want to stop the user using that computer, you're best off using the -o option (possibly combined with -f and -t 0) after setting a policy on the machine which inhibits interactive logons for that user account.

Yeah, I just discovered this on my own. -o does the trick. So basically, there's no way I'm going to be able to lock the computer down where the user can't do anything at all whatsoever without forcing a logoff and having any open programs get closed and possibly losing stuff that had not been saved?
I'm assuming after the initial login, when a station is locked it just verifies the password locally to unlock it? Is there a way to force it to poll the DC for an unlock? Although, I suppose doing something like this would prevent you from logging onto the computer at all in the event that a DC couldn't be contacted, eh?
T
Curmudgeon

Joined: 17 May 2001 Posts: 16060
Location: Airstrip One
Posted: Thu Mar 06, 2008 1:15 pm
I'm not sure how one could poll the DC when unlocking a workstation. I know from my own experience that, after changing my password, I could unlock existing sessions on other PCs with the old password.
One option which crossed my mind when Googling for "disable keyboard remotely" was using VNC or other remote-control software. It's possible to disable local input devices when a remote session is initiated.
EdisonRex
Guide Dog


Joined: 06 May 2002 Posts: 9973
Location: Not Moscow
Posted: Thu Mar 06, 2008 1:36 pm
We've done some basic tricks in this regard, and yes, it's been asked before.
Remote shutdown after first changing the user's password works a treat.
Second trick: removing the machine from the domain first. Preserves what's on the C drive.
Generally, I think when they say lock the machine they mean kill the machine. When the guy looks up, there had better be executive-level people looking at him; otherwise, they will come looking for you. This all should be choreographed.
_________________ Garret: It's so retro.
EGM: What does retro mean to you?
Parker: Like, old and outdated.
GibsonSG
Tail-Wagger


Joined: 26 Aug 2003 Age: 27 Posts: 2900
Location: Lubbock, TX
Posted: Thu Mar 06, 2008 2:35 pm
EdisonRex wrote:
Generally, I think when they say lock the machine they mean kill the machine. When the guy looks up, there had better be executive-level people looking at him; otherwise, they will come looking for you. This all should be choreographed.

Oh yeah, definitely.... I made that abundantly clear because not 2 weeks after I started this job they put me in a bad situation that was similar. They had a guy they wanted to fire.... he worked in the field and never came into this office. So one day he shows up out of the blue and says he's dropping off his laptop for a "software update". I've never met this guy, no idea what's going on.... I'm just like "Uh .... yeah.... that update, right..... probably take a day or so" and as soon as he leaves I go looking for the boss to find out wtf is going on. He tells me just to hold on to the laptop and if he calls back tell him there are complications and I'm still working on it.
In the end, they decided they weren't going to fire him, and told me to give him his laptop back. Then not 2 weeks later they did the same thing again without telling me, but actually fired him that time.
Originally the top 3 in the company wanted to be able to do this themselves, and I told them no... it went through me or it wasn't going to happen. I'm not giving admin access to the domain controller to 3 people who have no idea what they're doing.
As far as the method.... what I've determined to be best is to just disable the account on the DC, propagate it to the secondary DC, then psshutdown -of to force a logoff. When the user tries to log back in they get a message that the account is disabled. Ideally, before this happens they will have called the person in question into a "meeting" so they never see that message, and I'm going to make sure that is the case before I initiate the lockout.
I think what started this whole thing was a couple of months back they fired an employee and let him return to his office to collect his personal things, and didn't supervise it because they felt that it was happening on good terms. While he was in there he deleted a bunch of stuff from his laptop, and since he wasn't following proper procedures and keeping his project files on the network we lost a couple of months' worth of work on the project he was working on. To compound the issue, I wasn't informed he was let go until 2 hours later. Guy could have logged in via VPN and done god knows what, he still had access to company email, etc.... not a good situation.
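The sequence GibsonSG settles on (disable the account on the DC, propagate it to the other DC, then psshutdown -o -f to force the logoff), with T's point that -l alone won't keep the user out and EdisonRex's password-reset trick folded in, scripted as an added example. This is not code from the thread or from any of the posters; it assumes the RSAT ActiveDirectory module (which did not exist on the 2008-era systems in the thread), Sysinternals psshutdown.exe on the PATH, admin rights on the DCs and the workstation, and hypothetical account and computer names. The checks between steps are the point: nothing touches the workstation until every DC reports the account disabled.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the thread. Assumes RSAT's ActiveDirectory module,
# Sysinternals psshutdown.exe on PATH, and admin rights on the DCs and the workstation.
# Account name, computer name and DC names used with it are hypothetical.

function Invoke-AccountLockout {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,   # e.g. 'jdoe' (hypothetical)
        [Parameter(Mandatory)] [string] $ComputerName,     # workstation the user is sitting at
        [string[]] $DomainController = (Get-ADDomainController -Filter * |
                                        Select-Object -ExpandProperty HostName),
        [switch]   $ResetPassword,   # EdisonRex's trick: scramble the password as well
        [switch]   $LockOnly         # psshutdown -l: lock the screen but keep the session
    )

    if (-not $PSCmdlet.ShouldProcess("$SamAccountName on $ComputerName",
                                     'Disable account, replicate, force logoff')) { return }

    $primary = $DomainController[0]
    $user    = Get-ADUser -Identity $SamAccountName -Server $primary

    # 1. Disable the account. This only blocks NEW logons; the running session survives,
    #    and a locked screen will still accept the cached password.
    Disable-ADAccount -Identity $user -Server $primary

    # 2. Optionally reset the password to a random value so VPN, mail and any cached
    #    credential stop working even where the disable has not been seen yet.
    if ($ResetPassword) {
        $chars = [char[]](33..126)                      # printable ASCII, no space
        $new   = -join (1..32 | ForEach-Object { $chars | Get-Random })
        Set-ADAccountPassword -Identity $user -Server $primary -Reset `
            -NewPassword (ConvertTo-SecureString $new -AsPlainText -Force)
    }

    # 3. Push the change to every other DC now rather than waiting for the replication
    #    schedule, then verify before touching the workstation.
    foreach ($dc in ($DomainController | Where-Object { $_ -ne $primary })) {
        Sync-ADObject -Object $user.DistinguishedName -Source $primary -Destination $dc
    }
    $stillEnabled = $DomainController | Where-Object {
        (Get-ADUser -Identity $SamAccountName -Server $_).Enabled
    }
    if ($stillEnabled) {
        throw "Account still enabled on: $($stillEnabled -join ', '); not logging off."
    }

    # 4. End (or merely lock) the session.
    #    -o = log off, -f = force open programs closed, -t 0 = no countdown.
    $target = "\\$ComputerName"
    if (Get-Command psshutdown.exe -ErrorAction SilentlyContinue) {
        if ($LockOnly) { & psshutdown.exe -accepteula -l $target }
        else           { & psshutdown.exe -accepteula -o -f -t 0 $target }
    } elseif (-not $LockOnly) {
        # No Sysinternals binary: WMI Win32Shutdown, Flags 4 = forced logoff.
        Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $ComputerName |
            Invoke-CimMethod -MethodName Win32Shutdown -Arguments @{ Flags = 4 } | Out-Null
    } else {
        throw "Remote lock needs psshutdown.exe; LockWorkStation must run in the user's own session."
    }
}

# Usage (hypothetical names), once the person has been called into the "meeting".
# -WhatIf prints what would happen and exits before the account is touched:
# Invoke-AccountLockout -SamAccountName jdoe -ComputerName WS-LUBBOCK-07 -ResetPassword -WhatIf
```

The default is a forced logoff rather than a lock for exactly the reason T gives: once the screen is locked, Windows validates the unlock against what it already has for that session, so disabling the account afterwards does nothing until the session ends. Unsaved work is lost on a -f logoff, which is the trade-off GibsonSG asks about; there is no remote option here that both preserves the session and keeps the user out of it.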
EdisonRex
Guide Dog


Joined: 06 May 2002 Posts: 9973
Location: Not Moscow
Posted: Thu Mar 06, 2008 2:49 pm
I've spent the last 3 weeks in an internal IT infrastructure audit. The auditors have been very diligent in asking just these sorts of questions. My comment to my boss in the USA was "I don't mind the gloves but I wouldn't mind more lube". This subject was actually raised during the audit, and no, we don't have a procedure. It appears very few actually do, by their admission, and I won't get a point for not having one. But they were impressed that we are so integrated into the unwritten process, mainly because I think my management actually does trust us to do our job.
All you can do is make sure they tell you. And no, they really really should not be able to mess with your infrastructure. Let them have card access to your room; the auditors hate that too.
GibsonSG
Tail-Wagger


Joined: 26 Aug 2003 Age: 27 Posts: 2900
Location: Lubbock, TX
Posted: Thu Mar 06, 2008 2:58 pm
EdisonRex wrote: And no, they really really should not be able to mess with your infrastructure. Let them have card access to your room; the auditors hate that too.

lol, IT from bigger companies would probably have a coronary if they walked in here. My server room doesn't even have a door on it, it's wide open. I think I have actually talked them into letting me move everything into the basement and locking that door so any joe blow that might be roaming around in here can't walk in and start messing with stuff.
But, this is a very small company, 20 people total... not a whole lot of visitors to the office. The boss (and when I say "the boss" I'm talking about the guy that owns the company) brings his dog to work with him. It's not a rare occurrence for us to shut the office down early and go out to a bar for drinks. Not your run-of-the-mill type of place. I don't really face the same kinds of problems that you guys at the bigger places do. I would never really face an internal IT infrastructure audit, for example.
CMTG
Leg Humper


Joined: 23 Feb 2002 Posts: 4869
Location: On average, Cheltenham.
Posted: Fri Mar 07, 2008 12:21 am
GibsonSG wrote: EdisonRex wrote: And no, they really really should not be able to mess with your infrastructure. Let them have card access to your room; the auditors hate that too.

lol, IT from bigger companies would probably have a coronary if they walked in here. My server room doesn't even have a door on it, it's wide open. I think I have actually talked them into letting me move everything into the basement and locking that door so any joe blow that might be roaming around in here can't walk in and start messing with stuff.
But, this is a very small company, 20 people total... not a whole lot of visitors to the office. The boss (and when I say "the boss" I'm talking about the guy that owns the company) brings his dog to work with him. It's not a rare occurrence for us to shut the office down early and go out to a bar for drinks. Not your run-of-the-mill type of place. I don't really face the same kinds of problems that you guys at the bigger places do. I would never really face an internal IT infrastructure audit, for example.

This firing procedure seems a bit overkill in a place where everybody can't not know everybody else... You could just have the boss walk over, yank the power and say "you're fired" in his most authoritative voice.
_________________ Pie. I wish I could
constrain my hungry greed but...
Sadly, defeated.
"Have I seen you at the gym? I don't go to the gym, I'm just naturally like this..."
- Captain Hammer
Pakiii
Tail-Wagger


Joined: 22 Jul 2002 Posts: 2065
Location: KS, USA
Posted: Fri Mar 07, 2008 4:38 am
I've found that having the boss with a couple of people from security come over and ask them to lock their workstation and come with them works better. Also, having them escorted the entire time.
Why would you use an IT measure that is not foolproof for a problem that is not IT related?
_________________ "Because men know that the conquest of one's own weakness is a far, far, more difficult task than any other, they tend to believe that he who can conquer himself can also conquer whatever problem is at hand" - Rear Admiral Harley Cope
squashman
Big Dog


Joined: 08 Oct 2001 Posts: 3460
Location: 1265 Lombardi Ave.
Posted: Fri Mar 07, 2008 8:58 am
Another thing I liked about Netware and Zenwork: you could remote into a machine and lock them out.
Joeware has lots of neat utilities. I don't know if any of them will help. Can't you remotely change the local password then lock the machine?
http://www.joeware.net/freetools/
I guess I would go the route of just firing them on Friday. Lock out their accounts Thursday after they leave work and when they come in Friday just let them go.
Powered by phpBB
© 2001, 2002 phpBB Group
All times are GMT - 8 Hours