October 1, 2015

Last week's article walked through building a solution that automatically records which computer(s) a user logs into. That information is useful on its own, but it also opens the door to other possibilities. One of them is an automated process that forces a user off their computer(s) as soon as an administrator disables their domain account.

The following outlines a scheduled PowerShell script that logs a user's domain account off of any computer(s) they are currently logged into. The process is designed for Windows Server 2008 and later.

The first part of the PowerShell script should look similar to the one used in the Creating AD User Account Alerts article, since we again need the most recent instance of an event, this time Event ID 4725, which is logged when a domain account is disabled.

$Event = Get-EventLog -LogName Security -InstanceId 4725 -Newest 1

From this event, we now need to parse out the name of the domain account that was disabled and store it in a variable.

# For event 4725, ReplacementStrings[0] is TargetUserName, the sAMAccountName of the disabled account
$UserName = $Event.ReplacementStrings[0]


Next, we need to get the corresponding Distinguished Name of this user account from Active Directory.

# dsquery returns the DN wrapped in double quotes, so strip them before reusing it
$DN = dsquery user -samid $UserName
$DN = $DN -replace '"',""


Using this DN, we can query the ManagedBy attribute of the computer objects in Active Directory (the attribute populated by last week's solution) to determine which computer(s) this user is currently logged into.

# Each result is a quoted DN such as "CN=PC01,OU=Workstations,DC=contoso,DC=com";
# the first comma-separated piece minus its leading 4 characters ("CN=) is the computer name
$ComputerDNs = dsquery * -filter "(&(objectCategory=computer)(managedBy=$DN))"
$Computers = ""
ForEach ($ComputerDN in $ComputerDNs)
{
    $Computers+= ($ComputerDN -split ",")[0].substring(4) + ","
}


Because the names were extracted into a single comma-separated string, we now need to clean up the output so that we have a usable array of computer names.

$Computers = $Computers.Split(",",[System.StringSplitOptions]::RemoveEmptyEntries)

With all of this information, we can now loop through the list of computers that this user is logged into and force their logoff. Keep in mind that Win32Shutdown acts on the target machine's interactive console session, whoever is sitting at it, and does not touch Remote Desktop sessions, so the ManagedBy data needs to be current.

$SuccessList = ""
$FailList = ""
ForEach ($Computer in $Computers)
{
    IF (Test-Connection -ComputerName $Computer -Count 4 -Quiet)
    {
        # Win32Shutdown flag 4 = forced logoff of the interactive console session;
        # a reachable host is only a success if the call itself returns 0
        $Result = (Get-WmiObject Win32_OperatingSystem -ComputerName $Computer).Win32Shutdown(4)
        IF ($Result.ReturnValue -eq 0)
        {
            $SuccessList+= $Computer + "<br/>"
        } ELSE
        {
            $FailList+= $Computer + " (Win32Shutdown returned " + $Result.ReturnValue + ")<br/>"
        }
    } ELSE
    {
        $FailList+= $Computer + " (unreachable)<br/>"
    }
}


As a final touch, let's set up an e-mail confirmation that lets you, and any other administrators, know which computer(s) this user was logged off of, along with any where the logoff did not happen (e.g. the machine was not connected to the network).

$Body = @"
The Domain User $UserName has been successfully logged out of the following computer(s): <br/>
$SuccessList <br/>
The Domain User $UserName has NOT been logged out of the following computer(s), please verify: <br/>
$FailList <br/>
"@
Send-MailMessage -to "[Your E-Mail Address or Distribution List]" -from "[UserID Running the Scheduled Task]" -subject "Disabled User Logged Out of Computer(s)" -body $Body -SmtpServer "[SMTP Server IP]" -BodyAsHTML


When it is all put together, your PowerShell script should look something like this.

$Event = Get-EventLog -LogName Security -InstanceId 4725 -Newest 1

# For event 4725, ReplacementStrings[0] is TargetUserName, the sAMAccountName of the disabled account
$UserName = $Event.ReplacementStrings[0]

# dsquery returns the DN wrapped in double quotes, so strip them before reusing it
$DN = dsquery user -samid $UserName
$DN = $DN -replace '"',""

# Each result is a quoted DN such as "CN=PC01,OU=Workstations,DC=contoso,DC=com";
# the first comma-separated piece minus its leading 4 characters ("CN=) is the computer name
$ComputerDNs = dsquery * -filter "(&(objectCategory=computer)(managedBy=$DN))"
$Computers = ""
ForEach ($ComputerDN in $ComputerDNs)
{
    $Computers+= ($ComputerDN -split ",")[0].substring(4) + ","
}

$Computers = $Computers.Split(",",[System.StringSplitOptions]::RemoveEmptyEntries)

$SuccessList = ""
$FailList = ""
ForEach ($Computer in $Computers)
{
    IF (Test-Connection -ComputerName $Computer -Count 4 -Quiet)
    {
        # Win32Shutdown flag 4 = forced logoff of the interactive console session;
        # a reachable host is only a success if the call itself returns 0
        $Result = (Get-WmiObject Win32_OperatingSystem -ComputerName $Computer).Win32Shutdown(4)
        IF ($Result.ReturnValue -eq 0)
        {
            $SuccessList+= $Computer + "<br/>"
        } ELSE
        {
            $FailList+= $Computer + " (Win32Shutdown returned " + $Result.ReturnValue + ")<br/>"
        }
    } ELSE
    {
        $FailList+= $Computer + " (unreachable)<br/>"
    }
}

$Body = @"
The Domain User $UserName has been successfully logged out of the following computer(s): <br/>
$SuccessList <br/>
The Domain User $UserName has NOT been logged out of the following computer(s), please verify: <br/>
$FailList <br/>
"@
Send-MailMessage -to "[Your E-Mail Address or Distribution List]" -from "[UserID Running the Scheduled Task]" -subject "Disabled User Logged Out of Computer(s)" -body $Body -SmtpServer "[SMTP Server IP]" -BodyAsHTML
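The script above trusts two things it never checks: that the DN it drops into the LDAP filter contains no filter metacharacters, and that the person sitting at the console of a ManagedBy computer is still the disabled user. The following is an added example, not the original post's script, that keeps the same workflow but queries Active Directory with [ADSISearcher] (built into PowerShell 2.0, no dsquery or RSAT needed), escapes every value placed in a filter, and reads the console user from Win32_ComputerSystem before forcing a logoff, so a stale ManagedBy value cannot knock a different person off a shared or reassigned machine. The domain NetBIOS name is an assumed placeholder.

```powershell
# Added example, not the original post's script. Same workflow
# (event 4725 -> user -> ManagedBy computers -> forced logoff) with three changes:
#   1. AD is queried with [ADSISearcher] and every LDAP filter value is escaped.
#   2. The console user must match the disabled account before the forced logoff.
#   3. Each computer gets an explicit result instead of "reachable = success".

$DomainNetBios = "CONTOSO"   # assumption: NetBIOS name of your domain

function ConvertTo-LdapFilterValue {
    # Escape the characters that are special inside an LDAP search filter (RFC 4515),
    # so a DN or account name containing ( ) * \ cannot alter the query.
    param([Parameter(Mandatory = $true)][string]$Value)
    return $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-DisabledUserName {
    # Newest 4725 event; ReplacementStrings[0] is TargetUserName (sAMAccountName).
    $Event = Get-EventLog -LogName Security -InstanceId 4725 -Newest 1
    if ($Event) { return $Event.ReplacementStrings[0] }
    return $null
}

function Get-UserDistinguishedName {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    $Escaped  = ConvertTo-LdapFilterValue $SamAccountName
    $Searcher = [ADSISearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$Escaped))"
    $Searcher.PropertiesToLoad.Add("distinguishedName") | Out-Null
    $Result = $Searcher.FindOne()
    if ($Result) { return [string]$Result.Properties["distinguishedname"][0] }
    return $null
}

function Get-ManagedComputers {
    # Computer objects whose ManagedBy points at the user's DN.
    param([Parameter(Mandatory = $true)][string]$UserDN)
    $Escaped  = ConvertTo-LdapFilterValue $UserDN
    $Searcher = [ADSISearcher]"(&(objectCategory=computer)(managedBy=$Escaped))"
    $Searcher.PageSize = 500     # paged results; dsquery stops at 100 unless -limit is given
    $Searcher.PropertiesToLoad.Add("cn") | Out-Null
    $Names = @()
    foreach ($Result in $Searcher.FindAll()) {
        $Names += [string]$Result.Properties["cn"][0]
    }
    return $Names
}

function Invoke-VerifiedLogoff {
    # Returns a short status string describing what happened on one computer.
    param(
        [Parameter(Mandatory = $true)][string]$Computer,
        [Parameter(Mandatory = $true)][string]$ExpectedUser   # DOMAIN\sAMAccountName
    )
    if (-not (Test-Connection -ComputerName $Computer -Count 2 -Quiet)) {
        return "Unreachable"
    }
    try {
        # Win32_ComputerSystem.UserName is "DOMAIN\user" for the console session, or empty
        $ConsoleUser = (Get-WmiObject Win32_ComputerSystem -ComputerName $Computer -ErrorAction Stop).UserName
        if (-not $ConsoleUser) { return "No console session" }
        # -ne is case-insensitive in PowerShell, which suits DOMAIN\user comparisons
        if ($ConsoleUser -ne $ExpectedUser) { return "Skipped, console user is $ConsoleUser" }
        # Win32Shutdown flag 4 = forced logoff of the interactive console session
        $Status = (Get-WmiObject Win32_OperatingSystem -ComputerName $Computer -ErrorAction Stop).Win32Shutdown(4)
    } catch {
        return "WMI error: $($_.Exception.Message)"
    }
    if ($Status.ReturnValue -eq 0) { return "Logged off" }
    return "Win32Shutdown returned $($Status.ReturnValue)"
}

$UserName = Get-DisabledUserName
if (-not $UserName) { Write-Warning "No event 4725 found in the Security log"; return }
$UserDN = Get-UserDistinguishedName $UserName
if (-not $UserDN)   { Write-Warning "No user with sAMAccountName $UserName"; return }

$Results = @()
foreach ($Computer in Get-ManagedComputers $UserDN) {
    $Results += New-Object PSObject -Property @{
        Computer = $Computer
        Result   = Invoke-VerifiedLogoff -Computer $Computer -ExpectedUser "$DomainNetBios\$UserName"
    }
}
$Results | Format-Table Computer, Result -AutoSize
```

The per-computer status strings are what you would feed into the e-mail body in place of the success and fail lists. The account running the task still needs local administrator rights on the workstations for remote WMI, and a machine reported as "No console session" may still have a Remote Desktop session for the user, which Win32Shutdown does not end.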


Just like with the previous article on Creating AD User Account Alerts, you now need to schedule this PowerShell script in Task Scheduler on your domain controller, running as a domain account with the appropriate access. For the script to execute immediately whenever a user account is disabled, and therefore log the user out of any computer(s) they are logged into, configure the task to be triggered whenever Security Event ID 4725 occurs. Two things to keep in mind: Event 4725 is written only to the Security log of the domain controller that processed the change, so the task needs to exist on every domain controller; and because the script simply reads the newest 4725 event, two accounts disabled in quick succession can cause both task instances to act on the same event.
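Registering the task from XML, as an added example that is not part of the original post, solves both of those points: schtasks.exe works on Windows Server 2008 (Register-ScheduledTask only exists on 2012 and later), and the ValueQueries element of an event trigger hands the triggering event's EventRecordID to the script, so each run processes exactly the 4725 event that fired it rather than whatever is newest. Run it on each domain controller. The script path, task name and service account are assumed placeholders.

```powershell
# Added example, not from the original post. Creates the event-triggered task from
# XML (ValueQueries has no schtasks.exe switch) and shows the matching lookup the
# script uses to fetch the exact event by record ID.

$ScriptPath  = "C:\Scripts\Logoff-DisabledUser.ps1"   # assumption
$TaskName    = "Logoff Disabled User"                   # assumption
$RunAs       = "CONTOSO\svc-adlogoff"                   # assumption: account allowed to log users off
$TaskXmlPath = Join-Path $env:TEMP "LogoffDisabledUser.xml"

# `$(EventRecordID) is written with a backtick so it stays literal; Task Scheduler,
# not PowerShell, substitutes the value from the ValueQueries entry at trigger time.
$TaskXml = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[(EventID=4725)]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
      <ValueQueries>
        <Value name="EventRecordID">Event/System/EventRecordID</Value>
      </ValueQueries>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>$RunAs</UserId>
      <LogonType>Password</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>
    <Enabled>true</Enabled>
    <ExecutionTimeLimit>PT10M</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -ExecutionPolicy Bypass -File "$ScriptPath" -EventRecordID `$(EventRecordID)</Arguments>
    </Exec>
  </Actions>
</Task>
"@

# Task XML declares UTF-16, so write it as Unicode before importing
$TaskXml | Set-Content -Path $TaskXmlPath -Encoding Unicode
# /RP * makes schtasks prompt for the password instead of taking it on the command line
schtasks.exe /Create /TN $TaskName /XML $TaskXmlPath /RU $RunAs /RP * /F
Remove-Item $TaskXmlPath

# Inside Logoff-DisabledUser.ps1, replace the "Get-EventLog ... -Newest 1" lookup with:
#   param([Parameter(Mandatory = $true)][long]$EventRecordID)
#   $UserName = Get-DisabledUserFromRecord $EventRecordID
function Get-DisabledUserFromRecord {
    param([Parameter(Mandatory = $true)][long]$EventRecordID)
    $Event = Get-WinEvent -LogName Security -FilterXPath "*[System[EventRecordID=$EventRecordID]]"
    # The event XML carries <EventData><Data Name="TargetUserName">...</Data>
    $Data = ([xml]$Event.ToXml()).Event.EventData.Data
    return ($Data | Where-Object { $_.Name -eq "TargetUserName" }).'#text'
}
```

MultipleInstancesPolicy is set to Queue so that back-to-back 4725 events each get their own run with their own record ID instead of the second one being dropped.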

By creating this PowerShell script and scheduling it on your domain controller(s), you now have an automated solution in place to log disabled domain accounts off of the computer(s) they are logged into. You also receive an e-mail whenever the script is triggered, listing the computer(s) the domain account was logged off of along with any where the logoff did not happen at the time of execution. While this should not be used as a replacement for proper business practices for employee termination, it can be a helpful backup for instances where the domain account has been disabled before corporate security, human resources, or the employee's direct manager have made it to their desk to escort them out.
