[Dshield] Force Remote Windows User Lock-Out/Disable

BGaudreault Brian BGaudreault at edrnet.com
Fri Feb 15 22:54:25 GMT 2008


Hello,

 

Not sure if this question is appropriate for this group (the group says
it's good for IT Security discussions).

 

I'm trying to determine the best way to force a remote Windows user to
be locked-out/disabled from their computer at a specific time.

 

Ideally the technique should work when they aren't connected to the
corporate network and it would have the immediate effect of preventing
the person from interacting with a logged-in session.  The computer does
not need to be turned off or rebooted, but the person should not be able
to logon again using a local account or cached account.  Any
suggestions?  I'd even take suggestions on special agents that require
you to be connected to the corporate network.

 

BTW, my best scenario so far is to schedule a registry change at the
time we need to lock out the cached user account on the computer.  But
for the registry value to take effect, you have to reboot the computer
and the user could still log in to a local user account if they had
one.  The registry value is
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount
(REG_SZ), and we would set it to '0'.
We would of course then change their domain account password and/or
disable their account in case they tried to reconnect to the domain.

 

Brian
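
The registry change described in the post, together with a check for the enabled local accounts it mentions as a remaining way to log on, as an added PowerShell example that is not part of the original message. The function names and the `-Apply` switch are hypothetical, and `Get-LocalUser` assumes Windows PowerShell 5.1 or later run from an elevated prompt.

```powershell
# Added example, not from the original post. Audits by default; writes only with -Apply.
param([switch]$Apply)

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName   = 'CachedLogonsCount'   # REG_SZ, as stated in the post

function Get-CachedLogonSetting {
    # Returns the current string value, or $null when the value is absent.
    $item = Get-ItemProperty -Path $WinlogonKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Disable-CachedLogon {
    # Writes '0' as a string value, matching the REG_SZ type named in the post.
    Set-ItemProperty -Path $WinlogonKey -Name $ValueName -Value '0' -Type String
}

function Get-EnabledLocalAccount {
    # Local accounts that remain usable for logon regardless of the cached-logon
    # setting; this is the gap the post points out.
    Get-LocalUser | Where-Object { $_.Enabled } |
        Select-Object Name, LastLogon, PasswordLastSet
}

$before = Get-CachedLogonSetting
if ($Apply) { Disable-CachedLogon }
$after = Get-CachedLogonSetting

# One summary object per machine, suitable for Export-Csv or a central log.
[pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    CachedLogonsBefore   = $before
    CachedLogonsAfter    = $after
    ChangeApplied        = [bool]$Apply
    EnabledLocalAccounts = (Get-EnabledLocalAccount).Name -join ', '
}
```

Without `-Apply` the script only reports, so the list of enabled local accounts can be reviewed before the change is scheduled.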

 


