Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-17 22:18:39 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 44
fleet/scripts/mdm/windows/windows-lock.ps1
Dante Catalfamo 5413f8d2b2
Windows locking script was missing from embedded script (#20427) 
As part of this PR #20224, I added the new script to one location but
didn't notice that it wasn't included in the embedded scripts directory.

This also adds an unlock script that will reset the registry values to
their original settings
2024-07-18 11:50:12 -04:00

47 lines
2.2 KiB
PowerShell
Raw Blame History

# PowerShell script to log off all non-administrative users and disable their accounts
# Log off all non-administrative users
$loggedOffUsers = @{}
Get-WmiObject -Class Win32_UserProfile | Where-Object { $_.Special -eq $false } | ForEach-Object {
$username = $_.LocalPath.Split('\')[-1]
if ($username -ne "Administrator" -and $username -ne $env:USERNAME -and -not $loggedOffUsers.ContainsKey($username)) {
try {
$userSessions = query user | Where-Object { $_ -match "\b$username\b" }
foreach ($session in $userSessions) {
if ($session -match "\s+(\d+)\s+Disc\s+") {
# Disconnected sessions can't be logged off
continue
}
elseif ($session -match "\s+(\d+)\s+") {
$sessionID = $matches[1]
logoff $sessionID
$loggedOffUsers[$username] = $true
Write-Host "Logged out user: $username"
}
}
} catch {
Write-Host "Could not log off user: $username. Error: $($_.Exception.Message)"
}
}
}
# Disable all non-administrative local user accounts
Get-LocalUser | Where-Object { $_.Enabled -eq $true -and $_.Name -ne "Administrator" } | ForEach-Object {
$username = $_.Name
Disable-LocalUser -Name $username
Write-Host "Disabled account for $username"
}
# Disable additional AD logins
New-ItemProperty -Path "HKLM:\Software\Microsoft\PolicyManager\default\Settings\AllowSignInOptions" -Name 'value' -Value 3 -PropertyType DWORD -Force
# Disable cached logins for AD/Azure/Entra accounts
New-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name 'CachedLogonsCount' -Value 0 -PropertyType String -Force
Write-Host "All local non-administrative users have been logged out and their accounts disabled."
Write-Host "Logging in with other Microsoft accounts has been disabled"
Write-Host "Cached Logins have been disabled, disable the MDM-Enroled account to prevent further logins"
# Shutdown computer in 15 seconds, after command has returned to fleet
Write-Host "Shutting down in 15 seconds"
shutdown /s /f /t 15
Reference in a new issue View git blame Copy permalink