can I logoff all workstations from a DC?

[josh0227]

Is it possible for me to logoff (kick off) all of the workstations on a domain, either using a GPO or something else? I know that you can set a logon and logoff hour time, but that is tedious to do it for every user. Any ideas? We are trying to do server maintenence with no network activity.

thanks.

 

[PScottC]

Create a text list of all your workstations and run a script to shut them all down or log them off. Here's a simple batch file that will read a text file called ws.txt... (This will also use the PSTools available from sysinternals.com)

for /F %%a in (ws.txt) do (
    psexec \\%%a shutdown -l -f
    )

The shutdown command is available on all Windows XP workstations. If you are dealing with 2000 workstations you will have to use another command.

The point of this is to illustrate how to use the FOR command to parse a text file and execute a command.

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers

 

[josh0227]

I'm a little confused as to where I insert the computer names. Do I run the .bat file from the server, or implement it through a gpo?

 

[PScottC]

You would create a list of all your workstations and list them in a text file. The FOR command opens the text file and reads the hostnames line by line and puts them into a variable (%%a). Then a command is executed using the hostname of the workstation. The FOR command is a loop and will cycle until all iterations are done.

Which command you use to log the station off is up to you as long as it boots the workstation off the network. Depending on which OS is running on the client, different commands may be needed. My example would only work on Windows XP systems.

When you are ready, you execute this batch file from a server or workstation of your choice (logged in with domain admin rights).

I hope this helps.

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers

 

[josh0227]

for the computer name, do I want to use the real name or the fqdn? Also, the psexec is not being recognized as a command in dos. Any ideas?

 

[Goner05]

You need to download the psecec from sysinternals.com and extract it to the same folder that you are running this batch command from.

I just use the computer name in the text file (eg. computer01)

Goner05

 

[Goner05]

oops psexec ont psecec. I'll learn how to spell one of these days.

 

[PScottC]

As Goner mentioned, you have to download the PSTools from the internet.

The reason I suggest PSEXEC is because the shutdown command on XP doesn't support the -l switch with the -m switch. What this means is that you can't cause the station to "logoff" by remote. You can shutdown the station by remote, you just can't boot the user off the console. The psexec solution bypasses this by executing the command on the local machine.

If you want to fully shut down the workstation, you can do that instead...

shutdown -m \\stationname -f

In the FOR command you would substitute %%a for stationname.

I'm trying to teach you to fish, not just give you a fish.

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers

 

[Dante808]

If all the users are connected to a seprate network simply physically disconnect them.

If not, you could disallow thier group to log onto the domain through GPO, then reboot the server without notice. Both of these methods means possible data loss though, and probably a bad idea.

The best solution would be to make users aware by creating a login message warning them of the scheduled TIME and date of the maintenence in advanced. Send out netsend messages every 5 minutes to every workstation 30 minutes prior to kicking them off. It would be then ok I guess to kick them, since they should know. If you use the shutdown command as explained, they will have a notice and countdown to save anywork they are doing. But of course if they are not looking at the time they still lose work. They can then reboot and use thier computers, but not the domain.

All of this can be done with simple batch files and the scheduling agent. Cept maybe the GPO part.

 

[Dante808]

BTW you still may get network activity if you have alot of users and mostly alot of people who like rebooting and requesting access from the server.

Phisically disconnecting is the neatest solution in this case, if at all possible.

 

[josh0227]

I downloaded pstools and put the psexec file in the folder with the other two files. I executed the .bat file which referred to the .txt file with my test computer name in it. When I ran the file, this is the message that I got:

Couldn't access (my computer name)
the network location cannot be reached. For information about network troubleshooting, see windows help.
Make suer that file and print sharing services are enabled on (my computer name)

what should I do now?

 

[PScottC]

Are the machines running XP SP-2? If the firewall is enabled you would get a message like that.

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers

 

[NetIntruder]

you are trying to do server maintenance with no network activity... you can look at the open files on the server in question to see if anyone has anything open and close connections to that specific server from there. Change the local security policy to deny connections from all but administrator and when you're done change the policy back.

Just a thought... perhaps not the most efficient method, but effective..

~Intruder~
CEH, MCSA/MCSE 2000/2003

"The Less You Do, The Less Can Go Wrong"