User forced Logoff remotely

Technical Guy

I'm an MCT and I have a problem in a classroom.
A student among 12 is annoying all the class.
Someone, I don't know why nor how, is logging off users remotely.

A student is doing a lab and suddenly the session logs off without a chance to
react.
I think a student found a way to forcibly log off users remotely, but how?

Maybe he's using a script, maybe a non-native application (it is a Windows 2003
Official Curriculum course).

He appears to use a script or something to remotely log off users
(can logoff.exe be used remotely?)

These events became more frequent after a GPO class and after the Remote
Desktops demonstration.
 
John Wunderlich

A student is doing a lab and suddenly the session logs off without a
chance to react. I think a student found a way to forcibly log off
users remotely, but how?

Two ways that I know of:

The shutdown.exe program provided with the MS Resource Kit and
the "PsShutdown.exe" program provided as part of the freeware PSTools
package from sysinternals.
<http://www.sysinternals.com/ntw2k/freeware/pstools.shtml>

To do this does require a valid login to the target computer with
privileges.

HTH,
John
 
Technical Guy

Yes, I'm trying Perfect Logger to capture keystrokes and take screenshots
based on magic words to "catch" the guy.
 
Ken B

Do let us know what you find, if you will... just in case we run into a
similar problem down the road ;)

Good luck!

Ken
 
Matt

Hi,

This can be done in MMC (Microsoft Management Console).
Computer Management and right click the highest level in
the tree (which should be labeled Computer Management
(Local) or maybe different depending on your config).
Enter the CPU name. Right click the computer name in the
tree list and select properties -> Advanced -> Start up
and recovery -> Shut down and set a few little settings
and down goes the remote computer.

What the problem is, the user remotely shutting down the
computer must have a pretty high level of access on that
computer or on the entire domain.

There is possibly a way to block it under the Local
Security Policy. Somewhere there is an "Allow system to be
remotely shutdown" or something (can't recall off the top
of my head, and I'm not logged on as an admin atm) and you
could have a look at that and possibly set which groups of
users should really have permission to shut down the
system remotely.

Hope this helps :)
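
The user right Matt is trying to recall is "Force shutdown from a remote system" (constant `SeRemoteShutdownPrivilege`). As an added example that is not part of the original thread, this Python script audits who holds that right in a `secedit /export /cfg rights.inf /areas USER_RIGHTS` export; the sample export, the domain SID and the account name `labuser` are constructed, and the verdict labels are this example's own.

```python
import re

# Well-known SIDs are fixed by Windows; the verdict labels are this example's own.
EXPECTED = {"S-1-5-32-544": "Administrators"}
TOO_BROAD = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
             "S-1-5-32-545": "Users", "S-1-5-32-547": "Power Users"}
DOMAIN_RIDS = {"512": "Domain Admins", "513": "Domain Users"}

# Constructed, trimmed sample export; the domain SID and "labuser" are made up.
SAMPLE_INF = """\
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-547
SeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-11,labuser
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    # Returns {right: [principals]} taken only from the [Privilege Rights] section.
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; unresolved entries are bare names.
            rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def classify(principal):
    if principal in EXPECTED:
        return "expected", EXPECTED[principal]
    if principal in TOO_BROAD:
        return "too-broad", TOO_BROAD[principal]
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", principal)
    if m:
        return "review", DOMAIN_RIDS.get(m.group(1), "account RID " + m.group(1))
    return "review", "unresolved name"

def audit_remote_shutdown(inf_text):
    holders = parse_privilege_rights(inf_text).get("SeRemoteShutdownPrivilege", [])
    return [(p, *classify(p)) for p in holders]

if __name__ == "__main__":
    for principal, verdict, label in audit_remote_shutdown(SAMPLE_INF):
        print(f"{verdict:10} {principal} ({label})")
```

A real export is normally written as Unicode (UTF-16), so decode the file accordingly before passing its text to `audit_remote_shutdown`.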
 
Technical Guy

It's a classroom; all students are Domain Admins.
The user is doing something without physical presence, but the AT/Scheduled
Task is not even active.
He's logging off the user, not shutting down.
 
Ken B

Pretty clever, Matt... I never looked in there.

Amazing what kids'll find out if they have the time.

Ken
 
Matt

Well if they are all Domain Admins, that is your problem.
I think if they are power users, they then won't have
permission for remote shut down.

But then that depends what access levels they need. But as
I said above, look in Local Security Policy or whatever it
is.

I know he's logging them off, but the way I found out you
can shut down, log off, reboot or "power down" the remote
user. :)
 
Technical Guy

Kids? They're on average 24-year-old MCSA/MCSE students....
I'm now using a software called perfect logging to capture keyboard
keystrokes and screenshots to "catch" the culprit.
 
