Get and log off users with CMD tools

    During your IT career you have most probably needed, or will need, to see which users are logged on to a server and to log off one or more of them. This task can be done in more ways than one. This post covers 2 command line tools that let you do this without a single click. These tools work from earlier versions of Windows Server and client (I tested from Windows 7 and Windows Server 2008 R2) to the newest versions right now (Windows 10 and Windows Server 2016 TP4).

    The 2 programs used are:

  • QUSER, used to list all the active logon sessions on a server
  • LOGOFF, used to log off a user from a server

    Note: These 2 tools can be run against remote systems, not just on the current machine, but it is important to remember that they use RPC for communication. Windows Server 2008 R2 and Windows 7 have it enabled by default, but from Windows 8/Windows Server 2012 it is disabled. You may have to use a combination of RPC and WinRM (PowerShell Remoting) to make a complete solution.

    Note 2: I will be running these programs from PowerShell even though they also work from CMD.exe.

    Looking at QUSER

    Let’s take a look at the first tool on the list: QUSER. Use this to see all users logged on to a machine (local or remote) or to check if a specific user is logged on. The first thing I like to do when learning a new tool is to read the help. Do this by running:


QUSER /?

 

QUSER help


    From the help we can see that the command can be run without any parameters, in which case it returns all logged on users. Filtering parameters such as the username, session ID or session name to search for can be given, and a remote server can be specified if the desired info is not on the local machine.

    Here is what example output looks like:

QUSER example


    The first column lists the usernames that have active or idle sessions on the server. Since I ran the command from the testu1 session, it is marked as such with the “>” character.

    Sessionname represents the name of each session. The rdp-tcp#<number> one represents an RDP instance. The other one is a console session (direct connection with mouse and keyboard). In some cases the console session is also named “console”. The ID column lists the unique identifier of each session. This can be used to disconnect a session if needed. The State shows whether a user is active or disconnected (the user is not connected but the session state is saved). The Idle Time shows the number of minutes a session has been idle. The dot means that the session is active at that moment. Logon Time holds the exact date and time a session was established.

    To see if a user has a session on a server, just run the command with the username (samaccountname) as a parameter. Let’s see how to check whether testu2 is logged on or not:


QUSER testu2

QUSER filter by username


    When a user is in the Disconnected state no session name is displayed and the idle timer increases.

    To see the users connected to another machine just run the command with the /SERVER parameter. I will run this command from a server called SRV1 to another one called DC2 which has no user logged on at all.


QUSER /SERVER:DC1

QUSER remote


    This is the message received when no user is logged on to a machine.

    Now it is time to look at how to log off someone from a server.

    Looking at LOGOFF

    The second tool in the puzzle is for disconnecting a session. As done for the previous command, let’s see the help:


LOGOFF /?

LOGOFF help


    This tool can be run without any parameter, which means it will log off the current user. Sessionname and SessionID are used to specify a certain session to end. I always use the SessionID parameter as the name cannot be obtained reliably all the time.

    If I am logged on to SRV1 as testu1 and want to log off testu2, I just have to find out the session ID of that user and run the LOGOFF command against it.

    The server parameter is used to specify a remote machine on which the command should run. To get some output about what is happening just use /V.


QUSER

LOGOFF 3

LOGOFF example


    Something a little more interesting is to get and log off users on remote machines. Here the process gets a little more complicated, as the 2 programs use RPC to communicate and Windows 8/Windows Server 2012 and up have RPC disabled in the firewall. Windows 7 and Windows Server 2008 R2 have no problem accepting RPC traffic by default. Where RPC is not possible, you can run the tools from a PowerShell remote session (I recommend leaving RPC blocked if you don’t need it).

    I will try to log off the administrator account from a test server named DC1. Since it is 2008 R2, RPC is allowed and the tools can be run directly.


QUSER administrator /SERVER:DC1

LOGOFF 1 /SERVER:DC1

LOGOFF remote


    So this was a remote logoff from a 2012 R2 server to a 2008 R2 server. Performing the same task against a 2012 R2 server would not work directly. There I use these tools from a PowerShell remote session. For example, I will log off testu1 from SRV1 by connecting to the server remotely from DC1.


Enter-PSSession SRV1

QUSER

LOGOFF 1

LOGOFF and QUSER from PS remoting


    If you run the 2 tools directly against a server that has RPC blocked, you will receive an error like the one below:

RPC error


    You can go a step further and build some PowerShell functions with pipeline support.
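
    One way to build such pipeline functions, as an added example that is not code from the original post: the first function turns QUSER text into objects, including disconnected rows where the SESSIONNAME column is empty, and the second pipes the session ID into LOGOFF. The function names, the sample dates and the assumption that the State column shows "Disc" for disconnected sessions are mine.

```powershell
# Added example: function names are hypothetical; the sample output is constructed.
function ConvertFrom-QuserOutput {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][AllowEmptyString()][string]$Line,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    begin {
        # SESSIONNAME is optional because disconnected sessions show none.
        $pattern = '^(?<cur>[ >])(?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+' +
                   '(?<state>\S+)\s+(?<idle>\S+)\s+(?<logon>.+)$'
    }
    process {
        if ($Line -notmatch $pattern) { return }   # header and blank lines
        [pscustomobject]@{
            ComputerName = $ComputerName
            UserName     = $Matches['user']
            SessionName  = $Matches['session']     # $null when disconnected
            Id           = [int]$Matches['id']
            State        = $Matches['state']
            IdleTime     = $Matches['idle']        # raw text; "." = active now
            LogonTime    = $Matches['logon'].Trim()
            IsCurrent    = $Matches['cur'] -eq '>'
        }
    }
}
function Stop-UserSession {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][int]$Id,
        [Parameter(ValueFromPipelineByPropertyName)][string]$ComputerName = $env:COMPUTERNAME,
        [Parameter(ValueFromPipelineByPropertyName)][string]$UserName
    )
    process {
        $cmdArgs = @($Id)
        if ($ComputerName -ne $env:COMPUTERNAME) { $cmdArgs += "/SERVER:$ComputerName" }
        if ($PSCmdlet.ShouldProcess("$ComputerName session $Id ($UserName)", 'LOGOFF')) {
            logoff @cmdArgs /V
        }
    }
}
$sample = @'
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>testu1                rdp-tcp#0           2  Active          .  1/10/2016 10:15 AM
 testu2                                    3  Disc           12  1/10/2016 10:20 AM
'@ -split '\r?\n'
# Live use: quser | ConvertFrom-QuserOutput. -WhatIf reports without logging anyone off.
$sample | ConvertFrom-QuserOutput -ComputerName SRV1 |
    Where-Object State -eq 'Disc' | Stop-UserSession -WhatIf
```

    /SERVER is added only when the target is not the local machine, so the same functions work inside a PowerShell remote session on servers where RPC is blocked.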

 
