Sometimes you have to throw someone off a terminal, but at the same time preserve the evidence on the terminal. For example if someone is using a terminal to hack something, and you need to secure the running terminals to capture the commands that has been run. It is quite simple to accomplish this, as the process below demonstrates.
May 29, 2019 Sharing your screen remotely is a convenient way to access another computer as if you’re sitting in front of it. OS X and Windows have this ability built right into them, meaning you can easily share your Mac’s screen with Windows PCs, and vice versa. If you run a mixed network, it’s most likely a combination of Macs and Windows PCs.
The most intuitive way to access and manage your remote Mac is Screen Sharing, which streams the desktop view from your remote computer to the Mac you’re currently using. While the performance.
First, change the target account’s AD password. This will prevent them from logging back in
Next, target the terminal with psexec and use rundll32 to execute user32.dll with the LockWorkStation function. This will trigger the account lock. The following command can be tweaked for your purposes: PsExec.exe -d -u Administrator -i cmd.exe /c “C:windowssystem32rundll32.exe user32.dll, LockWorkStation”
Now it’s time to sieze the terminal. Make sure you are standing by ready for this, as the victim could be distressed and shut down his workstation, essentially removing evidence.
With Screen Time you can also create a dedicated passcode to secure settings, so only you can extend time or make changes. Make sure to choose a passcode that's different from the passcode you use to unlock your device. To change or turn off the passcode on your child's device, go to Settings Screen Time, and tap your child's name. Lock or unlock a screen. You can lock a client computer’s screen, and then unlock it again. You can continue to perform certain administrative functions with computers using Remote Desktop after you’ve locked their screens. When locked, a computer doesn’t accept keyboard or mouse input.
This concept can be expanded further, as Darryl Griffiths pointed out to me on LinkedIn. Coupling the initial idea of locking the workstation with AD Group Policies to modify the Power settings on the target workstation, one can even prevent the machine from shutting down, e.g. when the power button is clicked or the laptop lid is turned off. The Power Management in Windows normally allows this type of overriding the functionality of the power button, and more can be read about this concept in the following TechNet article: https://blogs.technet.microsoft.com/askds/2008/03/21/managing-power-with-group-policy-part-3-of-3/