Immediate Disable of Terminated Employee

John Liles

First off, apologies if this subject has been covered before, but I did a search and couldn't find anything.

Our situation is this: an employee was terminated today and his/her user account was disabled and password reset. In spite of this, the terminated employee was able to send emails on the company Exchange email up to 30 minutes later. I've been asked to find a way to make disabling the user account have the immediate effect of keeping them from sending emails or doing anything else on the domain.

I know that disabling the user account will prevent the user from being able to log on to the domain, but it appears that a disabled user who is already logged on maintains some or all abilities to access resources such as email. Is this expected behavior in Windows 2003 AD? If so, is there a way to change this behavior? For example, is there a way to force a disabled user account to be logged off of any computer he/she is logged onto on the domain?

For those who will make the very logical suggestion that the terminated user be immediately escorted off the premises: I appreciate it, but that sensible solution has already been rejected by management!

Thanks in advance for any tips.

--
JL

 
Tom [Pepper] Willett

That makes no sense whatsoever. The employee has been terminated, but allowed to remain on the premises, yet no access to the network?

Bet the employee can beat the system...and, he has an incentive...he can't get fired again.

: For those who will make the very logical suggestion that the terminated user
: be immediately escorted off the premises: I appreciate it, but that sensible
: solution has already been rejected by management!
:
: Thanks in advance for any tips.
: --
: JL

 
John Liles

You don't understand, it doesn't have to make sense! Don't you read Dilbert? Heh heh!

--
JL

"Tom [Pepper] Willett" wrote:

> That makes no sense whatsoever. The employee has been terminated, but
> allowed to remain on the premises, yet no access to the network?
>
> Bet the employee can beat the system...and, he has an incentive...he can't
> get fired again.
>
> : For those who will make the very logical suggestion that the terminated user
> : be immediately escorted off the premises: I appreciate it, but that sensible
> : solution has already been rejected by management!
> :
> : Thanks in advance for any tips.
> : --
> : JL

 
PA Bear [MS MVP]

> For those who will make the very logical suggestion that the terminated user
> be immediately escorted off the premises: I appreciate it, but that
> sensible solution has already been rejected by management!

Get another job, fast!

John Liles wrote:
> First off, apologies if this subject has been covered before, but I did a
> search and couldn't find anything.
>
> Our situation is this: an employee was terminated today and his/her user
> account was disabled and password reset. In spite of this, the terminated
> employee was able to send emails on the company Exchange email up to 30
> minutes later. I've been asked to find a way to make disabling the user
> account have the immediate effect of keeping them from sending emails or
> doing anything else on the domain.
>
> I know that disabling the user account will prevent the user from being able
> to log on to the domain, but it appears that a disabled user who is already
> logged on maintains some or all abilities to access resources such as email.
> Is this expected behavior in Windows 2003 AD? If so, is there a way to
> change this behavior? For example, is there a way to force a disabled user
> account to be logged off of any computer he/she is logged onto on the domain?
>
> For those who will make the very logical suggestion that the terminated user
> be immediately escorted off the premises: I appreciate it, but that
> sensible solution has already been rejected by management!
>
> Thanks in advance for any tips.

 
David H. Lipman

From: "PA Bear [MS MVP]" <PABearMVP@gmail.com>

>> For those who will make the very logical suggestion that the terminated user
>> be immediately escorted off the premises: I appreciate it, but that
>> sensible solution has already been rejected by management!
|
| Get another job, fast!
|

:)

A terminated employee NEEDS to be escorted out.

I hope the "management" has learned a lesson in physical security in this episode.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

 
S. Pidgorny

John,

That was possible because disabling the account requires an Active Directory replication cycle to propagate throughout the organisation. I guess your Exchange infrastructure is in a different site to that where the account was disabled.

There is no easy solution to this problem in case you have a complicated replication topology and cannot predict the site where the user will be logging on from. Disabling the account at multiple sites simultaneously might be an approach - easily scriptable, I think, too.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
http://sl.mvps.org http://msmvps.com/blogs/sp

"John Liles" <JohnLiles@discussions.microsoft.com> wrote in message
news:9D5F8262-AAFB-4D4B-AF69-88C1F679F697@microsoft.com...
> First off, apologies if this subject has been covered before, but I did a
> search and couldn't find anything.
>
> Our situation is this: an employee was terminated today and his/her user
> account was disabled and password reset. In spite of this, the terminated
> employee was able to send emails on the company Exchange email up to 30
> minutes later. I've been asked to find a way to make disabling the user
> account have the immediate effect of keeping them from sending emails or
> doing anything else on the domain.
>
> I know that disabling the user account will prevent the user from being able
> to log on to the domain, but it appears that a disabled user who is already
> logged on maintains some or all abilities to access resources such as email.
> Is this expected behavior in Windows 2003 AD? If so, is there a way to
> change this behavior? For example, is there a way to force a disabled user
> account to be logged off of any computer he/she is logged onto on the domain?
>
> For those who will make the very logical suggestion that the terminated user
> be immediately escorted off the premises: I appreciate it, but that sensible
> solution has already been rejected by management!
>
> Thanks in advance for any tips.
> --
> JL

 
dav1dr4y@gmail.com

On Mar 14, 2:14 pm, John Liles <JohnLi...@discussions.microsoft.com> wrote:
> First off, apologies if this subject has been covered before, but I did a
> search and couldn't find anything.
>
> Our situation is this: an employee was terminated today and his/her user
> account was disabled and password reset. In spite of this, the terminated
> employee was able to send emails on the company Exchange email up to 30
> minutes later. I've been asked to find a way to make disabling the user
> account have the immediate effect of keeping them from sending emails or
> doing anything else on the domain.
>
> I know that disabling the user account will prevent the user from being able
> to log on to the domain, but it appears that a disabled user who is already
> logged on maintains some or all abilities to access resources such as email.
> Is this expected behavior in Windows 2003 AD? If so, is there a way to
> change this behavior? For example, is there a way to force a disabled user
> account to be logged off of any computer he/she is logged onto on the domain?
>
> For those who will make the very logical suggestion that the terminated user
> be immediately escorted off the premises: I appreciate it, but that sensible
> solution has already been rejected by management!
>
> Thanks in advance for any tips.
> --
> JL

If you also delete the Exchange mailbox when you disable the account the user will immediately not be able to send any mail. He will get "You do not have the permission to send the message on behalf of the specified user."

Remember too, that the mailbox is really only disconnected at this point. You can still connect it for forensic purposes if needed.

This only helps with email though. Access to file systems that are already connected continues.

dray

 
S. Pidgorny

AD replication can cause the delay.

Plus, if the user has a MAPI session open while the account is disabled, I think it will continue.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
http://sl.mvps.org http://msmvps.com/blogs/sp

<dav1dr4y@gmail.com> wrote in message
news:41465770-2445-490e-b240-78f9a3fc447b@l17g2000pri.googlegroups.com...
On Mar 14, 2:14 pm, John Liles <JohnLi...@discussions.microsoft.com> wrote:
> First off, apologies if this subject has been covered before, but I did a
> search and couldn't find anything.
>
> Our situation is this: an employee was terminated today and his/her user
> account was disabled and password reset. In spite of this, the terminated
> employee was able to send emails on the company Exchange email up to 30
> minutes later. I've been asked to find a way to make disabling the user
> account have the immediate effect of keeping them from sending emails or
> doing anything else on the domain.
>
> I know that disabling the user account will prevent the user from being able
> to log on to the domain, but it appears that a disabled user who is already
> logged on maintains some or all abilities to access resources such as email.
> Is this expected behavior in Windows 2003 AD? If so, is there a way to
> change this behavior? For example, is there a way to force a disabled user
> account to be logged off of any computer he/she is logged onto on the domain?
>
> For those who will make the very logical suggestion that the terminated user
> be immediately escorted off the premises: I appreciate it, but that sensible
> solution has already been rejected by management!
>
> Thanks in advance for any tips.
> --
> JL

If you also delete the Exchange mailbox when you disable the account the user will immediately not be able to send any mail. He will get "You do not have the permission to send the message on behalf of the specified user."

Remember too, that the mailbox is really only disconnected at this point. You can still connect it for forensic purposes if needed.

This only helps with email though. Access to file systems that are already connected continues.

dray
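The three remedies raised across this thread (Pidgorny's "disable the account at multiple sites simultaneously, easily scriptable", dray's mailbox disconnect, and John's open question about forcing an already-logged-on session off) fit naturally into one offboarding script. The following is an added example, not code posted by anyone in the thread. It assumes the ActiveDirectory PowerShell module and an Exchange Management Shell, both newer than the Windows 2003 / Exchange environment John describes (a 2003-only domain would use `dsmod` and `repadmin /syncall` for the same steps), WinRM enabled on the workstation, and an operator with rights to do all of it; the account name `jdoe`, the host `WS-042` and the `-Workstation` parameter are hypothetical.

```powershell
<#
Added example, not code from any poster in this thread. Combines the three
remedies discussed: disable + password reset pushed to every writable DC
(Pidgorny), disconnect the Exchange mailbox (dray), and end an existing
interactive session on a known workstation (John's open question).

Assumptions: the ActiveDirectory module (Windows Server 2008 R2 / RSAT or
later; a Windows 2003-only domain would use dsmod and repadmin instead), an
Exchange Management Shell (Exchange 2007 or later) for Disable-Mailbox,
WinRM enabled on the workstation, and an operator with rights for all of it.

Usage (names are hypothetical):
  .\Offboard-User.ps1 -SamAccountName jdoe -Workstation WS-042
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName,
    [string]$Workstation              # optional: host the user is logged on to
)

Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -Properties DistinguishedName

# 1. Make every directory change on one writable DC so step 2 has a known source.
$sourceDc = [string](Get-ADDomainController -Discover -Writable).HostName
Disable-ADAccount -Identity $user -Server $sourceDc

# Reset the password to a random 32-character value nobody knows, so a fresh
# logon fails even on a DC that has not yet received the disable.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword -Server $sourceDc

# 2. Replicate just this object to every other writable DC now instead of
#    waiting for the site link schedule. This covers the case in the thread
#    where Exchange authenticates against a DC in a different site.
$otherDcs = Get-ADDomainController -Filter * | Where-Object { $_.HostName -ne $sourceDc }
foreach ($dc in $otherDcs) {
    try {
        Sync-ADObject -Object $user.DistinguishedName -Source $sourceDc -Destination $dc.HostName
        Write-Host "Pushed account changes to $($dc.HostName)"
    } catch {
        # An unreachable DC will converge on its normal schedule; log the gap
        # so it is known rather than silent.
        Write-Warning "Could not push to $($dc.HostName): $_"
    }
}

# 3. Disconnect the mailbox. Exchange then rejects new sends straight away
#    (dray's observation). The mailbox is only disconnected, not purged, so it
#    can be reconnected for forensic review later.
Disable-Mailbox -Identity $user.UserPrincipalName -Confirm:$false

# 4. A session that is already logged on keeps its Kerberos tickets, mapped
#    drives and open MAPI connection (the thread's core complaint). If the
#    workstation is known, end the interactive session there.
if ($Workstation) {
    Invoke-Command -ComputerName $Workstation -ArgumentList $SamAccountName -ScriptBlock {
        param($name)
        # quser lists interactive sessions; the first all-digit token on the
        # user's line is the session ID, which logoff accepts.
        $lines = quser 2>$null | Select-String -Pattern "^\s*>?$name\s"
        foreach ($l in $lines) {
            $id = ($l.Line -split '\s+') | Where-Object { $_ -match '^\d+$' } | Select-Object -First 1
            if ($id) { logoff $id }
        }
    }
}
```

Steps 1 to 3 close the replication and mailbox gaps the thread identifies; step 4 is the only part that touches what the user already holds. A service ticket already issued stays valid until it expires, and an SMB or MAPI session stays up until the server drops it or the client reconnects and is re-authenticated, which is exactly why dray's note about already-connected file systems and Pidgorny's point about an open MAPI session both stand even after the directory change has converged.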

 