Guest John Liles Posted March 14, 2008

First off, apologies if this subject has been covered before, but I did a search and couldn't find anything.

Our situation is this: an employee was terminated today and his/her user account was disabled and password reset. In spite of this, the terminated employee was able to send emails on the company Exchange email up to 30 minutes later. I've been asked to find a way to make disabling the user account have the immediate effect of keeping them from sending emails or doing anything else on the domain.

I know that disabling the user account will prevent the user from being able to log on to the domain, but it appears that a disabled user who is already logged on maintains some or all abilities to access resources such as email. Is this expected behavior in Windows 2003 AD? If so, is there a way to change this behavior? For example, is there a way to force a disabled user account to be logged off of any computer he/she is logged onto on the domain?

For those who will make the very logical suggestion that the terminated user be immediately escorted off the premises: I appreciate it, but that sensible solution has already been rejected by management!

Thanks in advance for any tips.
--
JL
Guest Tom [Pepper] Willett Posted March 14, 2008

That makes no sense whatsoever. The employee has been terminated, but allowed to remain on the premises, yet no access to the network?

Bet the employee can beat the system...and, he has an incentive...he can't get fired again.

: For those who will make the very logical suggestion that the terminated user
: be immediately escorted off the premises: I appreciate it, but that sensible
: solution has already been rejected by management!
:
: Thanks in advance for any tips.
: --
: JL
Guest John Liles Posted March 14, 2008

You don't understand, it doesn't have to make sense! Don't you read Dilbert? Heh heh!
--
JL

"Tom [Pepper] Willett" wrote:
> That makes no sense whatsoever. The employee has been terminated, but
> allowed to remain on the premises, yet no access to the network?
>
> Bet the employee can beat the system...and, he has an incentive...he can't
> get fired again.
>
> : For those who will make the very logical suggestion that the terminated user
> : be immediately escorted off the premises: I appreciate it, but that sensible
> : solution has already been rejected by management!
> :
> : Thanks in advance for any tips.
> : --
> : JL
Guest PA Bear [MS MVP] Posted March 14, 2008

> For those who will make the very logical suggestion that the terminated user
> be immediately escorted off the premises: I appreciate it, but that
> sensible solution has already been rejected by management!

Get another job, fast!

John Liles wrote:
> First off, apologies if this subject has been covered before, but I did a
> search and couldn't find anything.
>
> Our situation is this: an employee was terminated today and his/her user
> account was disabled and password reset. In spite of this, the terminated
> employee was able to send emails on the company Exchange email up to 30
> minutes later. I've been asked to find a way to make disabling the user
> account have the immediate effect of keeping them from sending emails or
> doing anything else on the domain.
>
> I know that disabling the user account will prevent the user from being able
> to log on to the domain, but it appears that a disabled user who is already
> logged on maintains some or all abilities to access resources such as email.
> Is this expected behavior in Windows 2003 AD? If so, is there a way to
> change this behavior? For example, is there a way to force a disabled user
> account to be logged off of any computer he/she is logged onto on the
> domain?
>
> For those who will make the very logical suggestion that the terminated user
> be immediately escorted off the premises: I appreciate it, but that
> sensible solution has already been rejected by management!
>
> Thanks in advance for any tips.
Guest David H. Lipman Posted March 14, 2008

From: "PA Bear [MS MVP]" <PABearMVP@gmail.com>

>> For those who will make the very logical suggestion that the terminated user
>> be immediately escorted off the premises: I appreciate it, but that
>> sensible solution has already been rejected by management!
|
| Get another job, fast!
|

:-)

A terminated employee NEEDS to be escorted out. I hope the "management" has learned a lesson in physical security in this episode.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest S. Pidgorny Posted March 21, 2008

John,

That was possible because disabling the account requires an Active Directory replication cycle to propagate throughout the organisation. I guess your Exchange infrastructure is in a different site to the one where the account was disabled.

There is no easy solution to this problem if you have a complicated replication topology and cannot predict the site the user will be logging on from. Disabling the account at multiple sites simultaneously might be an approach - easily scriptable, I think, too.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
http://sl.mvps.org
http://msmvps.com/blogs/sp

"John Liles" <JohnLiles@discussions.microsoft.com> wrote in message news:9D5F8262-AAFB-4D4B-AF69-88C1F679F697@microsoft.com...
> First off, apologies if this subject has been covered before, but I did a
> search and couldn't find anything.
>
> Our situation is this: an employee was terminated today and his/her user
> account was disabled and password reset. In spite of this, the terminated
> employee was able to send emails on the company Exchange email up to 30
> minutes later. I've been asked to find a way to make disabling the user
> account have the immediate effect of keeping them from sending emails or
> doing anything else on the domain.
>
> I know that disabling the user account will prevent the user from being able
> to log on to the domain, but it appears that a disabled user who is already
> logged on maintains some or all abilities to access resources such as email.
> Is this expected behavior in Windows 2003 AD? If so, is there a way to
> change this behavior? For example, is there a way to force a disabled user
> account to be logged off of any computer he/she is logged onto on the
> domain?
>
> For those who will make the very logical suggestion that the terminated user
> be immediately escorted off the premises: I appreciate it, but that sensible
> solution has already been rejected by management!
>
> Thanks in advance for any tips.
> --
> JL
Guest dav1dr4y@gmail.com Posted May 2, 2008

On Mar 14, 2:14 pm, John Liles <JohnLi...@discussions.microsoft.com> wrote:
> First off, apologies if this subject has been covered before, but I did a
> search and couldn't find anything.
>
> Our situation is this: an employee was terminated today and his/her user
> account was disabled and password reset. In spite of this, the terminated
> employee was able to send emails on the company Exchange email up to 30
> minutes later. I've been asked to find a way to make disabling the user
> account have the immediate effect of keeping them from sending emails or
> doing anything else on the domain.
>
> I know that disabling the user account will prevent the user from being able
> to log on to the domain, but it appears that a disabled user who is already
> logged on maintains some or all abilities to access resources such as email.
> Is this expected behavior in Windows 2003 AD? If so, is there a way to
> change this behavior? For example, is there a way to force a disabled user
> account to be logged off of any computer he/she is logged onto on the domain?
>
> For those who will make the very logical suggestion that the terminated user
> be immediately escorted off the premises: I appreciate it, but that sensible
> solution has already been rejected by management!
>
> Thanks in advance for any tips.
> --
> JL

If you also delete the Exchange mailbox when you disable the account, the user will immediately not be able to send any mail. He will get "You do not have the permission to send the message on behalf of the specified user."

Remember too, that the mailbox is really only disconnected at this point. You can still connect it for forensic purposes if needed.

This only helps with email though. Access to file systems that are already connected continues.

dray
Guest S. Pidgorny Posted May 4, 2008

AD replication can cause the delay. Plus, if the user has a MAPI session open while the account is disabled, I think it will continue.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
http://sl.mvps.org
http://msmvps.com/blogs/sp

<dav1dr4y@gmail.com> wrote in message news:41465770-2445-490e-b240-78f9a3fc447b@l17g2000pri.googlegroups.com...
On Mar 14, 2:14 pm, John Liles <JohnLi...@discussions.microsoft.com> wrote:
> First off, apologies if this subject has been covered before, but I did a
> search and couldn't find anything.
>
> Our situation is this: an employee was terminated today and his/her user
> account was disabled and password reset. In spite of this, the terminated
> employee was able to send emails on the company Exchange email up to 30
> minutes later. I've been asked to find a way to make disabling the user
> account have the immediate effect of keeping them from sending emails or
> doing anything else on the domain.
>
> I know that disabling the user account will prevent the user from being able
> to log on to the domain, but it appears that a disabled user who is already
> logged on maintains some or all abilities to access resources such as email.
> Is this expected behavior in Windows 2003 AD? If so, is there a way to
> change this behavior? For example, is there a way to force a disabled user
> account to be logged off of any computer he/she is logged onto on the
> domain?
>
> For those who will make the very logical suggestion that the terminated user
> be immediately escorted off the premises: I appreciate it, but that sensible
> solution has already been rejected by management!
>
> Thanks in advance for any tips.
> --
> JL

If you also delete the Exchange mailbox when you disable the account, the user will immediately not be able to send any mail. He will get "You do not have the permission to send the message on behalf of the specified user."

Remember too, that the mailbox is really only disconnected at this point. You can still connect it for forensic purposes if needed.

This only helps with email though. Access to file systems that are already connected continues.

dray
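Two of the replies above point at the same fix from different ends: Pidgorny's (March 21) that the disable has to land on every DC rather than wait for replication, and dray's that disconnecting the Exchange mailbox cuts the mail path right away. The script below is an added example that ties those together with session teardown; it is not code from anyone in the thread. It assumes a newer toolset than the 2003-era estate being discussed: the ActiveDirectory PowerShell module (RSAT), the Exchange Management Shell cmdlets (Exchange 2007 or later; Exchange 2003 has no Disable-Mailbox cmdlet), repadmin.exe on the path, and an operator who is both a domain admin and an Exchange recipient admin. The parameter names and the workstation list are placeholders. The underlying caveat still holds on any version: disabling an account stops new logons, but Kerberos tickets already issued stay valid until they expire and sessions already established (MAPI, mapped drives) are not torn down by the flag, so those have to be killed explicitly.

```powershell
# Added example, not from the thread. Revoke a terminated user's access as
# close to immediately as AD allows: disable + reset on EVERY writable DC,
# force cross-site replication, disconnect the mailbox, log off live sessions.
# ASSUMPTIONS: ActiveDirectory module and Exchange Management Shell loaded,
# repadmin.exe available, caller has domain admin + recipient admin rights.
param(
    [Parameter(Mandatory)] [string]   $Sam,                 # sAMAccountName of the leaver (placeholder)
    [string[]]                        $Workstations = @()   # hosts the leaver may be logged on to (placeholder)
)

Import-Module ActiveDirectory

# 1. Disable and reset the password directly on each writable DC. Binding to a
#    single DC and waiting for replication is exactly what opened the 30-minute
#    window described in the original post.
$newPassword = ConvertTo-SecureString ([guid]::NewGuid().ToString()) -AsPlainText -Force
$dcs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }
$failed = @()
foreach ($dc in $dcs) {
    try {
        Disable-ADAccount     -Identity $Sam -Server $dc.HostName
        Set-ADAccountPassword -Identity $Sam -Server $dc.HostName -Reset -NewPassword $newPassword
        Write-Host "disabled and reset on $($dc.HostName)"
    } catch {
        $failed += $dc.HostName          # an unreachable DC is a gap, not a success
        Write-Warning "failed on $($dc.HostName): $_"
    }
}

# 2. Push the change out to anything that was unreachable or lagging.
#    /A = all partitions, /e = across sites, /P = push from this DC outward.
& repadmin.exe /syncall /AeP | Out-Null

# 3. Cut the mail path now rather than after replication. Disable-Mailbox only
#    disconnects the mailbox from the AD object; the store keeps the data for
#    its deleted-mailbox retention period and it can be reconnected for
#    forensics, which is the behaviour dray describes above.
Disable-Mailbox -Identity $Sam -Confirm:$false

# 4. Tear down interactive sessions. The disabled flag does not invalidate
#    tickets or sessions that already exist, so find and log them off.
foreach ($computer in $Workstations) {
    # quser columns: USERNAME  SESSIONNAME  ID  STATE  IDLE TIME  LOGON TIME
    # (SESSIONNAME is blank for disconnected sessions, so select the ID by
    # shape rather than by column position)
    $rows = quser /server:$computer 2>$null | Select-Object -Skip 1
    foreach ($row in $rows) {
        $fields = ($row.Trim().TrimStart('>') -replace '\s{2,}', ',') -split ','
        if ($fields[0] -ieq $Sam) {
            $id = $fields | Where-Object { $_ -match '^\d+$' } | Select-Object -First 1
            if ($id) { logoff $id /server:$computer }
        }
    }
}

# 5. Verify on every DC that the flag actually landed before reporting done.
$dcs | ForEach-Object {
    $u = Get-ADUser -Identity $Sam -Server $_.HostName -Properties Enabled
    [pscustomobject]@{ DC = $_.HostName; Enabled = $u.Enabled }
} | Format-Table -AutoSize

if ($failed.Count -gt 0) { Write-Warning "revisit these DCs: $($failed -join ', ')" }
```

Run it as soon as HR gives the word, with the workstation list taken from wherever the estate records logons (a logon script audit, SIEM, or the help desk). Step 4 only catches interactive sessions; SMB sessions to a file server that were established before the disable keep working until the share is disconnected, which is the "access to file systems that are already connected continues" point dray makes, and can be closed on the server side with net session /delete if that server is known.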