First off, apologies if this subject has been covered before, but I did a
search and couldn't find anything.

Our situation is this: an employee was terminated today and his/her user
account was disabled and password reset. In spite of this, the terminated
employee was able to send emails on the company Exchange email up to 30
minutes later. I've been asked to find a way to make disabling the user
account have the immediate effect of keeping them from sending emails or
doing anything else on the domain.

I know that disabling the user account will prevent the user from being able
to log on to the domain, but it appears that a disabled user who is already
logged on maintains some or all abilities to access resources such as email.
Is this expected behavior in Windows 2003 AD? If so, is there a way to
change this behavior? For example, is there a way to force a disabled user
account to be logged off of any computer he/she is logged onto on the domain?

For those who will make the very logical suggestion that the terminated user
be immediately escorted off the premises: I appreciate it, but that sensible
solution has already been rejected by management!

Thanks in advance for any tips.
--
JL

Re: Immediate Disable of Terminated Employee by Tom

Tom
Fri Mar 14 15:22:41 CDT 2008

That makes no sense whatsoever. The employee has been terminated, but
allowed to remain on the premises, yet no access to the network?

Bet the employee can beat the system...and, he has an incentive...he can't
get fired again.


: For those who will make the very logical suggestion that the terminated
user
: be immediately escorted off the premises: I appreciate it, but that
sensible
: solution has already been rejected by management!
:
: Thanks in advance for any tips.
: --
: JL



Re: Immediate Disable of Terminated Employee by JohnLiles

JohnLiles
Fri Mar 14 15:41:00 CDT 2008

You don't understand, it doesn't have to make sense! Don't you read Dilbert?
Heh heh!
--
JL


"Tom [Pepper] Willett" wrote:

> That makes no sense whatsoever. The employee has been terminated, but
> allowed to remain on the premises, yet no access to the network?
>
> Bet the employee can beat the system...and, he has an incentive...he can't
> get fired again.
>
>
> : For those who will make the very logical suggestion that the terminated
> user
> : be immediately escorted off the premises: I appreciate it, but that
> sensible
> : solution has already been rejected by management!
> :
> : Thanks in advance for any tips.
> : --
> : JL
>
>
>

Re: Immediate Disable of Terminated Employee by PA

PA
Fri Mar 14 17:53:31 CDT 2008

> For those who will make the very logical suggestion that the terminated
> user
> be immediately escorted off the premises: I appreciate it, but that
> sensible solution has already been rejected by management!

Get another job, fast!


John Liles wrote:
> First off, apologies if this subject has been covered before, but I did a
> search and couldn't find anything.
>
> Our situation is this: an employee was terminated today and his/her user
> account was disabled and password reset. In spite of this, the terminated
> employee was able to send emails on the company Exchange email up to 30
> minutes later. I've been asked to find a way to make disabling the user
> account have the immediate effect of keeping them from sending emails or
> doing anything else on the domain.
>
> I know that disabling the user account will prevent the user from being
> able
> to log on to the domain, but it appears that a disabled user who is
> already
> logged on maintains some or all abilities to access resources such as
> email.
> Is this expected behavior in Windows 2003 AD? If so, is there a way to
> change this behavior? For example, is there a way to force a disabled
> user
> account to be logged off of any computer he/she is logged onto on the
> domain?
>
> For those who will make the very logical suggestion that the terminated
> user
> be immediately escorted off the premises: I appreciate it, but that
> sensible solution has already been rejected by management!
>
> Thanks in advance for any tips.


Re: Immediate Disable of Terminated Employee by David

David
Fri Mar 14 18:08:29 CDT 2008

From: "PA Bear [MS MVP]" <PABearMVP@gmail.com>

>> For those who will make the very logical suggestion that the terminated
>> user
>> be immediately escorted off the premises: I appreciate it, but that
>> sensible solution has already been rejected by management!
|
| Get another job, fast!
|

:-)

A terminated employee NEEDS to be escorted out.

I hope the "management" has learned a lesson in physical security in this episode.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Immediate Disable of Terminated Employee by S

S
Thu Mar 20 20:02:00 CDT 2008

John,

That was possible because disabling the account requires an Active Directory
replication cycle to propagate throughout the organisation. I guess your
Exchange infrastructure is in a different site to the one where the account was
disabled.

There is no easy solution to this problem in case you have complicated
replication topology and cannot predict the site where the user will be
logging on from. Disabling the account at multiple sites simultaneously
might be an approach - easily scriptable, I think, too.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *



"John Liles" <JohnLiles@discussions.microsoft.com> wrote in message
news:9D5F8262-AAFB-4D4B-AF69-88C1F679F697@microsoft.com...
> First off, apologies if this subject has been covered before, but I did a
> search and couldn't find anything.
>
> Our situation is this: an employee was terminated today and his/her user
> account was disabled and password reset. In spite of this, the terminated
> employee was able to send emails on the company Exchange email up to 30
> minutes later. I've been asked to find a way to make disabling the user
> account have the immediate effect of keeping them from sending emails or
> doing anything else on the domain.
>
> I know that disabling the user account will prevent the user from being
> able
> to log on to the domain, but it appears that a disabled user who is
> already
> logged on maintains some or all abilities to access resources such as
> email.
> Is this expected behavior in Windows 2003 AD? If so, is there a way to
> change this behavior? For example, is there a way to force a disabled
> user
> account to be logged off of any computer he/she is logged onto on the
> domain?
>
> For those who will make the very logical suggestion that the terminated
> user
> be immediately escorted off the premises: I appreciate it, but that
> sensible
> solution has already been rejected by management!
>
> Thanks in advance for any tips.
> --
> JL



Re: Immediate Disable of Terminated Employee by dav1dr4y

dav1dr4y
Fri May 02 11:24:58 CDT 2008

On Mar 14, 2:14 pm, John Liles <JohnLi...@discussions.microsoft.com>
wrote:
> First off, apologies if this subject has been covered before, but I did a
> search and couldn't find anything.
>
> Our situation is this: an employee was terminated today and his/her user
> account was disabled and password reset. In spite of this, the terminated
> employee was able to send emails on the company Exchange email up to 30
> minutes later. I've been asked to find a way to make disabling the user
> account have the immediate effect of keeping them from sending emails or
> doing anything else on the domain.
>
> I know that disabling the user account will prevent the user from being able
> to log on to the domain, but it appears that a disabled user who is already
> logged on maintains some or all abilities to access resources such as email.
> Is this expected behavior in Windows 2003 AD? If so, is there a way to
> change this behavior? For example, is there a way to force a disabled user
> account to be logged off of any computer he/she is logged onto on the domain?
>
> For those who will make the very logical suggestion that the terminated user
> be immediately escorted off the premises: I appreciate it, but that sensible
> solution has already been rejected by management!
>
> Thanks in advance for any tips.
> --
> JL

If you also delete the Exchange mailbox when you disable the account
the user will immediately not be able to send any mail. He will get
"You do not have the permission to send the message on behalf of the
specified user."

Remember too, that the mailbox is really only disconnected at this
point. You can still connect it for forensic purposes if needed.

This only helps with email though. Access to file systems that are
already connected continues.

dray

Re: Immediate Disable of Terminated Employee by S

S
Sat May 03 20:38:01 CDT 2008

AD replication can cause the delay.
Plus, if the user has a MAPI session open while the account is disabled, I
think it will continue.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *


<dav1dr4y@gmail.com> wrote in message
news:41465770-2445-490e-b240-78f9a3fc447b@l17g2000pri.googlegroups.com...
> On Mar 14, 2:14 pm, John Liles <JohnLi...@discussions.microsoft.com>
> wrote:
>> First off, apologies if this subject has been covered before, but I did a
>> search and couldn't find anything.
>>
>> Our situation is this: an employee was terminated today and his/her user
>> account was disabled and password reset. In spite of this, the terminated
>> employee was able to send emails on the company Exchange email up to 30
>> minutes later. I've been asked to find a way to make disabling the user
>> account have the immediate effect of keeping them from sending emails or
>> doing anything else on the domain.
>>
>> I know that disabling the user account will prevent the user from being
>> able
>> to log on to the domain, but it appears that a disabled user who is
>> already
>> logged on maintains some or all abilities to access resources such as
>> email.
>> Is this expected behavior in Windows 2003 AD? If so, is there a way to
>> change this behavior? For example, is there a way to force a disabled user
>> account to be logged off of any computer he/she is logged onto on the
>> domain?
>>
>> For those who will make the very logical suggestion that the terminated
>> user
>> be immediately escorted off the premises: I appreciate it, but that
>> sensible
>> solution has already been rejected by management!
>>
>> Thanks in advance for any tips.
>> --
>> JL
>
> If you also delete the Exchange mailbox when you disable the account
> the user will immediately not be able to send any mail. He will get
> "You do not have the permission to send the message on behalf of the
> specified user."
>
> Remember too, that the mailbox is really only disconnected at this
> point. You can still connect it for forensic purposes if needed.
>
> This only helps with email though. Access to file systems that are
> already connected continues.
>
> dray
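An added example, not from any poster in this thread, of the two points raised above: Svyatoslav's suggestion of disabling the account at every site at once rather than waiting for replication, and dray's point that the Exchange side needs its own action. It assumes a later environment than the Windows 2003 one in the question (the ActiveDirectory PowerShell module and an Exchange Management Shell session) and a hypothetical account name passed in as a parameter.

```powershell
# Added example (not from the thread): write the account disable to every
# writable domain controller directly, then cut the mailbox's client protocols
# so an already-open Outlook session cannot keep sending.
# Assumes: ActiveDirectory module (RSAT / Windows 2008 R2 or later) and an
# Exchange Management Shell session. The account name is a hypothetical input.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName
)

Import-Module ActiveDirectory

# Every writable DC; the thread's delay came from the disable being written in
# one site while Exchange authenticated the user against another.
$dcs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }

foreach ($dc in $dcs) {
    try {
        # -Server targets this specific DC instead of the nearest one.
        Disable-ADAccount -Identity $SamAccountName -Server $dc.HostName -ErrorAction Stop
        Write-Host "Disabled $SamAccountName on $($dc.HostName)"
    } catch {
        Write-Warning "Could not disable on $($dc.HostName): $_"
    }
}

# Verify on each DC rather than trusting the write; any DC listed here is one
# the user could still authenticate against until replication catches up.
$stillEnabled = foreach ($dc in $dcs) {
    $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -ErrorAction SilentlyContinue
    if ($u -and $u.Enabled) { $dc.HostName }
}
if ($stillEnabled) {
    Write-Warning "Account still enabled on: $($stillEnabled -join ', ')"
}

# Exchange side: as the thread notes, an open MAPI session can survive the
# account disable. Turning off the mailbox's client access protocols blocks
# new connections while leaving the mailbox content in place for forensics,
# unlike deleting (disconnecting) the mailbox.
if (Get-Command Set-CASMailbox -ErrorAction SilentlyContinue) {
    Set-CASMailbox -Identity $SamAccountName -MAPIEnabled $false -OWAEnabled $false `
        -ActiveSyncEnabled $false -PopEnabled $false -ImapEnabled $false
    Write-Host "Client access protocols disabled for mailbox $SamAccountName"
} else {
    Write-Warning "Set-CASMailbox not available; run from an Exchange Management Shell"
}
```

Existing file-share connections, as dray points out, are not touched by any of this and need to be handled at the file server or by taking the workstation off the network.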