Immediate Disable of Terminated Employee

John Liles

First off, apologies if this subject has been covered before, but I did a
search and couldn't find anything.

Our situation is this: an employee was terminated today and his/her user
account was disabled and password reset. In spite of this, the terminated
employee was able to send emails on the company Exchange email up to 30
minutes later. I've been asked to find a way to make disabling the user
account have the immediate effect of keeping them from sending emails or
doing anything else on the domain.

I know that disabling the user account will prevent the user from being able
to log on to the domain, but it appears that a disabled user who is already
logged on maintains some or all abilities to access resources such as email.
Is this expected behavior in Windows 2003 AD? If so, is there a way to
change this behavior? For example, is there a way to force a disabled user
account to be logged off of any computer he/she is logged onto on the domain?

For those who will make the very logical suggestion that the terminated user
be immediately escorted off the premises: I appreciate it, but that sensible
solution has already been rejected by management!

Thanks in advance for any tips.
--
JL
 
Tom [Pepper] Willett

That makes no sense whatsoever. The employee has been terminated, but
allowed to remain on the premises, yet no access to the network?

Bet the employee can beat the system...and, he has an incentive...he can't
get fired again.


: For those who will make the very logical suggestion that the terminated user
: be immediately escorted off the premises: I appreciate it, but that sensible
: solution has already been rejected by management!
:
: Thanks in advance for any tips.
: --
: JL
 
John Liles

You don't understand, it doesn't have to make sense! Don't you read Dilbert?
Heh heh!
--
JL


"Tom [Pepper] Willett" wrote:

> That makes no sense whatsoever. The employee has been terminated, but
> allowed to remain on the premises, yet no access to the network?
>
> Bet the employee can beat the system...and, he has an incentive...he can't
> get fired again.
>
>
> : For those who will make the very logical suggestion that the terminated user
> : be immediately escorted off the premises: I appreciate it, but that sensible
> : solution has already been rejected by management!
> :
> : Thanks in advance for any tips.
> : --
> : JL
>
>
>
 
PA Bear [MS MVP]

> For those who will make the very logical suggestion that the terminated user
> be immediately escorted off the premises: I appreciate it, but that
> sensible solution has already been rejected by management!


Get another job, fast!


John Liles wrote:
> First off, apologies if this subject has been covered before, but I did a
> search and couldn't find anything.
>
> Our situation is this: an employee was terminated today and his/her user
> account was disabled and password reset. In spite of this, the terminated
> employee was able to send emails on the company Exchange email up to 30
> minutes later. I've been asked to find a way to make disabling the user
> account have the immediate effect of keeping them from sending emails or
> doing anything else on the domain.
>
> I know that disabling the user account will prevent the user from being able
> to log on to the domain, but it appears that a disabled user who is already
> logged on maintains some or all abilities to access resources such as email.
> Is this expected behavior in Windows 2003 AD? If so, is there a way to
> change this behavior? For example, is there a way to force a disabled user
> account to be logged off of any computer he/she is logged onto on the domain?
>
> For those who will make the very logical suggestion that the terminated user
> be immediately escorted off the premises: I appreciate it, but that
> sensible solution has already been rejected by management!
>
> Thanks in advance for any tips.
 
David H. Lipman

From: "PA Bear [MS MVP]" <PABearMVP@gmail.com>

>> For those who will make the very logical suggestion that the terminated user
>> be immediately escorted off the premises: I appreciate it, but that
>> sensible solution has already been rejected by management!

|
| Get another job, fast!
|

:)

A terminated employee NEEDS to be escorted out.

I hope the "management" has learned a lesson in physical security in this episode.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
S. Pidgorny

John,

That was possible because disabling the account requires an Active Directory
replication cycle to propagate throughout the organisation. I guess your
Exchange infrastructure is in a different site to the one where the account was
disabled.

There is no easy solution to this problem in case you have complicated
replication topology and cannot predict the site where the user will be
logging on from. Disabling the account at multiple sites simultaneously
might be an approach - easily scriptable, I think, too.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *



"John Liles" <JohnLiles@discussions.microsoft.com> wrote in message
news:9D5F8262-AAFB-4D4B-AF69-88C1F679F697@microsoft.com...
> First off, apologies if this subject has been covered before, but I did a
> search and couldn't find anything.
>
> Our situation is this: an employee was terminated today and his/her user
> account was disabled and password reset. In spite of this, the terminated
> employee was able to send emails on the company Exchange email up to 30
> minutes later. I've been asked to find a way to make disabling the user
> account have the immediate effect of keeping them from sending emails or
> doing anything else on the domain.
>
> I know that disabling the user account will prevent the user from being able
> to log on to the domain, but it appears that a disabled user who is already
> logged on maintains some or all abilities to access resources such as email.
> Is this expected behavior in Windows 2003 AD? If so, is there a way to
> change this behavior? For example, is there a way to force a disabled user
> account to be logged off of any computer he/she is logged onto on the domain?
>
> For those who will make the very logical suggestion that the terminated user
> be immediately escorted off the premises: I appreciate it, but that sensible
> solution has already been rejected by management!
>
> Thanks in advance for any tips.
> --
> JL
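The "disable at every site at once" approach described in the post above, as an added example that is not from anyone in this thread: it writes the disable directly to every writable domain controller instead of to one DC and waiting for replication, resets the password once on the PDC emulator, and then reads the flag back from each DC so a lagging DC is reported rather than assumed. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later) rather than the Windows 2003 tooling of the original thread; the function name and the sample account name are placeholders.

```powershell
# Added example: disable a terminated user's account on every writable DC at
# once, so the change does not depend on AD replication reaching the DC that
# Exchange or the user's workstation happens to use. Assumes the ActiveDirectory
# module and a caller with rights to modify the account.
function Disable-TerminatedUser {
    param([Parameter(Mandatory)] [string] $SamAccountName)
    Import-Module ActiveDirectory

    # Writable DCs only; a read-only DC cannot accept the modification.
    $dcs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }
    $pdc = (Get-ADDomain).PDCEmulator

    # Reset the password once against the PDC emulator: a DC that rejects a
    # logon consults the PDC, so the old password stops working domain-wide
    # even where the account change itself has not replicated yet.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPassword = ConvertTo-SecureString -AsPlainText -Force ([Convert]::ToBase64String($bytes))
    Set-ADAccountPassword -Identity $SamAccountName -Server $pdc -Reset -NewPassword $newPassword

    # Disable directly on each DC rather than on one DC and waiting for the
    # disable to replicate (the delay diagnosed in the post above).
    foreach ($dc in $dcs) {
        try {
            Disable-ADAccount -Identity $SamAccountName -Server $dc.HostName -ErrorAction Stop
        } catch {
            Write-Warning "Could not disable on $($dc.HostName): $_"
        }
    }

    # Verify by reading the Enabled flag back from every DC; an unreachable DC
    # is reported as such instead of silently assumed to be done.
    foreach ($dc in $dcs) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -ErrorAction Stop
            [pscustomobject]@{ DC = $dc.HostName; Enabled = $u.Enabled }
        } catch {
            [pscustomobject]@{ DC = $dc.HostName; Enabled = 'unreachable' }
        }
    }
}

# Usage with a constructed sample account name; any row still showing
# Enabled = True (or unreachable) needs a second look.
Disable-TerminatedUser -SamAccountName 'jdoe' | Format-Table -AutoSize
```

As the later replies in this thread point out, this only stops new logons and new authentications: a MAPI session or mapped drive that is already open stays open until it is closed or the user is logged off.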
 
dav1dr4y@gmail.com

On Mar 14, 2:14 pm, John Liles <JohnLi...@discussions.microsoft.com>
wrote:
> First off, apologies if this subject has been covered before, but I did a
> search and couldn't find anything.
>
> Our situation is this:  an employee was terminated today and his/her user
> account was disabled and password reset.  In spite of this, the terminated
> employee was able to send emails on the company Exchange email up to 30
> minutes later.  I've been asked to find a way to make disabling the user
> account have the immediate effect of keeping them from sending emails or
> doing anything else on the domain.
>
> I know that disabling the user account will prevent the user from being able
> to log on to the domain, but it appears that a disabled user who is already
> logged on maintains some or all abilities to access resources such as email.  
> Is this expected behavior in Windows 2003 AD?  If so, is there a way to
> change this behavior?  For example, is there a way to force a disabled user
> account to be logged off of any computer he/she is logged onto on the domain?
>
> For those who will make the very logical suggestion that the terminated user
> be immediately escorted off the premises:  I appreciate it, but that sensible
> solution has already been rejected by management!
>
> Thanks in advance for any tips.
> --
> JL


If you also delete the Exchange mailbox when you disable the account,
the user will immediately not be able to send any mail. He will get
"You do not have the permission to send the message on behalf of the
specified user."

Remember too, that the mailbox is really only disconnected at this
point. You can still connect it for forensic purposes if needed.

This only helps with email though. Access to file systems that are
already connected continues.

dray
 
S. Pidgorny

AD replication can cause the delay.
Plus, if the user has a MAPI session open while the account is disabled, I
think it will continue.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *


 