Disabling a user account


  • Disabling a user account

    Ok, so I am going to try to explain this in the best possible way. We disabled a user account in Active Directory and the user was escorted out of the building. The problem we have is that the user was logged into their Windows session with Outlook 2002 open when they told her to leave. After she left, within a few minutes (less than 10), security sat down at her desk and was upset that they could access her account after we were told to disable it, which we did. Is there some way (Group Policy or something) to make it so that if I click on disable account, no matter what you are doing on the computer, that's it, you're done, no more access to anything? Because while they were sitting at her computer and Outlook was open, they could delete things and send emails. Now as soon as they closed Outlook they were unable to reopen it because the account was disabled. If there is no solution, could anyone explain why?

    Thanks a lot!

  • #2
    Re: Disabling a user account

    When you have disabled her account, from the server or a computer where you're domain admin, run:
    shutdown -r -m \\computer -t 0 -f
    Make sure she's away from her desk, haha, it's a bit cruel.

    Edit: If she's already logged in then disabling her account won't log her out.
    Last edited by uk_network; 12th November 2008, 18:17.
    Please remember to award reputation points if you have received good advice.
    I do tend to think 'outside the box' so others may not always share the same views.

    MCITP -W7,
    MCSA+Messaging, CCENT, ICND2 slowly getting around to.



    • #3
      Re: Disabling a user account

      So in other words, without getting the user to log out of the computer, there is really no way to lock them completely out of everything they're doing as soon as I disable the account?



      • #4
        Re: Disabling a user account

        You could also use PsShutdown.exe from Sysinternals to log the user off remotely. It's part of the PsTools suite http://technet.microsoft.com/en-us/s.../bb896649.aspx

        Also, here's a script that has parts in it that will disable a user and then log them off using PsShutdown. If you want we could modify it so that you can put in the username and computer and it will disable the account and log them off the computer.
        http://www.experts-exchange.com/Soft...html#a22506383
        Regards,
        Jeremy

        Network Consultant/Engineer
        Baltimore - Washington area and beyond
        www.gma-cpa.com
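The sequence discussed in this thread (disable the account, then end the session that already exists on the workstation), as an added PowerShell example that is not from any poster or from the linked script. It uses the built-in `quser` and `logoff` commands instead of PsShutdown, and assumes the ActiveDirectory module, English `quser` output, and placeholder account and computer names.

```powershell
# Added example: disable an AD account, then log off that user's sessions
# on one workstation. Needs the ActiveDirectory module (RSAT) and admin
# rights on the target computer. Both parameter values are placeholders.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,   # e.g. 'jdoe'
    [Parameter(Mandatory)] [string] $ComputerName      # e.g. 'WS-EXAMPLE'
)

Import-Module ActiveDirectory

# 1. Disable the account so no new logon or new ticket request succeeds.
Disable-ADAccount -Identity $SamAccountName
$user = Get-ADUser -Identity $SamAccountName -Properties Enabled
if ($user.Enabled) { throw "Account $SamAccountName is still enabled." }

# 2. Disabling does not end sessions that already exist, so find them.
#    quser prints: USERNAME  SESSIONNAME  ID  STATE  IDLE TIME  LOGON TIME
#    SESSIONNAME is blank for disconnected sessions, hence the optional group.
#    Assumption: STATE is the English 'Active' or 'Disc'.
$pattern = '^[\s>]*(?<user>\S+)\s+(?:(?<name>\S+)\s+)?(?<id>\d+)\s+(?<state>Active|Disc)\b'
$sessions = quser /server:$ComputerName 2>$null | ForEach-Object {
    if ($_ -match $pattern) {
        [pscustomobject]@{
            User  = $Matches.user
            Id    = [int]$Matches.id
            State = $Matches.state
        }
    }
} | Where-Object { $_.User -eq $SamAccountName }

if (-not $sessions) {
    Write-Output "No sessions for $SamAccountName on $ComputerName."
    return
}

# 3. Log off each session; this closes Outlook and everything else the
#    session was running under the old credentials.
foreach ($s in $sessions) {
    logoff $s.Id /server:$ComputerName
    Write-Output "Logged off session $($s.Id) ($($s.State)) on $ComputerName"
}
```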



        • #5
          Re: Disabling a user account

          This is what we have done so far. We have downloaded a program that we have created a batch file for, and in the batch file all we need to do is edit the computer name and double click it. This will auto shut down the computer name we put into the batch file. Right clicking and selecting disable in AD is not a big deal, and then to run the batch file is not a problem. The problem I have is that my I/T director is breathing down my back as to why Microsoft does work the way he thinks it should work. In other words, how come when we disable an account, if the user is still logged into the computer when we disable it, they can float around the network and mess with their emails, etc. Basically the head of security came in and gave him an earful about it and I got the brunt of it.



          • #6
            Re: Disabling a user account

            That has to do with how access is granted.
            Basically the workstation/server already checked if the user has permission to access the resource. It does check again depending on what is being accessed and how. Not all the technologies were developed by M$. Kerberos is in play as well.

            It's inherent in the technology so you will have to deal with it. But the internal procedures can address this issue like you are already doing by logging off the user.
            Regards,
            Jeremy

            Network Consultant/Engineer
            Baltimore - Washington area and beyond
            www.gma-cpa.com



            • #7
              Re: Disabling a user account

              Yes, until a new token is requested, access to some resources will be kept. In reality, the person should be called to another office and should not come back to their computer right away. That way the disabled account will protect them from logging in from home/other computer etc., but for the existing PC, not much can be done other than a logoff or shutdown.
              VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah



              • #8
                Re: Disabling a user account

                I'd have to agree with the previous explanations regarding the TGT.
                This brings up another issue in my opinion. We are all aware that technology has its limitations, and that's what non-technical politicians in organisations use to start "finger pointing exercises" when things go wrong due to organisational bad practices followed in the company.
                IMO this issue could have been avoided if, as mentioned before, the user was escorted straight away and not left lurking around the system.

                It is unfortunate that the IT admins get the blame all the time.


                P.S. BTW I love my employers?!?
                Caesar's cipher - 3

                ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

                SFX JNRS FC U6 MNGR



                • #9
                  Re: Disabling a user account

                  Well, I also agree with the previous explanations, but what you can do is ask your boss to contact Microsoft.
                  He has to pay quite a lot (wasn't it about $500?) and I'm pretty sure MS will give him the same answer.
                  Marcel
                  Technical Consultant
                  Netherlands
                  http://www.phetios.com
                  http://blog.nessus.nl

                  MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                  "No matter how secure, there is always the human factor."

                  "Enjoy life today, tomorrow may never come."
                  "If you're going through hell, keep going. ~Winston Churchill"



                  • #10
                    Re: Disabling a user account

                    Is it just me, or is it ridiculous that a company can charge you for a product, and then charge you 60 every time you want to talk to them about a problem with that product? The word that springs to mind would probably get me banned from here
                    Gareth Howells

                    BSc (Hons), MBCS, MCP, MCDST, ICCE

                    Any advice is given in good faith and without warranty.

                    Please give reputation points if somebody has helped you.

                    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

                    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.
