Account disabling interval between 2 DC's
  • Account disabling interval between 2 DC's

    Hello everyone!

    I've got a question and I hope anyone could give me a hand.

    The problem is that I've got 4 DC's: 2 in HQ and 2 in branch office.
    When I disable user account, I've got to wait 5 minutes for the replication between HQ and branch office to occur = effective account disable.

    The scenario is about DISABLING a user account, not password lockout policy.

    I need to find the solution to decrease time interval, so that user who is fired can not log in anymore. It should occur asap after I disable his account, despite the fact his account is being served by DC in branch office.

    My forest level: 2003

    I know that "repadmin /syncall" would do the trick, but my support team doesn't have enterprise privileges to run this command on a DC, and I've got to find a way out.

    I tried to look for registry keys:
    HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Repl topology update period (secs), but I can neither reach it nor know whether my guesses are correct.

    I'd be grateful for any help.

    Thanks in advance
    Radek

  • #2
    Re: Account disabling interval between 2 DC's

    IIRC, disabled / locked-out accounts are one of the things replicated immediately and don't wait for scheduled replication.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: Account disabling interval between 2 DC's

      Hello and thanks for your reply.

      That's a pity, but I must disagree. Replication takes about 5 minutes from Site A -> Site B. I used to think exactly like you, Ossian, till today.

      I performed a quick test. I disabled user on DC in HQ, and it was effectively disabled after 300 seconds. I checked it on the spot by opening dsa.msc and connecting to DC in branch office.

      Anyone have any idea how to get it done?

      Thanks,
      Radek
      Last edited by rpazdzierz; 20th September 2011, 18:25.



      • #4
        Re: Account disabling interval between 2 DC's

        You may be right -- review this article, particularly the section on Urgent Replication:
        http://technet.microsoft.com/en-us/l...repup_how_huzs
        It mentions lockouts, but not disabling accounts.

        Why is the 5 minute interval such an issue? Since logon should be against a local DC, surely disabling the account at the users home site is sufficient?
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **



        • #5
          Re: Account disabling interval between 2 DC's

          Hi again!
          I'm now searching through the net to find some suitable info.

          Normally I would use psexec and the 'set' command via cmd on the user's workstation to determine his/her logon server, then log on to that logon server (the DC) and disable his/her account. Then just "shutdown /r /t 0 /m \\ComputerName" to be more cruel, and voila!

          Even simpler seems to be "repadmin /syncall", but the users for whom my procedure is intended don't have the proper permissions in the domain environment.
          I've got to find a way for the HelpDesk team to instantly disable user accounts without needing to log on to a DC or to desktops with administrative permissions - that's why I'm looking for solutions to decrease the replication interval.



          • #6
            Re: Account disabling interval between 2 DC's

            Maybe the solution is for HR to notify you ahead of time to disable the user account.



            • #7
              Re: Account disabling interval between 2 DC's

              The main goal is to be independent and rely only on ourselves.
              The aim of the procedure is to make us ready for such a situation; it's supposed to be easy and relatively short.

              All in all, I found a path which I hope is a good one - inter-site link replication.

              To enable change notification on a site link
              1. In ADSI Edit, expand the Configuration Container icon and then expand CN=Configuration,DC=ForestRootDomainName and CN=Sites.
              2. Expand the CN=Inter-Site Transports container, and then click CN=IP.
              3. In the details pane, right-click the site link object whose options attribute you want to change, and then click Properties.
              4. In the Select a property to view box, click options.
              5. If the Value(s) box displays <not set>, in the Edit Attribute box, type 1 for the value (bit 0=1).

              I'm going to check it tomorrow and will send you some feedback.

              Thanks guys!

              Radek

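The ADSI Edit steps in #7, as an added PowerShell example that is not from the thread: it reads the site link's options bitmask, reports whether change notification (bit 0) is on, and with -Apply sets the bit with -bor so any other option bits already present survive. The site link name DEFAULTIPSITELINK is a placeholder; run it as an account that may edit the Configuration partition.

```powershell
# Added example, not from the thread. Enables change notification on an inter-site IP
# site link, equivalent to setting bit 0 of the 'options' attribute in ADSI Edit.
param(
    [string]$SiteLinkName = 'DEFAULTIPSITELINK',  # placeholder: the site link to change
    [switch]$Apply                                 # without -Apply the script only reports
)

# Find the forest's configuration naming context via RootDSE, then bind to the site link
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.configurationNamingContext
$linkPath = "LDAP://CN=$SiteLinkName,CN=IP,CN=Inter-Site Transports,CN=Sites,$configNc"
$siteLink = [ADSI]$linkPath

# 'options' is an integer bitmask; <not set> comes back as $null, which means 0
$current = 0
if ($null -ne $siteLink.options.Value) { $current = [int]$siteLink.options.Value }

$UseNotify = 1   # bit 0: NTDSSITELINK_OPT_USE_NOTIFY, replicate on change, not only on schedule
$enabled   = ($current -band $UseNotify) -eq $UseNotify

Write-Host "Site link : $($siteLink.distinguishedName)"
Write-Host "options   : $current (change notification $(if ($enabled) { 'ENABLED' } else { 'disabled' }))"

if (-not $enabled -and $Apply) {
    # -bor preserves other bits (bit 1 = two-way sync, bit 2 = disable compression),
    # whereas typing 1 into ADSI Edit overwrites the whole value
    $siteLink.Put('options', ($current -bor $UseNotify))
    $siteLink.SetInfo()
    Write-Host "Change notification enabled on $SiteLinkName."
}
```

The new setting itself travels with the Configuration partition, so the very first sync after the change still follows the old schedule; verify afterwards by re-running the script without -Apply.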