Solved

Force User Logoff  immediately  -- User logged on to my Windows 2000 Server

Posted on 2003-11-19
7
763 Views
Last Modified: 2013-12-04
My office manager has been tasked with terminating personnel.  As the IT Administrator, I am tasked with disabling the user account in Active Directory and forcing the user the logoff immediately.

The bottom line is:  When instructed by the office manager, I want to prevent (immediately) all  access to the domain from the terminated employee's computer.

Thanks for your help.
0
Comment
Question by:jimdorman
7 Comments
 
LVL 10

Expert Comment

by:BloodRed
ID: 9783127
Locking out the account will cause the user to not be able to access any networked resources, so you can consider them isolated from the network.  You can set logon hours in the account's properties, and force logoff when logon time expires via Group Policy.  
0
 

Author Comment

by:jimdorman
ID: 9783213
Well, how do you lockout an account?  I searched the Windows 2000 Server help files and "lockout" only relates to Remoate Access or VPN accounts.

The only way I know to prevent immediate access to the server, is to go to my wiring closet and pull the cat5 cable that is connecting the terminated employee's computer to the router/switch.  However, the terminated employee may go to someone else's computer and log on.

Thanks again for your help.
 
0
 
LVL 10

Expert Comment

by:BloodRed
ID: 9783811
On either your DC or a managment workstation with the Admin tools installed, open Active Directory Users and Computers, find the user's account, right-click and select Disable.  The change will immediatly replicated to any other DCs in your AD domain and the user will not be able to access network resources.  
0
Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 

Author Comment

by:jimdorman
ID: 9783972
Your suggestion worked partially.   I disabled my account through Active Directory on the DC.  I did not log off of my own computer.  I clicked on Outlook.  The Exchange Server did not display any messages in my Inbox (normally there would be about 50).  So by disabling the account, e-mail was disabled.

However, I opened Explorer.  I navigated to the mapped drive on the DC.  (This is where word processing documents are stored).  The DC Server allowed me to read, edit, and print all documents.
0
 
LVL 10

Expert Comment

by:BloodRed
ID: 9784239
Try enabling "Force logoff when logon hours expire" in Group Policy, then in the account properties in AD set the logon hours so that your test account isn't able to logon in the next half hour or so.  That should force you to log off.
0
 
LVL 5

Expert Comment

by:juliancrawford
ID: 9784848
Why not use shutdown.exe from the resource kit.
Once you have disabled the account in AD shutdown the users PC and they are gone.
0
 
LVL 1

Accepted Solution

by:
monsterrick earned 250 total points
ID: 9841509
Remote shutdown is a good idea but the user may already logged on from another machine which you don't know.
One more to try is launch "Computer Management" from the file server.  Open "Shared Folders".  Click "Sessions".  Find the user session, sort it by "User" and locate the user.  Then, delete his/her session(s) after you disabled this user account.
0

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is a guide to the following problem (not exclusive but here) on Windows: Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge. Any admin who takes se…
Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
This Micro Tutorial will teach you how to censor certain areas of your screen. The example in this video will show a little boy's face being blurred. This will be demonstrated using Adobe Premiere Pro CS6.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question