WonkaWilly

asked on

Prevent users from logging onto AD network during maintenance window

Hello, we have a maintenance window coming up and I need to be sure that users are not able to log into the network during this time.  No matter how much notice, or how many reminders, users are given about a maintenance window, users show up and log in during these times.

I'm curious what methods others use to prevent user logins during these times.

Thanks
Harper McDonald
Shut off VPN access during the maint. window.
Lee W, MVP
You could blanket disable all accounts (just make sure you don't disable yours).

Of course, I don't understand why this is even a concern for you.  What happens if they log on?  You could power down the switch(es) but they can still log on with cached credentials.

If you explain what you are concerned about (that logging on might do) perhaps we can give you better solutions... I've never been concerned with this on large networks over 1000 users or small ones of just 3 and many in between.
SOLUTION (ktaczala)

ASKER CERTIFIED SOLUTION
Agreed - it could be dangerous... but I'm still trying to understand WHY?  When do you need to do this?  What's the logic?
WonkaWilly

ASKER

Great suggestions!  
The primary reason for doing this is for software or hardware maintenance windows.   One recent maintenance window was for a SAN RAM/CPU upgrade where I obviously needed the VMs up to test, but since I needed to update and restart the controllers multiple times, I'd prefer users weren't hitting it.  Turns out people still showed up and I got calls.

Two weeks ago I scheduled a Sunday maintenance window to upgrade our accounting software that, by its nature, required the accounting software and SQL database to be online.  The upgrade was multi-stage, aka time consuming, and the vendor advised against having users attempting to access the system.  Of course the accounting system doesn't have the ability itself to prevent users from logging in, and despite multiple notices, the CFO and manager of accounting showed up, unknown to me, and were in the software.

In either case, if there was a quick and easy way to "disable logins" for the occasional maintenance window, that'd be a nice to have.  I considered simply pulling the switch uplink ports, which I can do, but it sure would be easier to set a value somewhere and deny a login.  Maybe I'll look at what can be done via the login script....

Thanks for all the suggestions.
Additionally,
I should have mentioned that employees are allowed flexible schedules where they can come in and work anytime they like, seven days a week, which causes this conflict.

That's why I have to schedule these maintenance windows and ask users to stay away.

Thanks
As stated in my first post you can simply apply these permissions for a period of time and then remove them once maintenance is completed.

If you use the cmdlet in the link I provided you could also script this as well to turn this on and off quickly.

GUI and script options provided.

Will.
The "Logon Hours Restrictions" suggestions are a good idea but could be difficult to use with our flex hours schedules.  Of course I didn't mention that at the beginning.   Sorry.  And we're all in one building so there is no VPN to speak of.

Thanks
First (and it sounds like you do this) - ALWAYS put out notices that system maintenance will take place.

Second, WHENEVER POSSIBLE, perform maintenance off hours (there are reasons banks and other orgs perform these tasks from midnight to 6am on a Sunday morning).

For the accounting system and other database applications, put up the firewall and only enable access to specified systems.

Subnet the systems (in larger networks, the servers are in one network while the workstations are in another).  Pull the default gateway out of the server.  Nothing can get in or out of the subnet.  Someone needs access (accounting software folks)?  Give them access to a VPN that can get them on the network (you can manually assign gateways for particular subnets), or give them access to an RDS server on the same network that they can connect from.

Another option would be a script that uses an "exceptions" file and disables all user accounts EXCEPT those in the file (such as your admins, service accounts, etc.).  But disabling accounts is, in my opinion, a bit like using a hammer to push in a thumbtack.

At the end of the day, what you can do depends on what you have in place in terms of management systems.  Some managed switches may allow you to disable uplink ports for a while and do this remotely, and subsequently re-enable them.  The problem is your network could be advanced and complicated, which could give you many options... or you could have a cheap network with nothing managed and no advanced features and be stuck.  We don't know what you're using, what OS/Firmware versions, etc.
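The "disable everything except an exceptions file" idea from Lee W's posts above, written out as an added example (this is not code from the thread or from any of its posters). It assumes the ActiveDirectory module is installed, an exceptions file with one sAMAccountName per line, and placeholder paths and an OU that you would replace; it records what it disabled so the change can be reversed after the window, and always keeps the running admin's own account, which Lee W warns about.

```powershell
<#
  Added example: disable every enabled AD user except those in an exceptions
  file, record them, and re-enable exactly that set afterwards.
  Assumptions (mine, not the thread's): ActiveDirectory module present,
  placeholder paths/OU below, run as a domain admin. Try -WhatIf first.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [ValidateSet('Disable','Restore')] [string] $Mode,
    [string] $ExceptionsFile = 'C:\Maint\exceptions.txt',        # placeholder
    [string] $StateFile      = 'C:\Maint\disabled-by-maint.txt', # placeholder
    [string] $SearchBase     = 'OU=Users,DC=example,DC=com'      # placeholder
)
Import-Module ActiveDirectory

if ($Mode -eq 'Disable') {
    # Exceptions = file contents (blank lines and '#' comments ignored) plus the
    # caller's own account, so the admin running this is never locked out.
    $exceptions = @(Get-Content $ExceptionsFile |
        Where-Object { $_ -and $_ -notmatch '^\s*#' } |
        ForEach-Object { $_.Trim() })
    $exceptions += $env:USERNAME
    $exceptions = @($exceptions | Sort-Object -Unique)

    # Only currently enabled users are touched; already-disabled accounts
    # (departed staff etc.) are left alone and never end up in the state file.
    $targets = @(Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
        Where-Object { $exceptions -notcontains $_.SamAccountName })

    foreach ($u in $targets) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Disable-ADAccount')) {
            Disable-ADAccount -Identity $u
            Add-Content -Path $StateFile -Value $u.SamAccountName  # audit trail
        }
    }
    Write-Host "Disabled $($targets.Count) accounts; kept $($exceptions.Count) exceptions."
}
else {
    # Restore: re-enable only what this script disabled, nothing else.
    foreach ($name in Get-Content $StateFile) {
        if ($PSCmdlet.ShouldProcess($name, 'Enable-ADAccount')) {
            Enable-ADAccount -Identity $name
        }
    }
}
```

Disabling the account only blocks new domain authentications; as Lee W notes earlier in the thread, a workstation with cached credentials can still log a user on locally, so this stops access to domain resources rather than the logon screen itself.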