Break Outlook RPC connection when employee is FIRED!!!

If we fire an employee in the field, we want to change his password, then break his connection/force a remote logoff of his Outlook 2007 so he can't send mail.   We use Exchange 2007. We use outlook anywhere through ISA.

Is there a better method than what we've come up with so far:
1. Change his password.
2. Check the ISA console to see if he's logged in.  If so, add the user to our exclusion firewall rule in ISA, then RC and disconnect that user in ISA.
3, Later remember to remove that user in case we ever re-use that ID.

We have experimented with disabling the exchange mailbox but it's a hassle to re-set-it-up when the manager wants access to the mailbox.

BTW, disabling the outlook web access or mapi feature from that mailbox does not seem to break the remote session .

If we disconnect the fired employee's ISA connection, if re-connects and the outlook token seems unaffected.

Any suggestions would be appreciated.
Mike
mike2401Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Will SzymkowskiSenior Solution ArchitectCommented:
This is a security issue for Outlook. When the user logs into Outlook with a password that session is opened and the token will contune to work until the session is closed.

There is really no "clean" way about doing this. The best approach that I would do is the following...
- Disbale / Change AD Password
- Disable the user mailbox / Re-Enable it

This is the ultimate way of knowing that the user does not have any access by any means to there Outlook. If the mailbox is Disabled it will sever all of the current connections to it OWA/MAPI/ActiveSync etc.

You can then re-enable the mailbox which will forward the client to re-authenticate, at which point the AD Account will have been disabled and/or password changed.

Another thing you might want to consider is restricting Outlook Anywhere to specific User. If someone has access to Outlook Anywhere, they can open Outlook on their home machine use there credentials (working credentials) cache ALL of there mail to their home machine.

If this employee gets fired even if you disable their mailbox they can still get on their home machine and Open Outlook

Will.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Nick RhodeIT DirectorCommented:
As stated by Will there is no clean way to kill the active session and what I do is immediately change the users password, disable the mailbox and re-enable the mailbox.  This in turn kills the active sessions and forces a re-authentication to exchange in which it will require the fired employee to type in the newly changed password on any device (phone, tablet, etc)
Will SzymkowskiSenior Solution ArchitectCommented:
Continued...
If this employee gets fired even if you disable their mailbox they can still get on their home machine and Open Outlook and view the OST cached email as well.

Will.
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

mike2401Author Commented:
Thanks Will & Nick.

We revised our procedure (for lan folk and remote folk):
1. change password
2. add user to "terminated" active directory group; this group is consulted by isa: if you're in it, no connection is permitted.
3. Check ISA to see if a connection is currently active. If so, RC and disconnect it; it won't be able to re-connect.

Here's something not obvious: let's set an employee gets fired at noon.  He has outlook RPC configured on his home-laptop (which is in sleep mode).  If you check the active ISA connections at noon, it won't show.  However, when the user gets home, and opens the laptop, his outlook token is still valid (despite the password change).
mike2401Author Commented:
Thanks!
mike2401Author Commented:
Just to confirm:  do you think most people:

"- Disbale / Change AD Password
- Disable the user mailbox / Re-Enable it"

when told by HR to remove access to the system IMMEDIATELY ?
Will SzymkowskiSenior Solution ArchitectCommented:
Doing all of the above right after each other will suffice. It is important to disable the users AD access first as this allows them to access other resources on the network. So IMO it is more important. Following that you can just disable the mailbox.

Will.
mike2401Author Commented:
Thanks Will, but I guess I'm just asking if it's customary and normal (or over-kill) to do all that when someone leaves?
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Outlook

From novice to tech pro — start learning today.