mike2401 asked:
Break Outlook RPC connection when employee is FIRED!!!

If we fire an employee in the field, we want to change his password, then break his connection/force a remote logoff of his Outlook 2007 so he can't send mail. We use Exchange 2007. We use Outlook Anywhere through ISA.

Is there a better method than what we've come up with so far:
1. Change his password.
2. Check the ISA console to see if he's logged in.  If so, add the user to our exclusion firewall rule in ISA, then RC and disconnect that user in ISA.
3. Later remember to remove that user in case we ever re-use that ID.

We have experimented with disabling the exchange mailbox but it's a hassle to re-set-it-up when the manager wants access to the mailbox.

BTW, disabling the Outlook Web Access or MAPI feature on that mailbox does not seem to break the remote session.

If we disconnect the fired employee's ISA connection, he re-connects and the Outlook token seems unaffected.

Any suggestions would be appreciated.
Mike
ASKER CERTIFIED SOLUTION (Will Szymkowski)
SOLUTION
Continued...
If this employee gets fired, even if you disable their mailbox they can still get on their home machine, open Outlook and view the OST cached email as well.

Will.
mike2401 (asker):
Thanks Will & Nick.

We revised our procedure (for lan folk and remote folk):
1. change password
2. add user to "terminated" Active Directory group; this group is consulted by ISA: if you're in it, no connection is permitted.
3. Check ISA to see if a connection is currently active. If so, RC and disconnect it; it won't be able to re-connect.

Here's something not obvious: let's say an employee gets fired at noon. He has Outlook RPC configured on his home laptop (which is in sleep mode). If you check the active ISA connections at noon, it won't show. However, when the user gets home and opens the laptop, his Outlook token is still valid (despite the password change).
Thanks!
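The revised procedure above (steps 1 and 2, plus the mailbox-side protocol blocks discussed in the thread) as one PowerShell script; this is an added example, not code from the thread. It assumes the Exchange 2007 Management Shell running on PowerShell 2.0 with the Active Directory module (RSAT) available, and that the ISA deny rule consults an AD group named "Terminated" (name assumed); step 3, dropping a live session in the ISA console, stays manual.

```powershell
# Added example, not code from the thread. Assumes: Exchange 2007 Management Shell
# on PowerShell 2.0 with the Active Directory module (RSAT) installed, and that
# the ISA deny rule consults an AD group called "Terminated" (name assumed).
# Step 3 of the procedure (dropping a live session in the ISA console) stays manual,
# and as the thread notes, an already-issued Outlook token survives the password change.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [string]$TerminatedGroup = "Terminated"   # assumed group name
)
Import-Module ActiveDirectory

# Step 1: reset the password to a random value nobody knows, then disable the
# account so other network resources are closed off as well (Will's point).
Add-Type -AssemblyName System.Web
$newPassword = [System.Web.Security.Membership]::GeneratePassword(24, 6)
$secure = ConvertTo-SecureString -String $newPassword -AsPlainText -Force
Set-ADAccountPassword -Identity $SamAccountName -NewPassword $secure -Reset
Disable-ADAccount -Identity $SamAccountName

# Step 2: put the user in the group the ISA rule denies, so any reconnect
# (e.g. the sleeping laptop waking up later) is refused at the edge.
Add-ADGroupMember -Identity $TerminatedGroup -Members $SamAccountName

# Mailbox side: switch off the client protocols instead of disabling the
# mailbox, so it stays intact for a manager to be given access later.
Set-CASMailbox -Identity $SamAccountName -MAPIEnabled $false -OWAEnabled $false `
    -ActiveSyncEnabled $false -PopEnabled $false -ImapEnabled $false

# Verify and print the resulting state for the ticket.
$acct = Get-ADUser -Identity $SamAccountName
$inGroup = [bool](Get-ADGroupMember -Identity $TerminatedGroup |
    Where-Object { $_.SamAccountName -eq $SamAccountName })
$cas = Get-CASMailbox -Identity $SamAccountName
New-Object PSObject -Property @{
    User              = $SamAccountName
    AccountEnabled    = $acct.Enabled
    InTerminatedGroup = $inGroup
    MAPIEnabled       = $cas.MAPIEnabled
    OWAEnabled        = $cas.OWAEnabled
    ActiveSyncEnabled = $cas.ActiveSyncEnabled
} | Format-List
if ($acct.Enabled -or -not $inGroup -or $cas.MAPIEnabled) {
    Write-Warning "Offboarding incomplete for $SamAccountName; check ISA and re-run."
}
```

Run it as `.\Offboard.ps1 -SamAccountName jdoe`, then finish step 3 in the ISA console; the OST copy already on the laptop stays readable offline regardless, as Will points out.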
Just to confirm:  do you think most people:

"- Disable / Change AD Password
- Disable the user mailbox / Re-Enable it"

when told by HR to remove access to the system IMMEDIATELY ?
Doing all of the above right after each other will suffice. It is important to disable the user's AD access first, as this allows them to access other resources on the network. So IMO it is more important. Following that you can just disable the mailbox.

Will.
Thanks Will, but I guess I'm just asking if it's customary and normal (or over-kill) to do all that when someone leaves?