Andrew Cummins asked:

What is the best practice to revoke an end user's access to Exchange and Network Resources?

My employer wants the ability to disable an AD account and have assurance the end user's access to email and network resources is immediately or quickly revoked. We tested this earlier this morning and discovered that although email access to Exchange is almost immediately unavailable, the end user still has access to critical and sensitive data through mapped drives. I've got the impression this is because the end user still has a Kerberos ticket cached on their PC. What is the best practice to mitigate this risk? Should we modify the Kerberos ticket lifetime on the 2012 R2 Domain Controller, or use some other method? Thanks!
Tags: Windows Server 2012, Active Directory, Kerberos, Network Security

8/22/2022 - Mon
John

If local, the access to folders and email is revoked (as you did above) as soon as they log off.

> the end user still has a kerberos ticket cached on their PC. … Should we modify the kerberos ticket lifetime

Yes, and any remote access.
yo_bee

If you go into AD and disable the user, they should not have access to the system anymore.
You can also change the allowed logon time to nothing. This will kick them out immediately.
Changing their password is another option.

I like the logon hours method the best.

[Attachment: Lockout.jpg]
Andrew Cummins (Asker)

Thanks for the suggestions! I tried the logon hours method and I'm still experiencing the same issue. Access to the primary and backup domain controller ceases immediately as expected; however, any other VM or physical server sharing files still accepts R/W access to any file using the end user's credentials *as long as they haven't logged out*. I'm guessing something is being cached by the other, non-Domain-Controller servers. I tried using the GPO that kicks users out at the end of their logon hours period, but I haven't seen it work in practice. It seems to only cut access to email and the domain controller's resources, like the other methods. What am I missing here?
ASKER CERTIFIED SOLUTION
John

[Answer text not available on this page.]
Andrew Cummins (Asker)

Thanks for the insights! I was hoping for a one-step trigger, but at least I have a mitigation plan now. Resetting the password, disabling the account, and killing their active file-sharing sessions does the job.
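The three-part mitigation the asker settled on (disable the account, reset the password, kill the live file-sharing sessions), plus yo_bee's logon-hours trick, as one PowerShell runbook. This is an added example written for this page, not a script posted by any participant in the thread. It assumes the RSAT `ActiveDirectory` module on the admin workstation, PowerShell Remoting enabled on the file servers, and that the `$FileServers` list and the `CORP` NetBIOS domain name (both constructed placeholders) are replaced with your own. The caveat it documents in step 4 is the reason the earlier methods looked like they "didn't work": a file server validates an already-issued Kerberos service ticket with its own key and never asks the DC whether the account is still enabled, so the ticket keeps working until it expires (the "Maximum lifetime for service ticket" policy default is 600 minutes), unless the session is torn down and the lifetime is shortened.

```powershell
# Added example, not part of the original thread.
# Revoke a user's access: disable, reset password, zero logon hours,
# then close live SMB sessions on every file server.
param(
    [Parameter(Mandatory)] [string]$SamAccountName,
    [string[]]$FileServers = @('FS01', 'FS02'),   # assumption: your file servers
    [string]$DomainNetbios = 'CORP'                # assumption: your NetBIOS domain name
)

Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -ErrorAction Stop

# 1. Disable the account. The KDC refuses new TGTs and new service tickets
#    (TGS-REQ) for a disabled account, and NTLM pass-through authentication fails.
Disable-ADAccount -Identity $user

# 2. Reset the password to a random value so the old secret cannot be reused
#    (NTLM, or a fresh Kerberos AS-REQ if the account is re-enabled by mistake).
$newPassword = -join ((33..126) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
$secure = ConvertTo-SecureString $newPassword -AsPlainText -Force
Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure

# 3. Zero the logonHours attribute: 21 bytes = 168 one-hour bits, all cleared.
#    Same effect as clearing every hour in the ADUC "Logon Hours" dialog, so a
#    re-enabled account still has no permitted logon window.
Set-ADUser -Identity $user -Replace @{ logonHours = [byte[]](@(0) * 21) }

# 4. Tear down live SMB sessions. Disabling the account does not touch these:
#    the server accepted the cached service ticket and will keep honouring the
#    session (and accept a new one built from the same cached ticket) until the
#    ticket expires. Closing open files first releases locks cleanly.
$clientUser = "$DomainNetbios\$SamAccountName"
$results = Invoke-Command -ComputerName $FileServers -ArgumentList $clientUser -ScriptBlock {
    param($u)
    $files = @(Get-SmbOpenFile | Where-Object ClientUserName -eq $u)
    $files | Close-SmbOpenFile -Force
    $sessions = @(Get-SmbSession | Where-Object ClientUserName -eq $u)
    $sessions | Close-SmbSession -Force
    [pscustomobject]@{
        Server          = $env:COMPUTERNAME
        OpenFilesClosed = $files.Count
        SessionsClosed  = $sessions.Count
    }
}
$results | Format-Table Server, OpenFilesClosed, SessionsClosed -AutoSize

# 5. Re-check. Any session that reappears was rebuilt from the still-valid
#    cached ticket; re-run step 4 until the ticket lifetime has elapsed.
$leftover = Invoke-Command -ComputerName $FileServers -ArgumentList $clientUser -ScriptBlock {
    param($u)
    Get-SmbSession | Where-Object ClientUserName -eq $u | Select-Object ClientComputerName, SessionId
}
if ($leftover) { $leftover | Format-Table -AutoSize } else { "No remaining SMB sessions for $clientUser" }
```

Run it as a domain admin from a workstation that can reach every file server: `.\Revoke-UserAccess.ps1 -SamAccountName jdoe -FileServers FS01,FS02,APP03`. Steps 1 to 3 only stop *new* authentication; step 4 is what actually cuts the mapped drives the asker was seeing, and step 5 is the check that tells you whether the user's PC has already re-established a session with its cached ticket. If that window is too long for your employer, lower "Maximum lifetime for service ticket" in Default Domain Policy (Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy), which is the change John said yes to above, at the cost of more TGS traffic to the DCs.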
John

Thank you for the update. Good luck going forward.