Avatar of Andrew Cummins
Andrew Cummins
 asked on

What is the best practice to revoke an end user's access to Exchange and Network Resources?

My employer wants the ability to disable an AD account and have assurance the end user's access to email and network resources is immediately or quickly revoked. We tested this earlier this morning and discovered although email access to Exchange is almost immediately unavailable, the end user still has access to critical and sensitive data through mapped drives. I've got the impression this is because the end user still has a kerberos ticket cached on their PC. What is the best practice to mitigate this risk? Should we modify the kerberos ticket lifetime on the 2012R2 Domain Controller, or some other method? Thanks!
Windows Server 2012Active Directory* kerberosNetwork Security

Avatar of undefined
Last Comment

8/22/2022 - Mon

If local, the access to Folders and Email is revoked (as you did above) as soon as they log off.

the end user still has a kerberos ticket cached on their PC. …   Should we modify the kerberos ticket lifetime   Yes and any remote access.

If you go into to AD and disable the user they should not have access to the system anymore.
You can also change the allow logon time to nothing. this will kick them out immediately.
Change their password is another option.

I like the logon hours method the best.

Andrew Cummins

Thanks for the suggestions! I tried the login hour method and I'm still experiencing the same issue.  Access to the primary and backup domain controller ceases immediately as expected, however any other VM or physical server sharing files still accepts R/W access to any file using the end user's credentials *as long as they haven't logged out*.  I'm guessing something is being cached by the other non Domain Controllers servers. I tried using the GPO that kicks users out at the end of their logon hours period, but I haven't see it work in practice. It seems to only cut access to email and the domain controller's resources like the other methods. What am I missing here?
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Andrew Cummins

Thanks for the insights! I was hoping for a one step trigger, but at least I have a mitigation plan now. Resetting password, disabling account, and killing their active file sharing sessions does the job.

Thank you for the update. Good luck going forward.