What is the best practice to revoke an end user's access to Exchange and Network Resources?

Andrew Cummins
Andrew Cummins used Ask the Experts™
on
My employer wants the ability to disable an AD account and have assurance the end user's access to email and network resources is immediately or quickly revoked. We tested this earlier this morning and discovered although email access to Exchange is almost immediately unavailable, the end user still has access to critical and sensitive data through mapped drives. I've got the impression this is because the end user still has a kerberos ticket cached on their PC. What is the best practice to mitigate this risk? Should we modify the kerberos ticket lifetime on the 2012R2 Domain Controller, or some other method? Thanks!
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
If local, the access to Folders and Email is revoked (as you did above) as soon as they log off.

the end user still has a kerberos ticket cached on their PC. …   Should we modify the kerberos ticket lifetime   Yes and any remote access.
yo_beeDirector of Information Technology

Commented:
If you go into to AD and disable the user they should not have access to the system anymore.
You can also change the allow logon time to nothing. this will kick them out immediately.
Change their password is another option.


I like the logon hours method the best.

Lockout.jpg
Andrew CumminsIT TECH II

Author

Commented:
Thanks for the suggestions! I tried the login hour method and I'm still experiencing the same issue.  Access to the primary and backup domain controller ceases immediately as expected, however any other VM or physical server sharing files still accepts R/W access to any file using the end user's credentials *as long as they haven't logged out*.  I'm guessing something is being cached by the other non Domain Controllers servers. I tried using the GPO that kicks users out at the end of their logon hours period, but I haven't see it work in practice. It seems to only cut access to email and the domain controller's resources like the other methods. What am I missing here?
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
I'm guessing something is being cached by the other non Domain Controllers servers.

You need to cut off access on ALL servers and log them out. Do that at the server and do not depend upon the user. Kick them out. Same for exchange.  

Go everywhere, cut off their access.
Andrew CumminsIT TECH II

Author

Commented:
Thanks for the insights! I was hoping for a one step trigger, but at least I have a mitigation plan now. Resetting password, disabling account, and killing their active file sharing sessions does the job.
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Thank you for the update. Good luck going forward.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial