Link to home
Start Free TrialLog in
Avatar of Andrew Cummins
Andrew Cummins

asked on

What is the best practice to revoke an end user's access to Exchange and Network Resources?

My employer wants the ability to disable an AD account and have assurance the end user's access to email and network resources is immediately or quickly revoked. We tested this earlier this morning and discovered although email access to Exchange is almost immediately unavailable, the end user still has access to critical and sensitive data through mapped drives. I've got the impression this is because the end user still has a kerberos ticket cached on their PC. What is the best practice to mitigate this risk? Should we modify the kerberos ticket lifetime on the 2012R2 Domain Controller, or some other method? Thanks!
Avatar of John
John
Flag of Canada image

If local, the access to Folders and Email is revoked (as you did above) as soon as they log off.

the end user still has a kerberos ticket cached on their PC. …   Should we modify the kerberos ticket lifetime   Yes and any remote access.
Avatar of yo_bee
If you go into to AD and disable the user they should not have access to the system anymore.
You can also change the allow logon time to nothing. this will kick them out immediately.
Change their password is another option.


I like the logon hours method the best.

User generated image
Avatar of Andrew Cummins
Andrew Cummins

ASKER

Thanks for the suggestions! I tried the login hour method and I'm still experiencing the same issue.  Access to the primary and backup domain controller ceases immediately as expected, however any other VM or physical server sharing files still accepts R/W access to any file using the end user's credentials *as long as they haven't logged out*.  I'm guessing something is being cached by the other non Domain Controllers servers. I tried using the GPO that kicks users out at the end of their logon hours period, but I haven't see it work in practice. It seems to only cut access to email and the domain controller's resources like the other methods. What am I missing here?
ASKER CERTIFIED SOLUTION
Avatar of John
John
Flag of Canada image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Thanks for the insights! I was hoping for a one step trigger, but at least I have a mitigation plan now. Resetting password, disabling account, and killing their active file sharing sessions does the job.
Thank you for the update. Good luck going forward.