We help IT Professionals succeed at work.

What is the best practice to revoke an end user's access to Exchange and Network Resources?

108 Views
Last Modified: 2019-03-07
My employer wants the ability to disable an AD account and have assurance the end user's access to email and network resources is immediately or quickly revoked. We tested this earlier this morning and discovered although email access to Exchange is almost immediately unavailable, the end user still has access to critical and sensitive data through mapped drives. I've got the impression this is because the end user still has a kerberos ticket cached on their PC. What is the best practice to mitigate this risk? Should we modify the kerberos ticket lifetime on the 2012R2 Domain Controller, or some other method? Thanks!
Comment
Watch Question

JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
If local, the access to Folders and Email is revoked (as you did above) as soon as they log off.

the end user still has a kerberos ticket cached on their PC. …   Should we modify the kerberos ticket lifetime   Yes and any remote access.
yo_beeDirector of Information Technology
CERTIFIED EXPERT

Commented:
If you go into to AD and disable the user they should not have access to the system anymore.
You can also change the allow logon time to nothing. this will kick them out immediately.
Change their password is another option.


I like the logon hours method the best.

Lockout.jpg
Andrew CumminsIT TECH II

Author

Commented:
Thanks for the suggestions! I tried the login hour method and I'm still experiencing the same issue.  Access to the primary and backup domain controller ceases immediately as expected, however any other VM or physical server sharing files still accepts R/W access to any file using the end user's credentials *as long as they haven't logged out*.  I'm guessing something is being cached by the other non Domain Controllers servers. I tried using the GPO that kicks users out at the end of their logon hours period, but I haven't see it work in practice. It seems to only cut access to email and the domain controller's resources like the other methods. What am I missing here?
Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION
Andrew CumminsIT TECH II

Author

Commented:
Thanks for the insights! I was hoping for a one step trigger, but at least I have a mitigation plan now. Resetting password, disabling account, and killing their active file sharing sessions does the job.
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Thank you for the update. Good luck going forward.
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.