HOW DO I IMMEDIATELY FREEZE AN ACCOUNT?

Dorius Bildigdo

We are firing someone and 10 minutes before it happens, I need to
immediately freeze all his account access. DISABLING AN ACCOUNT DOES
NOT WORK! If he is already logged in, he will have access AFTER his
account is disabled. I don't understand this. If we have 1000s of
machines, he could be logged into a machine in some corner office
somewhere and after he is fired still have access.

I need a way to immediately BAN him from the network in about 10
minutes. HOW DO I DO THIS?

It's a Windows 2000 network.
 
You can do that using Group Policies. Under the User Properties in Active
Directory, change his Logon Hours the day the person is to be fired. Also,
don't forget to set his account to expire the next day. Then, using the
Group Policy snap-in, go to Computer Configuration\Windows Settings\Security
Settings\Local Policies\Security Options. Then, use the setting
"Automatically Log Off Users When Logon Hours Expire". This can also be set
using the Domain Security Policy tool or the Local Security policy tool,
depending on context.

(Mastering Windows 2000 Server, pub by Sybex, page 382)
 
But this won't take effect until the user GPO on his PC is refreshed? By
default this is every 90 minutes. So this will work only if you know at
least 90 minutes before his firing what time he will be leaving.
 
Unless you have your network configured with cconnect ahead of time, it will be
difficult to find out where he is all logged onto. However you could disable his
account and then use shutdown to remotely shut down the computer he is working at
just before he is terminated [called into the office]. Expiring Kerberos tickets
would lock out all access in the forest within ten hours by default. I don't
understand how an employee would have physical access to office computers after he is
fired?? I have a friend who works at a large software company and he tells me when
this happens the now ex-employee is escorted from the building by security and told to
never come back or face being arrested and prosecuted. --- Steve
 
I would have to agree with this approach.

Call the person into the office. Fire them. Escort them to their office to
collect their things. Escort them to the door. The issue is moot. If he is
logged in...so what? This is commonplace in the businesses that utilize
computer networks....especially to people who have privileged access..etc.

My .02


Steven L Umbach said:
Unless you have your network configured with cconnect ahead of time, it will be
difficult to find out where he is all logged onto. However you could disable his
account and then use shutdown to remotely shut down the computer he is working at
just before he is terminated [called into the office]. Expiring Kerberos tickets
would lock out all access in the forest within ten hours by default. I don't
understand how an employee would have physical access to office computers after he is
fired?? I have a friend who works at a large software company and he tells me when
this happens the now ex-employee is escorted from the building by security and told to
never come back or face being arrested and prosecuted. --- Steve

Dorius Bildigdo said:
We are firing someone and 10 minutes before it happens, I need to
immediately freeze all his account access. DISABLING AN ACCOUNT DOES
NOT WORK! If he is already logged in, he will have access AFTER his
account is disabled. I don't understand this. If we have 1000s of
machines, he could be logged into a machine in some corner office
somewhere and after he is fired still have access.

I need a way to immediately BAN him from the network in about 10
minutes. HOW DO I DO THIS?

It's a Windows 2000 network.
 
Greetings --

Why set his account to allow login/connections only between
certain specific hours, with the latest time being the time he's
scheduled to be fired? And then set the account to expire at the same
time, so he cannot log back in.

Bruce Chambers

--
You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
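
The Logon Hours approach suggested in this thread, worked through as an added example (not code from any poster). Active Directory stores logon hours in the `logonHours` attribute as 21 bytes, one bit per hour of the week in UTC starting Sunday 00:00, so a cutoff can only land on an hour boundary and the window repeats every week; the function names, dates and UTC-5 offset below are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

SLOTS = 7 * 24  # logonHours: 21 bytes, one bit per hour of the week, in UTC


def _floor_utc(dt: datetime) -> datetime:
    if dt.tzinfo is None:
        raise ValueError("timezone-aware datetime required: logonHours is UTC")
    return dt.astimezone(timezone.utc).replace(minute=0, second=0, microsecond=0)


def slot(dt: datetime) -> int:
    """Hour slot containing dt; slot 0 is Sunday 00:00-01:00 UTC."""
    u = _floor_utc(dt)
    return ((u.weekday() + 1) % 7) * 24 + u.hour  # Python counts Monday as 0


def logon_hours_window(start: datetime, cutoff: datetime) -> bytes:
    """Mask permitting logon from start's hour up to the last whole hour
    that ends at or before cutoff (never past it)."""
    first, end = _floor_utc(start), _floor_utc(cutoff)
    hours = int((end - first) / timedelta(hours=1))
    if not 0 <= hours <= SLOTS:
        raise ValueError("window must run forward and span at most one week")
    mask = bytearray(SLOTS // 8)
    for i in range(hours):
        s = (slot(first) + i) % SLOTS   # wrap Saturday -> Sunday
        mask[s // 8] |= 1 << (s % 8)    # low-order bit = first hour of the byte
    return bytes(mask)


def allowed(mask: bytes, when: datetime) -> bool:
    """True if the mask permits logon during the hour containing `when`."""
    s = slot(when)
    return bool(mask[s // 8] & (1 << (s % 8)))


if __name__ == "__main__":
    est = timezone(timedelta(hours=-5))  # constructed example values
    mask = logon_hours_window(datetime(2004, 3, 12, 8, 0, tzinfo=est),
                              datetime(2004, 3, 12, 14, 10, tzinfo=est))
    print(mask.hex())
    print(allowed(mask, datetime(2004, 3, 12, 14, 5, tzinfo=est)))
    print(allowed(mask, datetime(2004, 3, 19, 9, 0, tzinfo=est)))
```

With a 14:10 cutoff the permitted window ends at 14:00, because the attribute has no finer granularity. The last check is true for the following Friday, which is why the posts above pair logon hours with an account expiry date.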
 
Well, doesn't netstat give which is logon? And then you could reboot that PC
by use of some shutdown tool.
BR
Anders Björk
 
Seems to me it would be pretty simple to not let said employee near any
computers after he knows he's fired. What, you're gonna fire the guy, then
say, "hey, go back to your desk alone and do whatever you need to"....?

Nah, every place I've ever worked at would fire the employee, then ESCORT
them back to pick up personal belongings (subject to search if the person
started picking up folders and such) and then escort the person out of the
building.

And while they're off in the personnel office, or wherever the bad news is
happening, it should be darned simple to shut down their computer. Unplug
the damned thing, if you have to. So when they go back to pick up stuff,
there's no chance they'd be able to boot up, log in, whatever, while the
"escort" is watching.

One place I worked for would have the employee's login and access "broken"
on the day they'd come in to get fired. So the first thing they'd be doing
is calling to see why their login wasn't working. Smarter employees who knew
the procedure would realize they were going to get fired, which gave them
sufficient time to go through their desk/file cabinet/whatever for the paper
copies they had access to and wanted to bring home.

Of course, the REALLY smart employees already had copies of everything they
needed at home, so they never had to worry about access on the last day.
 
We are firing someone and 10 minutes before it happens, I need to
immediately freeze all his account access. DISABLING AN ACCOUNT DOES
NOT WORK! If he is already logged in, he will have access AFTER his
account is disabled. I don't understand this. If we have 1000s of
machines, he could be logged into a machine in some corner office
somewhere and after he is fired still have access.

I need a way to immediately BAN him from the network in about 10
minutes. HOW DO I DO THIS?

Disconnect all sessions related to their login.
 