Group,

My management wants me to come up with a procedure to remotely lock out an
employee that is being terminated without forcing any files closed.  Bummer.
We run W2K Native mode Active directory with W2K SP3 workstations.  All
users log onto the domain (no local logins), they do have local profiles.

I am looking at sysinternals pstools (psshutdown) to remotely lock the
workstation.  I am thinking that we first change their domain password and
then lock the workstation.  Then the user can't unlock it, but IS can.
Easier said than done.

Go to a DC and run ADUC and reset their password to "abcdefg".  
Wait 5 mins for the other DCs to get this change.  
Lock the user's workstation.  
Hmm, the old password will unlock it
Wait 10 mins - the old password still works.
Wait 1 hour - the old password still works.
Try the new password and it unlocks the ws and changes the domain pw.
Try the old pw and it does not work.
--- This tells me that the ws does not query the domain unless 
    authentication fails.

I tried this on a few computers with the same results.

I know that psshutdown can logout or shutdown the computer - which would get
them out of the network, but at the expense of forcing files closed.

I did decrease the local policy "num of previous logons to cache" from 10 to
0 with no change.  No domain policy is overwriting it.  Per the explanation
- this policy is only used if a DC is not available; well, we have 4 DCs
available.  So I don't think this one comes into play.

I make other changes to our users all the time (group membership, 
policies, creating and disabling users).  These take no longer 
than 5 mins for the DC to sync the other DCs and the user then gets the 
new rights.  So it is not an ADS synchronization problem.

Nothing jumps out at me at my all-time favorite page ;-)
http://www.ultratech-llc.com/KB/ or at http://www.sysinternals.com.  

Is anyone using a different method for this?

Thank you,

Devin L. Meade, CNE, MCP
Network Administrator
Frankfurt-Short-Bruza
www.fsb-ae.com
www.oklahomadome.com


