True, we need a procedure that requires at least three techs and a week of planning to make it work...complicated stuff, these computers.
-----Original Message-----
From: Martin Blackstone [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 26, 2003 3:24 PM
To: NT 2000 Discussions
Subject: RE: Terminating employees / securing their workstation

<CTO>
That's just too damn easy Florea. Use some finesse and imagination! Now go reboot the Outlook server
</CTO>

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 26, 2003 3:24 PM
To: NT 2000 Discussions
Subject: RE: Terminating employees / securing their workstation

Why not just unplug their network cable at the switch? If that's not easily ascertainable, how about just disabling their AD account?

David

-----Original Message-----
From: Meade, Devin [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 26, 2003 3:02 PM
To: NT 2000 Discussions
Subject: Terminating employees / securing their workstation

Group,

My management wants me to come up with a procedure to remotely lockout an employee that is being terminated without forcing any files closed. Bummer.

We run W2K Native mode Active directory with W2K SP3 workstations. All users log onto the domain (no local logins), they do have local profiles.

I am looking at sysinternals pstools (psshutdown) to remotely lock the workstation. I am thinking that we first change their domain password and then lock the workstation. Then the user can't unlock it, but IS can.

Easier said than done.

Go to a DC and run ADUC and reset their password to "abcdefg".
Wait 5 mins for the other DC's to get this change.
Lock the user's workstation.
Hmm, the old password will unlock it
Wait 10 mins - the old password still works.
Wait 1 hour - the old password still works.
Try the new password and it unlocks the ws and changes the domain pw.
Try the old pw and it does not work.

---

This tells me that the ws does not query the domain unless authentication fails. I tried this on a few computers with the same results.

I know that psshutdown can logout or shutdown the computer - which would get them out of the network, but at the expense of forcing files closed.

I did decrease the local policy "num of previous logons to cache" from 10 to 0 with no change. No domain policy is overwriting it. Per the explanation - this policy is only used if a DC is not available; well we have 4 DC's available. So I don't think this one comes into play.

I make other changes to our users all the time (group membership, policies, creating and disabling users). These take no longer than 5 mins for the DC to sync the other DC's and the user then gets the new rights. So it is not an ADS synchronization problem.

Nothing jumps out at me at my all time favorite page ;-) http://www.ultratech-llc.com/KB/ or at http://www.sysinternals.com.

Is anyone using a different method for this?

Thank you,
Devin L. Meade, CNE, MCP
Network Administrator
Frankfurt-Short-Bruza
www.fsb-ae.com
www.oklahomadome.com

------
You are subscribed as [EMAIL PROTECTED]
Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=nt2000&text_mode=&lang=english
To unsubscribe send a blank email to %%email.unsub%%
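
The unlock timeline reported in the original question can be replayed with a small Python model. This is an added illustration, not part of any message in the thread and not Windows code. The class names, the SHA-256 stand-in for the stored verifier, the "old-pw" password and the `always_ask_dc` switch are all hypothetical.

```python
import hashlib

def verifier(password):
    # Stand-in for whatever the workstation keeps from the last good logon.
    return hashlib.sha256(password.encode()).hexdigest()

class DomainController:
    def __init__(self, password):
        self.password = password
        self.queries = 0              # how often a workstation asked us

    def reset_password(self, new_password):
        self.password = new_password

    def check(self, attempt):
        self.queries += 1
        return attempt == self.password

class Workstation:
    def __init__(self, dc, logon_password, always_ask_dc=False):
        self.dc = dc
        self.cached = verifier(logon_password)
        self.always_ask_dc = always_ask_dc   # hypothetical model switch

    def unlock(self, attempt):
        # Behaviour inferred in the question: a local match unlocks
        # without the domain ever being consulted.
        if not self.always_ask_dc and verifier(attempt) == self.cached:
            return True
        # Only a local mismatch (or the switch) reaches the DC.
        if self.dc.check(attempt):
            self.cached = verifier(attempt)  # new password replaces the old
            return True
        return False

def replay_timeline(always_ask_dc=False):
    dc = DomainController("old-pw")               # constructed sample password
    ws = Workstation(dc, "old-pw", always_ask_dc)
    dc.reset_password("abcdefg")                  # the ADUC reset from the thread
    results = [
        ws.unlock("old-pw"),     # right after the reset
        ws.unlock("old-pw"),     # "wait 1 hour": time does not matter here
        ws.unlock("abcdefg"),    # new password: goes to the DC, cache updated
        ws.unlock("old-pw"),     # old password is now rejected
    ]
    return results, dc.queries

if __name__ == "__main__":
    print(replay_timeline())                    # cache-first model
    print(replay_timeline(always_ask_dc=True))  # every unlock checked at the DC
```

In the cache-first run the DC is not consulted until the new password is tried, which matches the sequence described in the question; with the switch on, the reset takes effect at the first unlock attempt.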
