Well, unless it's a spur of the moment thing, I'd just disable their account or workstation after hours, then direct them to the boss' office when they come in the next morning. Always a bit awkward during the day. When you said 'without forcing any files closed' I thought you meant on the local machine, which is why I suggested pulling the network cable.
Anyway, sounds like you have it under control.

-----Original Message-----
From: Meade, Devin [mailto:[EMAIL PROTECTED]
Sent: Friday, June 27, 2003 7:22 AM
To: NT 2000 Discussions
Subject: RE: Terminating employees / securing their workstation

As stated in the original post: (1) "remotely" and (2) "without forcing any files closed" and (3) psshutdown can force the matter.

Oh, yeah - we talked about unplugging the network cable / disabling the account - but that does not close the files and AutoCAD really does not like this. We will probably use psshutdown with the -f switch.

FWIW, when I was asked for this, I said that I was doing the dept head's dirty work - if they want to fire someone, the boss should ask them to "step away from the keyboard". Here come the flames, I can take it.

Devin L. Meade, CNE, MCP
Network Administrator
Frankfurt-Short-Bruza
www.fsb-ae.com
www.oklahomadome.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 26, 2003 5:24 PM
To: NT 2000 Discussions
Subject: RE: Terminating employees / securing their workstation

Why not just unplug their network cable at the switch? If that's not easily ascertainable, how about just disabling their AD account?

David

-----Original Message-----
From: Meade, Devin [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 26, 2003 3:02 PM
To: NT 2000 Discussions
Subject: Terminating employees / securing their workstation

Group,

My management wants me to come up with a procedure to remotely lock out an employee that is being terminated without forcing any files closed. Bummer.

We run W2K Native mode Active Directory with W2K SP3 workstations. All users log onto the domain (no local logins), they do have local profiles.

I am looking at sysinternals pstools (psshutdown) to remotely lock the workstation. I am thinking that we first change their domain password and then lock the workstation. Then the user can't unlock it, but IS can. Easier said than done.

Go to a DC and run ADUC and reset their password to "abcdefg".
Wait 5 mins for the other DCs to get this change.
Lock the user's workstation.
Hmm, the old password will unlock it.
Wait 10 mins - the old password still works.
Wait 1 hour - the old password still works.
Try the new password and it unlocks the ws and changes the domain pw.
Try the old pw and it does not work.
---

This tells me that the ws does not query the domain unless authentication fails. I tried this on a few computers with the same results.

I know that psshutdown can logout or shutdown the computer - which would get them out of the network, but at the expense of forcing files closed.

I did decrease the local policy "num of previous logons to cache" from 10 to 0 with no change. No domain policy is overwriting it. Per the explanation - this policy is only used if a DC is not available; well, we have 4 DCs available. So I don't think this one comes into play.

I make other changes to our users all the time (group membership, policies, creating and disabling users). These take no longer than 5 mins for the DC to sync the other DCs and the user then gets the new rights. So it is not an ADS synchronization problem.

Nothing jumps out at me at my all-time favorite page ;-) http://www.ultratech-llc.com/KB/ or at http://www.sysinternals.com.

Is anyone using a different method for this?

Thank you,

Devin L. Meade, CNE, MCP
Network Administrator
Frankfurt-Short-Bruza
www.fsb-ae.com
www.oklahomadome.com

------
You are subscribed as [EMAIL PROTECTED]
Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=nt2000&text_mode=&lang=english
To unsubscribe send a blank email to %%email.unsub%%
