Active Directory - Disabled user network file access

XOR != OR

[H]F Junkie, joined Jun 17, 2003, 11,547 messages
When you disable a user account in NetWare, it immediately blocks access to any network resources. However, it seems in AD that's not the case. The ticket that was generated for the user on login is still valid for the entire ticket lifetime. So while the user can't log in any more (and thus can't get any more tickets generated), they still retain access to network resources until their current ticket expires.

Is there any way around this? I'd like to mimic the behavior of NetWare here if I could. It's one of NetWare's redeeming features.
 
XOR is referring to disabling an account of a user that is currently logged in retaining their existing ticket and being allowed access to resources based on that. I think.
 
That's how I read it as well.
 
Wouldn't it work if you just terminate their session from the DC in Computer Mgmt (or any other server they are logged into) once they're disabled?

That's usually my next step after disabling a user, making sure that their logon sessions or any open files/folders are closed, and that OWA is closed and VPN certs are killed. I usually don't see any open logons in those cases, but every now and then there will be an open file, especially hung .pst files.
 
It still wouldn't matter. Kerberos tickets are issued per server and are valid up until their expiration time. When the user re-establishes his connection to the file share he'd just use the cached service ticket (presuming it hasn't expired). The only way to deal with this that I can think of is to greatly shorten the ticket lifetime via group policy.
 
Yep, I was playing around with it this afternoon. As long as someone is logged in, their ticket will keep the connection alive and re-establish any resources until the ticket expires. Is there any way to revoke a ticket?
 
I don't know Kerberos terribly well, but I believe once the user is granted a ticket, authentication/verification of that ticket is independent of the TGS/AS. You need to limit ticket lifetime to something that strikes an acceptable balance between frequency of renewals/load on the TGS/AS vs. a short lifespan so disabled accounts no longer have access to network resources.
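The procedure the thread converges on, disable the account, then close the user's SMB sessions and open files on the file servers (what the Computer Management "Sessions" and "Open Files" views do by hand), and know the domain ticket lifetimes that bound how long already-issued tickets keep working, written out as PowerShell. This is an added example, not code from any poster in the thread. It assumes a single AD domain, the ActiveDirectory and SmbShare modules (RSAT, Windows Server 2012 or later), and reads the Kerberos policy from the Default Domain Policy's GptTmpl.inf in SYSVOL. The user and server names are placeholders.

```powershell
# Added example: offboarding steps for a disabled AD user plus a read-out of the
# Kerberos ticket lifetimes. Not from the original thread; names are placeholders.
Import-Module ActiveDirectory

function Disconnect-UserSmbAccess {
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string[]] $FileServer
    )

    $user = Get-ADUser -Identity $SamAccountName
    Disable-ADAccount -Identity $user

    # Closing sessions is hygiene, not revocation: the KDC will not issue new tickets
    # to a disabled account, but it cannot recall tickets already cached on the client.
    # The client may reconnect with a cached service ticket until that ticket expires.
    $account = '{0}\{1}' -f (Get-ADDomain).NetBIOSName, $user.SamAccountName

    foreach ($server in $FileServer) {
        # SMB cmdlets report the user as DOMAIN\user in ClientUserName.
        $files = Get-SmbOpenFile -CimSession $server |
                 Where-Object ClientUserName -eq $account
        $files | Close-SmbOpenFile -Force -Confirm:$false

        $sessions = Get-SmbSession -CimSession $server |
                    Where-Object ClientUserName -eq $account
        $sessions | Close-SmbSession -Force -Confirm:$false

        [pscustomobject]@{
            Server         = $server
            FilesClosed    = @($files).Count
            SessionsClosed = @($sessions).Count
        }
    }
}

function Get-KerberosTicketPolicy {
    # Kerberos policy is domain-wide, set in the Default Domain Policy GPO (well-known
    # GUID) under the [Kerberos Policy] section of GptTmpl.inf. There is no per-user
    # lifetime and no cmdlet that revokes an issued ticket.
    $domain = (Get-ADDomain).DNSRoot
    $inf = "\\$domain\SYSVOL\$domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}" +
           "\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"

    # Defaults apply when a key is absent from the file.
    $policy = @{ MaxTicketAge = 10; MaxServiceAge = 600; MaxRenewAge = 7 }
    $inSection = $false
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Kerberos Policy')
            continue
        }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(\d+)') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }

    [pscustomobject]@{
        TgtLifetimeHours          = $policy.MaxTicketAge   # new service tickets stop here at the latest
        ServiceTicketLifetimeMin  = $policy.MaxServiceAge  # a cached share ticket stays usable this long
        RenewalLifetimeDays       = $policy.MaxRenewAge
    }
}

# Example usage with placeholder names (uncomment to run):
# Disconnect-UserSmbAccess -SamAccountName 'jdoe' -FileServer 'FS01', 'FS02'
# Get-KerberosTicketPolicy
```

Lowering MaxServiceAge shortens the window a cached share ticket stays usable after the account is disabled, at the cost of more frequent TGS requests; set it through the Default Domain Policy rather than by editing GptTmpl.inf directly, and re-check with Get-KerberosTicketPolicy after the GPO has replicated.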
 