Running SSMS after AD account is disabled

  • Marek Grzymala

    SSCommitted

    Points: 1890

    Comments posted to this topic are about the item Running SSMS after AD account is disabled

  • Koen Verbeeck

    SSC Guru

    Points: 258907

    Nice question to end the week, but some references would have been great.

    Need an answer? No, you need a question
    My blog at https://sqlkover.com.
    MCSE Business Intelligence - Microsoft Data Platform MVP

  • Nakul Vachhrajani

    SSChampion

    Points: 10151

    Great question! Something every administrator needs to think about. Thank-you, and have a great week-end ahead.

    Thanks & Regards,
    Nakul Vachhrajani.
    http://nakulvachhrajani.com
    Be courteous. Drive responsibly.

    Follow me on
    Twitter: @sqltwins

  • Carlo Romagnano

    SSC-Insane

    Points: 21712

    In addition, the administrator should disable the account in AD and kill all of the disabled user's connections.

  • Arjun SreeVastsva

    SSCertifiable

    Points: 7135

    Good question for administrators... keep posts like this coming for the DBAs.

  • cengland0

    SSCertifiable

    Points: 6102

    Additionally, when terminated, the employees are escorted out by security. Their personal items will be mailed to them.

    There is too much risk for sabotage when letting an employee roam around the campus after being terminated.

  • TheRedneckDBA

    SSChampion

    Points: 13935

    Shouldn't you also disable the user in SQL? (making sure you aren't dropping the only sysadmin)

    The Redneck DBA

  • Bill Sheets

    Valued Member

    Points: 62

    Jason Shadonix (4/22/2011):
    Shouldn't you also disable the user in SQL? (making sure you aren't dropping the only sysadmin)

    If they are getting access through membership in an AD group, you may not want to disable the group's access and affect others in the group.

    This did make me curious if the user would be able to open a new query window or only execute queries in windows that are already open.

  • SQLRNNR

    SSC Guru

    Points: 281210

    Jason Shadonix (4/22/2011):
    Shouldn't you also disable the user in SQL? (making sure you aren't dropping the only sysadmin)

    If that user's account has been added as a login individually, then yes. If not, would you add that user and then disable it (just in case that person is in a group that has been granted access)?

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw
    Learn Extended Events
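    The lock-out procedure that Carlo, TheRedneckDBA and Jason describe above, written out as a T-SQL script. This is an added example, not code posted by anyone in the thread. It assumes a hypothetical account CONTOSO\jdoe, that it is run by a sysadmin, and that the account has already been disabled in AD. The AD disable alone does not end sessions that are already open, and a cached Kerberos ticket can still open new ones until it expires, so the script denies access at the SQL Server layer as well: it creates an individual login if the user only had access through a group (so nothing is taken away from the rest of the group), denies CONNECT SQL and disables that login, refuses to proceed if that would lock out the only enabled sysadmin, and then kills every session the account still holds.

```sql
-- Added example, not from the thread: lock a terminated Windows user out of
-- a SQL Server instance, including when their access came via an AD group.
-- Assumptions: CONTOSO\jdoe is hypothetical; run as sysadmin; the account
-- is already disabled in AD.
DECLARE @login sysname = N'CONTOSO\jdoe';
DECLARE @sql   nvarchar(max);

-- Guard from the thread: never disable the only sysadmin.
IF IS_SRVROLEMEMBER(N'sysadmin', @login) = 1
   AND NOT EXISTS (SELECT 1
                   FROM sys.server_role_members rm
                   JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
                   JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
                   WHERE r.name = N'sysadmin'
                     AND m.name <> @login
                     AND m.is_disabled = 0)
BEGIN
    RAISERROR(N'Refusing to lock out the only enabled sysadmin.', 16, 1);
    RETURN;
END;

-- 1. If the user only had access through a group, create an individual
--    login to act on. CREATE LOGIN by itself grants nothing beyond CONNECT,
--    and the DENY below removes that again.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @login)
BEGIN
    SET @sql = N'CREATE LOGIN ' + QUOTENAME(@login) + N' FROM WINDOWS;';
    EXEC sys.sp_executesql @sql;
END;

-- 2. A DENY on the individual login overrides any GRANT inherited from
--    group membership, so the rest of the group keeps its access.
--    Disabling the login as well keeps it locked even if the DENY is
--    later revoked by mistake.
SET @sql = N'DENY CONNECT SQL TO ' + QUOTENAME(@login) + N';'
         + N'ALTER LOGIN ' + QUOTENAME(@login) + N' DISABLE;';
EXEC sys.sp_executesql @sql;

-- 3. Neither the AD disable nor the DENY touches sessions that are already
--    open, so kill every session authenticated as this account.
--    KILL cannot target the current session, hence the @@SPID exclusion.
SET @sql = N'';
SELECT @sql = @sql + N'KILL ' + CONVERT(nvarchar(10), session_id) + N';'
FROM sys.dm_exec_sessions
WHERE login_name = @login
  AND session_id <> @@SPID;
IF @sql <> N'' EXEC sys.sp_executesql @sql;

-- 4. Verify: expect zero rows from the first query, and is_disabled = 1
--    with a DENY on CONNECT SQL from the second.
SELECT session_id, login_name, program_name, login_time
FROM sys.dm_exec_sessions
WHERE login_name = @login;

SELECT p.name, p.is_disabled, sp.state_desc, sp.permission_name
FROM sys.server_principals p
LEFT JOIN sys.server_permissions sp ON sp.grantee_principal_id = p.principal_id
WHERE p.name = @login;
```

    After running it, confirm the result by attempting a connection as the account rather than trusting the catalog views alone, and keep the individual login in place until the AD account itself is deleted; dropping it would silently hand the access granted to the group back to the user if the AD disable is ever reversed.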

  • SQLRNNR

    SSC Guru

    Points: 281210

    BTW - great question.

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw
    Learn Extended Events

  • TomThomson

    SSC Guru

    Points: 104763

    Ah well, I got that wrong. I thought MS would (by the time Windows 2003 Server was released) have been aware that leaving a hole like that would be bad for their already poor security reputation (that they were trying very hard to repair) and done something like automatically killing connections when a user account was disabled. I also thought Kerberos tickets expired much faster than that by default - they certainly were much shorter lived on the servers we installed on our customers' sites, that was clear from logged authentication data (I'm assuming the expiry was a small multiple of the refresh (reauthenticate) rate, as that's standard security engineering practice). I guess we must have overridden the default during installation - we did quite a lot of things with group policy, I guess that was one of them.

    edit: I forgot to mention that it's a good question.

    Tom

  • TomThomson

    SSC Guru

    Points: 104763

    Koen Verbeeck (4/22/2011):
    Nice question to end the week, but some references would have been great.

    In case you haven't already found it, this documents the default ticket life (10 hours).

    Tom

  • Jon.Morisi

    SSChampion

    Points: 12845

    Doesn't the fact that there is a "Kerberos ticket expiration" mean the correct answer is NO?

    They cannot continue to log into SSMS indefinitely.

  • M&M

    SSC-Insane

    Points: 21679

    Thanks, good question 🙂

    M&M

  • ziangij

    SSCertifiable

    Points: 6569

    thanks for the good question.

Viewing 15 posts - 1 through 15 (of 20 total)