April 21, 2011 at 9:57 pm
Comments posted to this topic are about the item Running SSMS after AD account is disabled
April 22, 2011 at 1:00 am
Nice question to end the week, but some references would have been great.
Need an answer? No, you need a question
My blog at https://sqlkover.com.
MCSE Business Intelligence - Microsoft Data Platform MVP
April 22, 2011 at 1:10 am
Great question! Something every administrator needs to think about. Thank you, and have a great weekend ahead.
Thanks & Regards,
Nakul Vachhrajani.
http://nakulvachhrajani.com
Follow me on Twitter: @sqltwins
April 22, 2011 at 1:20 am
In addition, the administrator should disable in AD and kill all disabled-user's connections.
April 22, 2011 at 1:35 am
Good question for administrators... keep posts like this coming for the DBAs.
April 22, 2011 at 3:21 am
Additionally, when terminated, the employees are escorted out by security. Their personal items will be mailed to them.
There is too much risk for sabotage when letting an employee roam around the campus after being terminated.
April 22, 2011 at 7:52 am
Shouldn't you also disable the user in SQL? (making sure you aren't dropping the only sysadmin)
The Redneck DBA
April 22, 2011 at 10:13 am
Jason Shadonix (4/22/2011)
Shouldn't you also disable the user in SQL? (making sure you aren't dropping the only sysadmin)
If they are getting access through membership in an AD group, you may not want to disable the group's access and affect others in the group.
This did make me curious if the user would be able to open a new query window or only execute queries in windows that are already open.
April 22, 2011 at 10:14 am
Jason Shadonix (4/22/2011)
Shouldn't you also disable the user in SQL? (making sure you aren't dropping the only sysadmin)
If that user's account has been added as a login individually - then yes. If not, would you add that user to then disable it (just in case that person is in a group that has been granted access)?
Jason...AKA CirqueDeSQLeil
_______________________________________________
I have given a name to my pain...MCM SQL Server, MVP
SQL RNNR
Posting Performance Based Questions - Gail Shaw
Learn Extended Events
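The two steps the posts above describe (kill the disabled user's open sessions, and disable an individually created login only if it is not the last enabled sysadmin) as a T-SQL script. This is an added example, not code from the thread; the login name DOMAIN\jdoe is a placeholder.

```sql
-- Assumption: the offboarded account is DOMAIN\jdoe (placeholder).
DECLARE @login sysname = N'DOMAIN\jdoe';

-- 1. Sessions still open for that Windows login. Disabling the AD account does not
--    end them (the Kerberos ticket was already issued), and ALTER LOGIN ... DISABLE
--    does not end them either, so list them with a KILL statement for the DBA to review.
SELECT s.session_id,
       s.login_name,
       s.program_name,
       s.login_time,
       N'KILL ' + CAST(s.session_id AS nvarchar(10)) + N';' AS kill_cmd
FROM sys.dm_exec_sessions AS s
WHERE s.login_name = @login
  AND s.session_id <> @@SPID;

-- 2. Disable only an individual Windows login (type U); a group login (type G)
--    would affect everyone in the group. Refuse if it is the last enabled sysadmin
--    (direct role members only; membership inherited via groups is not counted).
IF EXISTS (SELECT 1 FROM sys.server_principals
           WHERE name = @login AND type = 'U')
BEGIN
    IF NOT EXISTS (SELECT 1
                   FROM sys.server_role_members AS rm
                   JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
                   JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
                   WHERE r.name = N'sysadmin'
                     AND m.is_disabled = 0
                     AND m.name <> @login)
    BEGIN
        RAISERROR(N'%s is the only enabled sysadmin; not disabling it.', 16, 1, @login);
    END
    ELSE
    BEGIN
        DECLARE @sql nvarchar(max) = N'ALTER LOGIN ' + QUOTENAME(@login) + N' DISABLE;';
        EXEC sys.sp_executesql @sql;
    END
END
ELSE
    PRINT N'No individual login for ' + @login + N'; any access comes through a group.';
```

The KILL commands are generated, not executed, so they can be checked against the session list before running them.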
April 22, 2011 at 10:14 am
BTW - great question.
Jason...AKA CirqueDeSQLeil
_______________________________________________
I have given a name to my pain...MCM SQL Server, MVP
SQL RNNR
Posting Performance Based Questions - Gail Shaw
Learn Extended Events
April 22, 2011 at 10:21 am
Ah well, I got that wrong. I thought MS would (by the time Windows 2003 Server was released) have been aware that leaving a hole like that would be bad for their already poor security reputation (that they were trying very hard to repair) and done something like automatically killing connections when a user account was disabled. I also thought Kerberos tickets expired much faster than that by default - they certainly were much shorter lived on the servers we installed on our customers' sites; that was clear from logged authentication data (I'm assuming the expiry was a small multiple of the refresh (reauthenticate) rate, as that's standard security engineering practice). I guess we must have overridden the default during installation - we did quite a lot of things with group policy, and I guess that was one of them.
edit: I forgot to mention that it's a good question.
Tom
April 22, 2011 at 11:44 am
Doesn't the fact that there is a "Kerberos ticket expiration" mean the correct answer is NO?
They cannot continue to log into SSMS indefinitely.
April 23, 2011 at 12:28 am
Thanks, good question 🙂
M&M
April 25, 2011 at 2:32 am
thanks for the good question.