Running SSMS after AD account is disabled

  • Nice question to end the week, but some references would have been great.

    Need an answer? No, you need a question
    My blog at https://sqlkover.com.
    MCSE Business Intelligence - Microsoft Data Platform MVP

  • Great question! Something every administrator needs to think about. Thank-you, and have a great week-end ahead.

    Thanks & Regards,
    Nakul Vachhrajani.
    http://nakulvachhrajani.com

    Follow me on
    Twitter: @sqltwins

  • In addition, the administrator should disable in AD and kill all disabled-user's connections.

  • Good Question for Administrators...keep this like posts for the DBAS

  • Additionally, when terminated, the employees are escorted out by security. Their personal items will be mailed to them.

    There is too much risk for sabotage when letting an employee roam around the campus after being terminated.

  • Shouldn't you also disable the user in SQL? (making sure you aren't dropping the only sysadmin)

    The Redneck DBA

  • Jason Shadonix (4/22/2011)

    Shouldn't you also disable the user in SQL? (making sure you aren't dropping the only sysadmin)

    If they are getting access through membership in an AD group, you may not want to disable the group's access and affect others in the group.

    This did make me curious if the user would be able to open a new query window or only execute queries in windows that are already open.

  • Jason Shadonix (4/22/2011)

    Shouldn't you also disable the user in SQL? (making sure you aren't dropping the only sysadmin)

    If that user's account has been added as a login individually - then yes. If not, would you add that user to then disable it (just in case that person is in a group that has been granted access)?

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw
    Learn Extended Events
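    The points raised in this thread (kill the disabled user's existing connections, check whether access comes from an explicit login or an AD group, and don't disable the only sysadmin) as one added T-SQL example. This is not code from the thread or from Microsoft; DOMAIN\jdoe is a placeholder account name, and the script assumes it runs under a sysadmin login on the instance in question.

```sql
-- Added example, constructed for this thread; DOMAIN\jdoe is a placeholder.
DECLARE @login sysname = N'DOMAIN\jdoe';

-- 1. How does this account reach the instance: an explicit login, or a
--    Windows group? xp_logininfo lists every permission path, so a group
--    path means disabling one explicit login would not cut the user off.
EXEC master..xp_logininfo @acctname = @login, @option = 'all';

-- 2. Kill the sessions that already exist. Disabling the AD account does
--    not end connections that were authenticated before the change, so
--    this step is explicit. KILL needs a literal id, hence dynamic SQL.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'KILL ' + CAST(session_id AS nvarchar(10)) + N';' + CHAR(10)
FROM sys.dm_exec_sessions
WHERE is_user_process = 1
  AND login_name = @login
  AND session_id <> @@SPID;
IF @sql <> N'' EXEC sp_executesql @sql;

-- 3. Disable the explicit login if there is one (type 'U' = Windows user),
--    but refuse when it is the only enabled member of sysadmin.
IF EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @login AND type = 'U')
BEGIN
    IF IS_SRVROLEMEMBER('sysadmin', @login) = 1
       AND (SELECT COUNT(*)
            FROM sys.server_role_members rm
            JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
            JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
            WHERE r.name = N'sysadmin' AND m.is_disabled = 0) <= 1
        RAISERROR(N'%s is the only enabled sysadmin; login not disabled.', 16, 1, @login);
    ELSE
        EXEC (N'ALTER LOGIN ' + QUOTENAME(@login) + N' DISABLE;');
END
```

    If step 1 shows a group path, disabling the explicit login only removes one path; the AD-side disable plus step 2 is what actually stops new and existing sessions for that user.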

  • BTW - great question.

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw
    Learn Extended Events

  • Ah well, I got that wrong. I thought MS would (by the time Windows 2003 Server was released) have been aware that leaving a hole like that would be bad for their already poor security reputation (that they were trying very hard to repair) and done something like automatically killing connections when a user account was disabled. I also thought Kerberos tickets expired much faster than that by default - they certainly were much shorter lived on the servers we installed on our customers' sites, that was clear from logged authentication data (I'm assuming the expiry was a small multiple of the refresh (reauthenticate) rate, as that's standard security engineering practise). I guess we must have overridden the default during installation - we did quite a lot of things with group policy, I guess that was one of them.

    edit: I forgot to mention that it's a good question.

    Tom

  • Koen Verbeeck (4/22/2011)

    Nice question to end the week, but some references would have been great.

    In case you haven't already found it, this documents default ticket life (10 hours).

    Tom

  • Doesn't the fact of "Kerberos ticket expiration" mean the correct answer is NO?

    They cannot continue to log into SSMS indefinitely.

  • Thanks, good question 🙂

    M&M

  • thanks for the good question.
