Change password/disable account - password cached?

[gbug]

Hi all, recently had a situation where an employee was dismissed and asked to
leave on the spot. I was aware of this, and changed the password of the
account, and then disabled the account. On their way out, this person passed
their workstation, logged onto their pc WITH their old password, and then
sucessfully sent out an email to someone. I would have thought that because
the password was changed, the exchange server should not let it send as
authentication should not occur.
Can someone please explain to me why this user was a)denied logon access to
their pc, and b) why they could still send an email out.
Also - what are best practices surrounding this? What do others do in this
situation?
Cheers!

[Lanwench [MVP - Exchange]]

gbug <gbug@discussions.microsoft.com> wrote:
> Hi all, recently had a situation where an employee was dismissed and
> asked to leave on the spot. I was aware of this, and changed the
> password of the account, and then disabled the account. On their way
> out, this person passed their workstation, logged onto their pc WITH
> their old password, and then sucessfully sent out an email to
> someone. I would have thought that because the password was changed,
> the exchange server should not let it send as authentication should
> not occur.
> Can someone please explain to me why this user was a)denied logon
> access to their pc, and b) why they could still send an email out.
> Also - what are best practices surrounding this? What do others do in
> this situation?
> Cheers!

Are you sure they weren't still logged in? Your change won't take effect
until they log out/in again.

If not - how many DCs do you have? Could be that replication hadn't
completed yet.

The only other thing I can think of is that they'd still be able to log in
using cached credentials (if they unplugged the network cable) - but then
they wouldn't be able to do anything on the network (even if they
reconnected it).

Best practices dictate escorting the recently fired party out of the
building if it's a concern. You can also disable their account rather than
just changing the password, even if it's just temporarily.

[Paul Bergson [MVP-DS]]

They must have been logged on at the machine they sat down at.

A better question would be why would you (Or anyone else) allow this
individual to use a company asset after they were asked to leave? A simple
no would probably have worked. I would think you should check the e-mail
that was sent out to verify some other password secrets weren't sent to
someone within the organization.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"gbug" <gbug@discussions.microsoft.com> wrote in message
news:0BE1CB04-C9E9-4745-B4C3-FC7E93C42E4C@microsoft.com...
> Hi all, recently had a situation where an employee was dismissed and asked
> to
> leave on the spot. I was aware of this, and changed the password of the
> account, and then disabled the account. On their way out, this person
> passed
> their workstation, logged onto their pc WITH their old password, and then
> sucessfully sent out an email to someone. I would have thought that
> because
> the password was changed, the exchange server should not let it send as
> authentication should not occur.
> Can someone please explain to me why this user was a)denied logon access
> to
> their pc, and b) why they could still send an email out.
> Also - what are best practices surrounding this? What do others do in this
> situation?
> Cheers!

[gbug]

The account was locked out.....
However, the workstation was still logged onto by the user. Im still
confused as to why they would have been able to send an email out if their
account couldnt authenticate properly (due to password change) unless the DC
that the exchange server talked to hadnt received the update to the account.
In future the machine should be logged out also.
Thanks.

"Lanwench [MVP - Exchange]" wrote:

> gbug <gbug@discussions.microsoft.com> wrote:
> > Hi all, recently had a situation where an employee was dismissed and
> > asked to leave on the spot. I was aware of this, and changed the
> > password of the account, and then disabled the account. On their way
> > out, this person passed their workstation, logged onto their pc WITH
> > their old password, and then sucessfully sent out an email to
> > someone. I would have thought that because the password was changed,
> > the exchange server should not let it send as authentication should
> > not occur.
> > Can someone please explain to me why this user was a)denied logon
> > access to their pc, and b) why they could still send an email out.
> > Also - what are best practices surrounding this? What do others do in
> > this situation?
> > Cheers!
>
> Are you sure they weren't still logged in? Your change won't take effect
> until they log out/in again.
>
> If not - how many DCs do you have? Could be that replication hadn't
> completed yet.
>
> The only other thing I can think of is that they'd still be able to log in
> using cached credentials (if they unplugged the network cable) - but then
> they wouldn't be able to do anything on the network (even if they
> reconnected it).
>
> Best practices dictate escorting the recently fired party out of the
> building if it's a concern. You can also disable their account rather than
> just changing the password, even if it's just temporarily.
>
>
>