Quick take: Disabling users

Here is a quick one for today – we received a call from an executive saying that they were in the process of terminating an employee, effective immediately. They wanted the account disabled. A junior technician disabled the account and was done. However, what caught the customer by surprise was that the user was still on their computer working – how could this be?

Basically, Windows workstations cache credentials, and the only time a workstation will try to authenticate is when the user tries to use a network resource, at which point network access will be denied. However, there is nothing you can do to a user account to prevent the user from accessing their workstation if they are already logged on and/or are off the network. The only way to lock them out of their computer is to reboot the system or otherwise force them to authenticate to the domain controller. On that note, what about remote laptop users? Say it is a salesperson with a desktop and a laptop, and they left the laptop at home: how do you prevent access? You can choose to disable cached credentials so they must always authenticate against the domain controller via a VPN or another method.
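
The steps above as one offboarding script. This is an added example, not part of the original post: it disables the account, turns off cached logons on each of the user's machines, and reboots them so the next logon has to reach a domain controller. It assumes the ActiveDirectory module, PowerShell remoting enabled on the workstations, and placeholder account and computer names supplied by the caller.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original post). Parameter values are placeholders
# supplied by the operator, e.g. -SamAccountName jdoe -ComputerName PC-01,LT-01
param(
    [Parameter(Mandatory)] [string]   $SamAccountName,
    [Parameter(Mandatory)] [string[]] $ComputerName
)

# 1. Disable the account in the domain. On its own this only blocks new
#    authentications against a domain controller, not an existing session.
Disable-ADAccount -Identity $SamAccountName

# Winlogon value behind the policy "Interactive logon: Number of previous
# logons to cache". Default is 10; "0" disables cached logons.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

foreach ($computer in $ComputerName) {
    # A machine that is off the network (the laptop left at home) cannot be
    # reached; cached logon keeps working there until it is changed.
    if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
        Write-Warning "$computer unreachable: cached logon still possible on it."
        continue
    }

    # 2. Record the current setting, then disable cached logons.
    $previous = Invoke-Command -ComputerName $computer -ScriptBlock {
        $old = (Get-ItemProperty -Path $using:winlogon).CachedLogonsCount
        Set-ItemProperty -Path $using:winlogon -Name CachedLogonsCount `
            -Value '0' -Type String
        $old
    }
    Write-Output "$computer CachedLogonsCount: '$previous' -> '0'"

    # 3. Reboot to end the live session and force the next logon to
    #    authenticate against a domain controller.
    Restart-Computer -ComputerName $computer -Force
}
```

If a Group Policy object already sets the cached-logon count, change it there instead, since policy refresh will overwrite a local registry edit.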