
I work for a highly distributed IT-based consulting firm with approximately 150 users in the field at different client sites at any given time. As we have grown, we have needed the ability to disable a user's access to a company laptop remotely. Is there something out there that will prevent that user from logging into his laptop once his account has been disabled in Active Directory? As it has been explained to me, the answer is basically "Not until communication with the AD has been established," either via VPN or them coming to one of our main branches. Is this correct? Are there any third-party applications that can facilitate this? I personally can't work out a situation where it's possible to do this without the minimum requirement of an active network connection.

Xap
  • FYI, I am most certainly willing to be told this is impossible, as I personally believe that it is. But management wants the option and I feel it necessary to check all options. – Xap Aug 20 '09 at 16:42

6 Answers

4

We have run into this same problem with our remote, work-at-home staff when someone quits or is let go.

Our solution is to basically assume that since they have physical access to the laptop, there is no point in trying to disable their account remotely (a simple boot CD can give access to the hard drive again). Instead, we just remove all remote access to our network (VPN, AD accounts) so they can no longer access protected resources.

Doug Luxem
0

We have had similar situations within our company.

You have basically two options:

  1. wait for the local cache to expire, then the login will stop working. Takes a few days. There might even be a setting somewhere in the registry, but we have so far not bothered looking for it. Once that has happened, and there are no local user accounts (of which the user knows the password), the laptop/desktop effectively becomes useless to that person.
  2. configure your VPN to start up as a service. In that case the VPN connection is established before the login screen comes up and the disabled account immediately results in a login failure. Once that has happened, the local cache is also in that status and you can then disable the VPN credentials.

Obviously, the second option does require a bit of preparation and your question sounds like you don't have that option.

wolfgangsz
  • Even forcing a VPN connection does not help as the person can disconnect their laptop from the network completely. – Doug Luxem Aug 20 '09 at 17:48
  • I'm not sure what the timeframe on the local password cache expiring is, but it's definitely longer than a few days. – Carl C Aug 20 '09 at 23:38
0

You can turn off password caching in Windows completely; however, this would require that they be able to access the network prior to logging in.

Turning off password caching.

geeklin
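Both the "setting somewhere in the registry" mentioned in wolfgangsz's answer and the "turn off password caching" approach in geeklin's answer refer to the same Winlogon value, CachedLogonsCount (the Group Policy name is "Interactive logon: Number of previous logons to cache (in case domain controller is not available)"). The following PowerShell is an added example, not code from any of the answers; it audits the current setting and shows how an administrator would set it to 0 so that domain users can only log on while a domain controller is reachable.

```powershell
# Added example: audit and optionally set how many domain logons Windows caches
# locally. CachedLogonsCount is stored as REG_SZ (a string); when the value is
# absent, Windows uses its default of 10. Policy-allowed range is 0 to 50.
# Run from an elevated PowerShell session.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    $item = Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }          # value not present -> Windows default
    return [int]$item.CachedLogonsCount
}

function Set-CachedLogonsCount {
    param([ValidateRange(0, 50)][int]$Count)
    # Keep the REG_SZ type; writing a DWORD here is a common mistake that Windows ignores.
    Set-ItemProperty -Path $winlogon -Name CachedLogonsCount -Value ([string]$Count) -Type String
}

$current = Get-CachedLogonsCount
Write-Host "Cached domain logons allowed on this machine: $current"
if ($current -gt 0) {
    Write-Host "A disabled domain account can still log on offline until its cached entry is gone."
} else {
    Write-Host "Caching is off: domain logon requires a reachable domain controller."
}

# Uncomment to enforce the setting discussed in the answers above. This blocks offline
# logon for every domain user of the laptop, so pair it with a pre-logon (service) VPN.
# Set-CachedLogonsCount -Count 0
```

As the answers note, this only controls who can log on to Windows; it does nothing against someone with physical access booting from other media, so full-disk encryption is still the control for the data itself.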
0

Install everything on an encrypted partition that must access a key over the network in an authenticated fashion which makes the partition readable. This of course would be complicated to do after the fact.

You can then revoke the authentication to this key whenever you like, or just block that request.

dlamblin
0

I'm guessing that the remote person needs to be denied access to company and/or client files as quickly as possible, which suggests something in the trust system has broken down. As these are IT consultants I would expect them to be aware of at least some of the many ways that they can get full access to the computer. If they cannot be trusted with the information on the computers I would suggest they also cannot be trusted to be good little boys and girls and not simply crack the system, which makes the entire exercise just a little pointless.

The Golden Rule of computer access: The person who has physical access to a computer potentially has access to what's on said computer. Encrypted drives are your only hope in such a circumstance.

John Gardeniers
0

The short answer is, "No." The reason is that without communication with some sort of interface on your side to tell the computer that there has been a change to the user's status, the computer doesn't know to perform the action. Even with that said, as John Gardeniers pointed out, if they have physical access, they can still potentially access the computer's contents. One of the rules of security from Microsoft's list is appropriate... (paraphrased) "If I have physical access to your computer, it's not your computer anymore."

One common technique, if the user has administrative rights, is simply to create a local user account. If they don't have admin rights, there are still some techniques to escalate privileges to an administrative-level user and then create the user account. Then all the other techniques of stopping access are bypassed. This illustrates that security principle.

K. Brian Kelley