Originally Posted by markt
I have a client that I need to make sure that remote internet connections are not possible, and maybe change passwords.
The computers on the physical network still need to connect to the server.
How do you configure that?
Reason is an employee just got canned, and he wants to make sure she can't mess with his stuff.
Open Active Directory Users and Computers
under Administrative Tools.
Located the user account in question.
Right-click user account and Reset Password
. Usually, I open up Notepad as well, and just smash the keyboard a bunch of time to generate a random password, such as: UIODSTYHI&*q43y57843ywe6 8943tr5
, and then copy and paste this into the Reset password box
Double-click user account, select the Member Of
tab, take a screenshot of the groups the user is a member of, save screenshot somewhere, and then remove the user from all the groups except maybe the basic Primary Group listed below.
Finally, you should move the specified user account to another Organizational Unit (OU) within the Active Directory. I normally have an OU called Disabled Users
or Former Employees
After a certain amount of time, you would then disable the user account and either reject email addressed to her, or move her SMTP address to another user / manager.
If the user had access to any account with Administrator-level privileges, then you would need to reset those passwords as well, but doing so can muck with your server really badly if you don't do it properly, since there may be programs and or services that rely on the old credentials.
You should check the services (Start | Run | Services.msc), and check the "Log On As" column to see what services rely on which accounts.
Generally, you should not
be giving out the domain administrator account or any other administrator account to any user to use. You should modify the user's AD account with the appropriate group memberships.
Which version of SBS are you running, btw?