Options
Password change replication question
Management has presented me with a scenario that my caffeine deprived brain can't seem to figure out so maybe someone could help me. In this scenario an IT manager is fired or quits suddenly (the old annoy the employee until he can't stand it and leaves disgruntled routine) and immediately attempts to change the domain admin password on a field server.
Presumably myself, or the other IT employee with admin rights is told of the departure and is asked to change the password to prevent him from sabotoging anything. Now if I were to change the password locally on a DC in the admin office at almost the same time as he changed the password on the field server and given that the field servers in some cases are on slow links and aren't direct replication partners with the admin server is it possible his password change could overwrite mine, given that replication of password change replication works as last write wins?
Presumably myself, or the other IT employee with admin rights is told of the departure and is asked to change the password to prevent him from sabotoging anything. Now if I were to change the password locally on a DC in the admin office at almost the same time as he changed the password on the field server and given that the field servers in some cases are on slow links and aren't direct replication partners with the admin server is it possible his password change could overwrite mine, given that replication of password change replication works as last write wins?
Comments
-
Options
unknown1234
Member Posts: 29 ■□□□□□□□□□
The later of the two will feel the affects. Hopefully you are not the one getting canned
-
Optionshanakuin
Member Posts: 144
1.) Hopefully company policy states that once an employee is terminated they must turn in keys/badges and security accompanies the termed employee as they clean out their office until they have left the premisis. Along with quick notification from HR so yuo can disable their user IDs and change the password on all admin accounts to be safe.
2.) Make sure there are multiple domain admins so one super user cannot lock up the system.
3.) Create a dc the either replicates extremely slowly or once a few days. You can disable the netlogon service on this dc to prevent replication at all and use it as a dr server. Make sure it is enabled to logon to the network and replicate every 30 days or so.
Just a few ideas to throw out there. -
Optionsmbeaven
Member Posts: 50 ■■□□□□□□□□
Thanks for the info. Actually I was not the one being canned but I'm thankfully not at that job anymore. I learned to do a more thorough job of interviewing the interviewer for my new position.
This scenario arose mainly due to the lack of policy at this company. And the fact that instead of going through proper channels to terminate the employee they want to make his life hell until he decides to quit. It makes for a very unpleasant experience, since I didn't know when he might react badly and what he might decide to do to the systems.
At any rate not my problem anymore and I hope I'm never in that situation again, I think I got a few ulcers out of the deal.