I have come across a strange feature (not sure I would call it a feature). In the NetWare world I am leaving, when an employee would be terminated, I would disable their account and that's it, they would go to their computer and their login would be denied.
In the Windows/AD world I am moving to, it seems they get one more login to the local workstation. I have tested and successfully logged in to a workstation after disabling the account in AD. Shortly after, the desktop asks me to lock the workstation, and subsequent logins are denied, but for that 1st login I can do anything I want, including deleting files and such. Not on the server, but definitely locally. Since it worked on the user's workstation, I'm guessing they could go to any computer in the domain they had logged into before and get one more shot on each desktop.
How do I stop this? How do I make it so they don't get one last login to the desktop?