
How to restrict Disabled users from login

Created: 26 Oct 2012 | 7 comments

Hi,

We are using PGP Universal server 3.2 and have configured WDE.

Multiple users log in to the same system on a shift basis.

In PGP Desktop we have created users who log in to the respective systems.

Issue:

Even after disabling the user in Active Directory, if we try to log in to the system with the disabled username from PGP BootGuard, the system boots and the user is able to log in.

Only after logoff, the next time, it does not allow login.

Please let me know if we can clear the cache for login, or if there is any other method to avoid logins from disabled users.

Thanks in advance.

7 Comments

Alex_CST

You will need to decrease the time in which policy is refreshed.  Policy refreshes happen by default every 24 hours, or automatically when PGP Desktop starts - which is why after the next logoff they are no longer able to log in.

Depending on the size of the organisation, change the policy refresh accordingly; it can be set to as low as 5 minutes (off the top of my head).

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

Ajju

I have configured the policy "Download policy updates from PGP Universal every 5 mins", but we can still log in with deleted users, and it is also taking more time to log in.

vaibhav_jain1

OK. I think I understand the problem here. PGP BG is using a stored cache to log in to the system. After you disable that user in AD, it only gets updated the next time you log in. You want this to be updated without logging off the system?

If that is correct, this is due to the Windows implementation of how it syncs user credentials with AD. Although it shouldn't work, try gpupdate.

I'll get back to you with more on this.

Ajju

The log-off option is removed from users' systems, as this is one of the project requirements. Users can only shut down systems.

Alex_CST

Just to confirm, does it work if you run gpupdate /force?

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

Ajju

When we run gpupdate /force, a message to press "ctrl-alt-del" is displayed in the task bar.

If we press "ctrl-alt-del", it works and the user will not be able to log in. But nobody will follow this, and as per compliance, this is not suggested.

lorainebell

Oh! Thanks for the information. I thought you had to format the settings and refresh it.