https://live.paloaltonetworks.com/t5/general-topics/global-protect-limitations/m-p/76062#M42152 <P>ok so if we base on cert and the machine become disabled in AD, we can revoke the cert and eliminate users from connecting?</P> Fri, 08 Apr 2016 13:58:02 GMT rrau 2016-04-08T13:58:02Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-limitations/m-p/76020#M42139 <P>Is there a way to stop disabled AD computer accounts from connecting to GP? &nbsp;We have a HIP profile attached to the GP rules which force the user to be compliant (ie. member of domain and have AntiVirus). &nbsp;however, when we disable their computer account, they are still able to connect. &nbsp;We can stop them from connecting by removing their user account from the allowed AD group however, we dont disable user accounts as much as we do computer accts.</P> Thu, 07 Apr 2016 21:06:00 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-limitations/m-p/76020#M42139 rrau 2016-04-07T21:06:00Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-limitations/m-p/76023#M42141 <P>You authenticate based on user credentials?</P> <P>Maybe you add second factor - computer certificate that you roll out from AD.</P> Thu, 07 Apr 2016 21:37:46 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-limitations/m-p/76023#M42141 Raido_Rattameister 2016-04-07T21:37:46Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-limitations/m-p/76060#M42150 <P>Yes, we authenticate based on user creds.</P> <P>maybe we could user certs..hmmm</P> Fri, 08 Apr 2016 13:29:11 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-limitations/m-p/76060#M42150 rrau 2016-04-08T13:29:11Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-limitations/m-p/76061#M42151 <P>Yes you can.</P> <P>AD cert service will enroll user certs to all users.</P> <P>And GP can authenticate based on cert, username/password or both.</P> Fri, 08 Apr 2016 13:43:15 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-limitations/m-p/76061#M42151 Raido_Rattameister 2016-04-08T13:43:15Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-limitations/m-p/76062#M42152 <P>ok so if we base on cert and the machine become disabled in AD, we can revoke the cert and eliminate users from connecting?</P> Fri, 08 Apr 2016 13:58:02 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-limitations/m-p/76062#M42152 rrau 2016-04-08T13:58:02Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-limitations/m-p/76067#M42156 <P>Yes.</P> <P>Or modify this powershell a bit to check disabled computer accounts instead of user accounts and schedule it to run every now and then to disable certificates automatically.</P> <P><A href="http://mikepfeiffer.net/2013/04/restricting-access-to-lync-for-disabled-active-directory-users/" target="_self">http://mikepfeiffer.net/2013/04/restricting-access-to-lync-for-disabled-active-directory-users/</A></P> Fri, 08 Apr 2016 14:58:29 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-limitations/m-p/76067#M42156 Raido_Rattameister 2016-04-08T14:58:29Z