04-07-2016 02:06 PM
Is there a way to stop disabled AD computer accounts from connecting to GP? We have a HIP profile attached to the GP rules which forces the user to be compliant (i.e. member of domain and have AntiVirus). However, when we disable their computer account, they are still able to connect. We can stop them from connecting by removing their user account from the allowed AD group; however, we don't disable user accounts as much as we do computer accts.
04-07-2016 02:37 PM
You authenticate based on user credentials?
Maybe you could add a second factor - a computer certificate that you roll out from AD.
04-08-2016 06:29 AM
Yes, we authenticate based on user creds.
Maybe we could use certs... hmmm
04-08-2016 06:42 AM - edited 04-08-2016 06:43 AM
Yes you can.
AD cert service will enroll user certs to all users.
And GP can authenticate based on cert, username/password or both.
04-08-2016 06:58 AM
OK, so if we base on cert and the machine becomes disabled in AD, we can revoke the cert and eliminate users from connecting?
04-08-2016 07:58 AM
Yes.
Or modify this PowerShell a bit to check disabled computer accounts instead of user accounts and schedule it to run every now and then to disable certificates automatically.
http://mikepfeiffer.net/2013/04/restricting-access-to-lync-for-disabled-active-directory-users/
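One way to script the check described in the reply above, as an added example that is not part of the original thread or the linked post: it lists disabled computer accounts and revokes their issued certificates on an AD CS CA with certutil. The CA config string is a placeholder, and the script assumes each machine certificate's common name is the computer's DNS host name.

```powershell
# Added example: revoke machine certificates of disabled AD computer accounts.
# Assumptions (not from the thread): the CA config string below is a placeholder,
# and machine certificates carry the computer's DNS host name as CommonName.
#Requires -Modules ActiveDirectory
param(
    [string]$CAConfig = 'ca01.example.local\Example-Issuing-CA',  # placeholder
    [switch]$Apply   # without -Apply the script only reports what it would revoke
)

$issued = 20   # Disposition value of issued certificates in the CA database
$reason = 5    # CRL reason: cessation of operation (6 = certificate hold, reversible)

# Disabled computer objects that have a DNS host name to match against the CA.
$disabled = Get-ADComputer -Filter 'Enabled -eq $false' -Properties DNSHostName |
    Where-Object DNSHostName

foreach ($computer in $disabled) {
    # Only certificates that are still issued; already revoked ones are skipped,
    # so the script can run repeatedly from a scheduled task.
    $restrict = "Disposition=$issued,CommonName=$($computer.DNSHostName)"
    $rows = certutil -config $CAConfig -view -restrict $restrict -out SerialNumber csv
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "CA query failed for $($computer.DNSHostName)"
        continue
    }

    # First CSV row is the column header; the rest are quoted serial numbers.
    $serials = $rows | Select-Object -Skip 1 |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ -match '^[0-9a-fA-F]+$' }

    foreach ($serial in $serials) {
        if (-not $Apply) {
            Write-Output "Would revoke $serial ($($computer.DNSHostName))"
            continue
        }
        certutil -config $CAConfig -revoke $serial $reason | Out-Null
        if ($LASTEXITCODE -eq 0) {
            Write-Output "Revoked $serial ($($computer.DNSHostName))"
        } else {
            Write-Warning "Revoke failed for $serial ($($computer.DNSHostName))"
        }
    }
}
```

Revocation only blocks a connection if the certificate profile used by GlobalProtect checks CRL or OCSP, and a revoked machine keeps being accepted until the firewall has fetched a CRL that lists it.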
 
					
				
				
			
		

