Disabling an account in AD isn't instant, but a lockout is.
tl;dr - Disabling an account in AD will replicate normally, which can give an attacker quite a bit of time :)
Disabling an account only flips a bit in the userAccountControl attribute, and that change replicates like any other - i.e. on the normal schedule.

A lockout is different. Once BadLogonCount (badPwdCount) exceeds the domain's Lockout-Threshold, the DC stamps lockoutTime on the account (the domain's Lockout-Duration decides how long the lock lasts), and that change is handled by immediate replication instead of "normal" replication. The counters behind it, BadLogonCount and LastBadPasswordAttempt (badPasswordTime), aren't replicated at all - each DC keeps its own copy and reports bad attempts to the PDC emulator.

How long "normal" replication takes depends on where the DCs sit:

Intra-site: the DC that took the change notifies its partners after the msDS-Replication-Notify-First-DSA-Delay and msDS-Replication-Notify-Subsequent-DSA-Delay attributes configured on the site (a few seconds if they're left at the defaults).

Inter-site: the change waits for the site link schedule, which by default fires every 180 minutes.

Exception - "Urgent Replication": a lockout is one of the few changes that gets this treatment. It skips the msDS-Replication-Notify-First-DSA-Delay and msDS-Replication-Notify-Subsequent-DSA-Delay delays and notifies partners straight away - but only within a site. It does not cross a site link unless change notification is enabled on that link.

Curiously, an account unlock is not immediate. And because a disable never gets urgent treatment, and even a lock stops at the site boundary, you can be waiting 180 minutes for an account lock (or disable) to come into effect in a remote office.
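As an added example (this is not code from the original post), here is a PowerShell audit that asks every DC directly for its own copy of an account, so you can watch a disable or lockout trickle out, and then dumps the replication timers the text above talks about. It assumes the RSAT ActiveDirectory module, read access to user attributes on each DC, and a sample account name of jdoe, which is an assumption you should replace.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module and
# a sample account 'jdoe' (assumption - replace with the account you just disabled/locked).
Import-Module ActiveDirectory

$sam = 'jdoe'

# 1. Query each DC with -Server so we see that DC's own replica, not whatever the
#    nearest DC happens to hold. Differences between rows = replication lag.
$dcs = Get-ADDomainController -Filter * | Sort-Object Site, HostName
$state = foreach ($dc in $dcs) {
    try {
        $u = Get-ADUser -Identity $sam -Server $dc.HostName `
                -Properties userAccountControl, lockoutTime, badPwdCount, badPasswordTime
        # badPasswordTime is a FILETIME; 0 / null means no bad attempt seen by this DC.
        $lastBad = $null
        if ($u.badPasswordTime) { $lastBad = [datetime]::FromFileTime($u.badPasswordTime) }
        [pscustomobject]@{
            DC        = $dc.HostName
            Site      = $dc.Site
            Disabled  = [bool]($u.userAccountControl -band 0x2)   # ADS_UF_ACCOUNTDISABLE, replicates normally
            LockedOut = [bool]($u.lockoutTime -gt 0)              # replicates urgently (intra-site only)
            BadPwd    = $u.badPwdCount                            # not replicated - per-DC counter
            LastBad   = $lastBad                                  # not replicated - per-DC timestamp
        }
    } catch {
        Write-Warning "Could not query $($dc.HostName): $_"
    }
}
$state | Format-Table -AutoSize

# 2. Intra-site notification delays, in seconds. Null means the attribute is unset
#    and the forest default applies (15 s first / 3 s subsequent on current forests).
Get-ADReplicationSite -Filter * `
    -Properties 'msDS-Replication-Notify-First-DSA-Delay', 'msDS-Replication-Notify-Subsequent-DSA-Delay' |
    Select-Object Name,
        @{n='FirstDelay';      e={ $_.'msDS-Replication-Notify-First-DSA-Delay' }},
        @{n='SubsequentDelay'; e={ $_.'msDS-Replication-Notify-Subsequent-DSA-Delay' }} |
    Format-Table -AutoSize

# 3. Inter-site: the schedule interval and whether change notification is switched on.
#    Bit 0x1 of the site link's 'options' attribute is USE_NOTIFY (inter-site change notification).
Get-ADReplicationSiteLink -Filter * -Properties options |
    Select-Object Name,
        @{n='IntervalMinutes';    e={ $_.ReplicationFrequencyInMinutes }},
        @{n='ChangeNotification'; e={ [bool]($_.options -band 0x1) }} |
    Format-Table -AutoSize
```

Note the lockoutTime caveat: the attribute is not zeroed when Lockout-Duration expires, the DC just stops honouring it, so a row showing LockedOut=True on an old timestamp may already be unlocked in practice; the AD module's LockedOut extended property does that maths for you if you only care about the effective state. Rows where Disabled differs between sites are exactly the window the post is describing.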
You can make inter-site replication immediate with 'Inter-Site change notification', but I haven't seen it deployed in any of the places I've checked - perhaps it's common elsewhere?
If an insider threat materialises (read: an attacker you had on payroll), disabling their account isn't going to do much straight away - they could drive to another remote office and still log in to steal a bunch of stuff before the disable has replicated there.
That's before considering Kerberos at all. Tickets an account already holds stay valid until they expire (hours, by default), and a service validates a ticket with its own key rather than going back to a DC to ask whether the account still exists - so if an attacker steals Kerberos tickets, you're going to be in grief for a few hours regardless of how fast the disable replicates.
Also worth mentioning: if their machine is still logged in and they didn't lock their Windows box, they've still got a session they can use until other systems stop accepting their Kerberos credentials (i.e. SharePoint, where you're keeping all the goodies).
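Given that a disable only ever replicates on the normal schedule, the practical fix is to not wait for the schedule. As an added example (not code from the original post), this disables the account on the PDC emulator and then uses Sync-ADObject to push just that one object to every other DC immediately, then re-reads each DC to prove the bit landed. It assumes the ActiveDirectory module, rights to disable the account and to trigger replication (Domain Admin or an equivalent delegation), RPC reachability to every DC, and a sample account jdoe, which is an assumption.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module,
# replication rights, RPC access to each DC, and a sample account 'jdoe' (assumption).
Import-Module ActiveDirectory

$sam = 'jdoe'

# 1. Make the change on a known DC (the PDC emulator) so there is one source of truth
#    to replicate from; a plain Disable-ADAccount would pick whichever DC is closest.
$pdc  = (Get-ADDomain).PDCEmulator
$user = Get-ADUser -Identity $sam -Server $pdc
Disable-ADAccount -Identity $user -Server $pdc

# 2. Normal replication would leave userAccountControl stale on remote-site DCs for up
#    to the site link interval (180 minutes by default). Sync-ADObject replicates a
#    single object from the source DC to the destination DC right now, site links or not.
$targets = Get-ADDomainController -Filter * | Where-Object { $_.HostName -ne $pdc }
foreach ($dc in $targets) {
    try {
        Sync-ADObject -Object $user.DistinguishedName -Source $pdc -Destination $dc.HostName
    } catch {
        # Unreachable DCs are the ones an insider could still authenticate against -
        # treat a failure here as an open door, not a warning to ignore.
        Write-Warning "Replication to $($dc.HostName) failed: $_"
    }
}

# 3. Verify against each DC's own replica (-Server), not the nearest one.
foreach ($dc in Get-ADDomainController -Filter * | Sort-Object Site, HostName) {
    try {
        $u = Get-ADUser -Identity $sam -Server $dc.HostName -Properties userAccountControl
        $disabled = [bool]($u.userAccountControl -band 0x2)   # ADS_UF_ACCOUNTDISABLE
        '{0,-12} {1,-40} disabled={2}' -f $dc.Site, $dc.HostName, $disabled
    } catch {
        Write-Warning "Could not verify $($dc.HostName): $_"
    }
}
```

This closes the replication gap only. Kerberos tickets the user already holds are untouched by any of it, and an interactive session that is still logged in keeps working, so the disable still needs to be paired with kicking the session off the machine and, where the service supports it, invalidating what it has cached.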
Keeping that in mind, if you want to offboard your employees: