Network Services Can Be Accessed After Account Is Disabled

Article ID: 274064 - View products that this article applies to.
This article was previously published under Q274064
Expand all | Collapse all

SYMPTOMS

A user who is interactively logged on can continue to access network services (for example, remote file shares) after that user's account has been disabled.

You might expect this behavior if the Enforce Logon Restrictions setting is disabled; however, you may experience this behavior even with the Enforce Logon Restrictions setting enabled.
Back to the top | Give Feedback

CAUSE

This behavior can occur under the following conditions:
  • The user already had a connection to the network service at the time the account was disabled. Disabling the account does not disconnect existing network service connections. (This also applies to Microsoft Windows NT 4.0.)
  • The user already had a cached Kerberos "service ticket" for a network service, which allows the user to be authenticated and reconnect to the service until the ticket expires. The default ticket expiration time is 10 hours. In a default configuration, the user may have such a ticket if the user attempted to be authenticated with the service within the last 10 hours.
  • The user already had a Kerberos "ticket granting ticket" (TGT), which allows the user to obtain service tickets. If the Enforce Logon Restrictions setting is enabled, the user can obtain service tickets for up to 20 minutes after the account is disabled. The exact time depends on how long replication of the account information takes to reach all domain controllers. If the Enforce Logon Restrictions setting is not enabled, the user can obtain service tickets until the TGT expires; the default expiration period is 10 hours.
Back to the top | Give Feedback

RESOLUTION

To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910
(http://support.microsoft.com/kb/260910/EN-US/ )
How to Obtain the Latest Windows 2000 Service Pack
Back to the top | Give Feedback

STATUS

Microsoft has confirmed that this is a problem in Microsoft Windows 2000.
This problem was first corrected in Windows 2000 Service Pack 2.
Back to the top | Give Feedback

Properties

Article ID: 274064 - Last Review: February 19, 2007 - Revision: 2.2
APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
Keywords: 
kbbug kbfix kbwin2000presp2fix KB274064
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top