A user who is interactively logged on can continue to access network services (for example, remote file shares) after that user's account has been disabled.
You might expect this behavior if the Enforce Logon Restrictions
setting is disabled; however, you may experience this behavior even with the Enforce Logon Restrictions
This behavior can occur under the following conditions:
- The user already had a connection to the network service at the time the account was disabled. Disabling the account does not disconnect existing network service connections. (This also applies to Microsoft Windows NT 4.0.)
- The user already had a cached Kerberos "service ticket" for a network service, which allows the user to be authenticated and reconnect to the service until the ticket expires. The default ticket expiration time is 10 hours. In a default configuration, the user may have such a ticket if the user attempted to be authenticated with the service within the last 10 hours.
- The user already had a Kerberos "ticket granting ticket" (TGT), which allows the user to obtain service tickets. If the Enforce Logon Restrictions setting is enabled, the user can obtain service tickets for up to 20 minutes after the account is disabled. The exact time depends on how long replication of the account information takes to reach all domain controllers. If the Enforce Logon Restrictions setting is not enabled, the user can obtain service tickets until the TGT expires; the default expiration period is 10 hours.
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the
Microsoft Knowledge Base:
How to Obtain the Latest Windows 2000 Service Pack
Microsoft has confirmed that this is a problem in Microsoft Windows 2000.
This problem was first corrected in Windows 2000 Service Pack 2.
Article ID: 274064 - Last Review: October 21, 2013 - Revision: 2.2
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
|kbnosurvey kbarchive kbbug kbfix kbwin2000presp2fix KB274064|