Network Services Can Be Accessed After Account Is Disabled

Article translations Article translations
Article ID: 274064 - View products that this article applies to.
This article was previously published under Q274064
This article has been archived. It is offered "as is" and will no longer be updated.
Expand all | Collapse all

SYMPTOMS

A user who is interactively logged on can continue to access network services (for example, remote file shares) after that user's account has been disabled.

You might expect this behavior if the Enforce Logon Restrictions setting is disabled; however, you may experience this behavior even with the Enforce Logon Restrictions setting enabled.

CAUSE

This behavior can occur under the following conditions:
  • The user already had a connection to the network service at the time the account was disabled. Disabling the account does not disconnect existing network service connections. (This also applies to Microsoft Windows NT 4.0.)
  • The user already had a cached Kerberos "service ticket" for a network service, which allows the user to be authenticated and reconnect to the service until the ticket expires. The default ticket expiration time is 10 hours. In a default configuration, the user may have such a ticket if the user attempted to be authenticated with the service within the last 10 hours.
  • The user already had a Kerberos "ticket granting ticket" (TGT), which allows the user to obtain service tickets. If the Enforce Logon Restrictions setting is enabled, the user can obtain service tickets for up to 20 minutes after the account is disabled. The exact time depends on how long replication of the account information takes to reach all domain controllers. If the Enforce Logon Restrictions setting is not enabled, the user can obtain service tickets until the TGT expires; the default expiration period is 10 hours.

RESOLUTION

To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack

STATUS

Microsoft has confirmed that this is a problem in Microsoft Windows 2000.
This problem was first corrected in Windows 2000 Service Pack 2.

Properties

Article ID: 274064 - Last Review: October 21, 2013 - Revision: 2.2
APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
Keywords: 
kbnosurvey kbarchive kbbug kbfix kbwin2000presp2fix KB274064

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com