This article was previously published under Q274064
This article has been archived. It is offered "as is" and will no longer be updated.
A user who is interactively logged on can continue to access network services (for example, remote file shares) after that user's account has been disabled.
You might expect this behavior if the Enforce Logon Restrictions setting is disabled; however, you may experience this behavior even with the Enforce Logon Restrictions setting enabled.
This behavior can occur under the following conditions:
The user already had a connection to the network service at the time the account was disabled. Disabling the account does not disconnect existing network service connections. (This also applies to Microsoft Windows NT 4.0.)
The user already had a cached Kerberos "service ticket" for a network service, which allows the user to be authenticated and reconnect to the service until the ticket expires. The default ticket expiration time is 10 hours. In a default configuration, the user may have such a ticket if the user attempted to be authenticated with the service within the last 10 hours.
The user already had a Kerberos "ticket granting ticket" (TGT), which allows the user to obtain service tickets. If the Enforce Logon Restrictions setting is enabled, the user can obtain service tickets for up to 20 minutes after the account is disabled. The exact time depends on how long replication of the account information takes to reach all domain controllers. If the Enforce Logon Restrictions setting is not enabled, the user can obtain service tickets until the TGT expires; the default expiration period is 10 hours.
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in theMicrosoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
Microsoft has confirmed that this is a problem in Microsoft Windows 2000. This problem was first corrected in Windows 2000 Service Pack 2.