Network Services Can Be Accessed After Account Is Disabled (274064)

SYMPTOMS

A user who is interactively logged on can continue to access network services (for example, remote file shares) after that user's account has been disabled.

You might expect this behavior if the Enforce Logon Restrictions setting is disabled; however, you may experience this behavior even with the Enforce Logon Restrictions setting enabled.

CAUSE

This behavior can occur under the following conditions:

The user already had a connection to the network service at the time the account was disabled. Disabling the account does not disconnect existing network service connections. (This also applies to Microsoft Windows NT 4.0.)
The user already had a cached Kerberos "service ticket" for a network service, which allows the user to be authenticated and reconnect to the service until the ticket expires. The default ticket expiration time is 10 hours. In a default configuration, the user may have such a ticket if the user attempted to be authenticated with the service within the last 10 hours.
The user already had a Kerberos "ticket granting ticket" (TGT), which allows the user to obtain service tickets. If the Enforce Logon Restrictions setting is enabled, the user can obtain service tickets for up to 20 minutes after the account is disabled. The exact time depends on how long replication of the account information takes to reach all domain controllers. If the Enforce Logon Restrictions setting is not enabled, the user can obtain service tickets until the TGT expires; the default expiration period is 10 hours.

RESOLUTION

To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

Network Services Can Be Accessed After Account Is Disabled (274064)

SYMPTOMS

CAUSE

RESOLUTION

STATUS