What happens if I disable an account while a user is logged in?

Methodical

win2k3 AD. What happens if I disable an account while a user is logged in?

What is the delay before they lose access to network resources? Do they have to log off before it fully takes effect on their local computer?
 
They won't be forced offline.

The user will not be able to access any of the resources on the AD server, or any resources that have not had the login 'cached'.

I'm not too sure if this applies to 2003, as I am still using 2000advserv for my primary.

Good luck!
 
Yeah, I have seen users that have full access until they log off, i.e. access to mapped drives on the AD domain, e-mail, pretty much everything.

This is on both 2003 AD and 2008, and I have also seen users that lose access to almost everything but the local machine.

I'd go with the worst-case scenario: they have access until you force them to log off.
 
I believe it depends on how your permissions are set up, doesn't it? If you remove all security group memberships they should not have access to network drives.

I have never tested this simply because by the time I get word to disable a user they have turned off their PC and escorted them out of the building, then they mail their desk contents to them lol
 
Doesn't matter if you remove them from the groups or not, it's if their credentials are still cached on that server. Until they have to reauthenticate, they'll still have access.
 
It would also depend on how many DCs there are, and how often they replicate.

Similar issues can occur if a user changes their password via ctrl-alt-del and doesn't log off and log back in with their new password; authentication can fail if the DC that the server communicates with has replicated from the DC that took the change.
 
Until they get a new token, they will still have access. Upon login you request your token. Supposedly if you lock your screen (Window + L), you'll be forced to regrab your token. So until they log off, or lock their screen...
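
The approach the replies above point to (disable the account, allow for DC replication, then force the logoff rather than wait for it), as an added example that is not code from any poster. It assumes the RSAT ActiveDirectory module, admin rights on the target hosts and English-locale `quser` output; `jdoe`, `WKSTN-01` and `FILESRV-01` are constructed placeholders.

```powershell
# Added example: disable an account, verify it on every DC, end live sessions.
# Assumptions: ActiveDirectory module installed, caller is admin on the hosts,
# quser output is in its English column layout. Names below are placeholders.
param(
    [string]$SamAccountName = 'jdoe',
    [string[]]$ComputerName = @('WKSTN-01', 'FILESRV-01')
)

Import-Module ActiveDirectory

# 1. Disable the account. This stops new logons; it does not end sessions
#    that already exist.
Disable-ADAccount -Identity $SamAccountName

# 2. Ask each domain controller directly, so a DC that has not yet received
#    the change through replication is visible instead of assumed.
foreach ($dc in Get-ADDomainController -Filter *) {
    $user = Get-ADUser -Identity $SamAccountName -Server $dc.HostName
    if ($user.Enabled) {
        Write-Warning "$($dc.HostName) still shows $SamAccountName as enabled"
    }
}

# 3. Find the user's sessions on each host and log them off.
foreach ($computer in $ComputerName) {
    # quser prints a header row, then one row per session; it writes to
    # stderr when nobody is logged on, which is discarded here.
    $rows = quser "/server:$computer" 2>$null | Select-Object -Skip 1
    foreach ($row in $rows) {
        # Strip the leading '>' marker and padding, then split the columns.
        $cols = ($row -replace '^[\s>]+', '') -split '\s+'
        if ($cols[0] -ne $SamAccountName) { continue }

        # Disconnected sessions have no SESSIONNAME column, so the numeric
        # session ID is either the second or the third field.
        $id = $cols[1..2] | Where-Object { $_ -match '^\d+$' } |
              Select-Object -First 1
        if ($id) {
            logoff $id "/server:$computer"
            Write-Output "Logged off $SamAccountName (session $id) on $computer"
        }
    }
}
```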
 