(Msg. 1) Posted: Mon Aug 25, 2008 9:17 pm
Post subject: account disabled & password expired problem Archived from groups: microsoft>public>win2000>active_directory
Hello,
in my Windows 2000 AD domain, I have several user accounts. The problem
is when the user is already logged on. After the user was successfully
authorized, when password expires, or when I disable the user account,
it behaves the same, the domain controller still authorizes the user for
access to Windows 2000 resources, drives and shares. On the other hand,
the WinNT4 in the domain do not allow the user to access its resources,
saying that the account was disabled or locked out.
Is there a way to set the same for win2k resources? I was thinking it
is the group policy settings, which NT4 ignores, but I could not find
it.
(Msg. 2) Posted: Mon Aug 25, 2008 9:17 pm
Post subject: Re: account disabled & password expired problem Archived from groups: per prev. post
The difference is the authentication mechanism. The access in w2k/w2k3 stops as
soon as the Kerberos ticket(s) expire.
BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
"jan.supol" <jan.supol.3epifc.TakeThisOut@DoNotSpam.com> wrote in message
news:jan.supol.3epifc@DoNotSpam.com...
>
> Hello,
> in my Windows 2000 AD domain, I have several user accounts. The problem
> is when the user is already logged on. After the user was successfully
> authorized, when password expires, or when I disable the user account,
> it behaves the same, the domain controller still authorizes the user for
> access to Windows 2000 resources, drives and shares. On the other hand,
> the WinNT4 in the domain do not allow the user to access its resources,
> saying that the account was disabled or locked out.
>
> Is there a way to set the same for win2k resources? I was thinking it
> is the group policy settings, which NT4 ignores, but I could not find
> it.
>
> Thank you for help.
> Jan
(Msg. 3) Posted: Tue Aug 26, 2008 2:39 pm
Post subject: Re: account disabled & password expired problem Archived from groups: per prev. post
Thank you for the reply. The TGT timeout was my first idea. However, I
am under the impression that when acquiring a new session ticket, which I
need for every new resource, I ask a DC with my TGT for the session
ticket. Thus, my question should be:
How do I set the DC to check the disabled account (or the password
timeout) of the user, even though the TGT is valid, when asking for the
session ticket?
Or
Can I set the use of NTLM authentication for member servers in group
policy?
(Msg. 4) Posted: Tue Aug 26, 2008 2:39 pm
Post subject: Re: account disabled & password expired problem Archived from groups: per prev. post
Howdie!
jan.supol wrote:
> How do I set the DC to check the disabled account (or the password
> timeout) of the user, even though the TGT is valid, when asking for the
> session ticket?
You can't. Once the user has a valid TGT, the user can use it until it
expires and he/she therefore needs to acquire a new TGT from a DC. The
idea of "authentication" changed from NT4 to 200x-AD. Whereas in NT4
every access to resources involved a PDC/BDC request afaik, we have
Kerberos to decrease the DC involvement here.
> Can I set the use of NTLM authentication for member servers in group
> policy?
Depending on how you access those resources, NTLM is used - if I recall
correctly, using the ip address instead of the server name was one of
the methods for forcing the system to use NTLM.
To achieve your goal -- what about decreasing the lifetime of a TGT and
therefore forcing the systems to more often acquire a new TGT?
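Added example, not part of the original thread: a toy model of the behaviour described in the reply above, in which account state is read only when a TGT is issued, so access continues until the TGT expires. It measures how long a disabled account can still reach a new share for a given TGT lifetime. The class and function names, the user `jdoe` and the service name `cifs/fileserver` are constructed for illustration.

```python
from dataclasses import dataclass

HOUR = 3600

@dataclass
class Ticket:
    user: str
    service: str   # "krbtgt" marks a TGT
    end: int       # expiry, in seconds since simulation start

class KDC:
    """Toy KDC (assumption of this model): account state is read only at TGT issue."""
    def __init__(self, tgt_life, svc_life):
        self.tgt_life, self.svc_life = tgt_life, svc_life
        self.disabled = set()

    def as_req(self, user, now):
        # AS exchange: the only step in this model that checks the account.
        if user in self.disabled:
            return None
        return Ticket(user, "krbtgt", now + self.tgt_life)

    def tgs_req(self, tgt, service, now):
        # TGS exchange: any unexpired TGT is honoured; the service ticket
        # never outlives the TGT it was derived from.
        if tgt is None or now >= tgt.end:
            return None
        return Ticket(tgt.user, service, min(now + self.svc_life, tgt.end))

def server_accepts(ticket, service, now):
    # AP exchange: the member server validates the ticket without asking a DC.
    return ticket is not None and ticket.service == service and now < ticket.end

def exposure_after_disable(tgt_life, svc_life, logon=0, disable_at=HOUR, step=60):
    """Seconds after the disable during which a new share is still reachable."""
    kdc = KDC(tgt_life, svc_life)
    tgt = kdc.as_req("jdoe", logon)        # logon happens before the disable
    kdc.disabled.add("jdoe")               # admin disables the account at disable_at
    last_ok = None
    for now in range(disable_at, logon + tgt_life + HOUR, step):
        if tgt is None or now >= tgt.end:
            tgt = kdc.as_req("jdoe", now)  # new TGT needed: refused by the KDC
        st = kdc.tgs_req(tgt, "cifs/fileserver", now)
        if server_accepts(st, "cifs/fileserver", now):
            last_ok = now
    return 0 if last_ok is None else last_ok + step - disable_at

if __name__ == "__main__":
    for life in (10 * HOUR, HOUR):
        window = exposure_after_disable(life, life, disable_at=HOUR // 2)
        print(f"TGT lifetime {life // HOUR} h -> access for {window // 60} min after disable")
```

In this model the window always equals the TGT's remaining lifetime at the moment of the disable, which is why shortening the TGT lifetime, as suggested in the reply, narrows it.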
(Msg. 5) Posted: Tue Aug 26, 2008 6:56 pm
Post subject: Re: account disabled & password expired problem Archived from groups: per prev. post
Thank you for the answer, which is, unfortunately, bad news. The thing
is to immediately disallow access for a user who became fired
instantly... and after migrating to AD domain, the thing is not so easy.