Solved

User account Disabled... Still logged in... Still have full access on the network...

Posted on 2008-10-13
5
585 Views
Last Modified: 2012-05-05
This morning I disabled a user.

I pass by his office later today... he's at his desk working like there was no problems.

I look at his account and it's really disabled... hmmmm...

Did a test... I asked a collegue to disable my account while I'm logged in... GUESS WHAT ?!?!?! I STILL HAVE FULL ACCESS EVERYWHERE ?!?!?!?! And I can even send emails without troubles... Is it normal... am I missing a point somewhere here ?!?! User still logged in... ok no problem... but still have full access on the network ???

What the hell is Microsoft thinking ?!?!  It's been 15 minutes now that my account has been disabled... and I still can browse the network...

It's not a question of Replication I did check on both of my DCs and my account IS disabled...

Help me here... I need to understand the logic behind that...
0
Comment
Question by:psytor
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 7

Accepted Solution

by:
johnny_the_knife earned 500 total points
ID: 22701232
I suspect the account will remain valid until the user logs off or his Kerberos token expires.
0
 

Author Comment

by:psytor
ID: 22701239
Where can you check the Kerberos token Expiration ?
0
 
LVL 16

Expert Comment

by:JoWickerman
ID: 22701328
Hi psytor,

The user will still be able to work if you don't disable the account on the DC that he's authenticating to.

If the user is still actively working and you disabled the account, then you can just right-click the user account as reset the password. This will force the user to logoff.


Hope this helps.

Cheers.
0
 

Author Comment

by:psytor
ID: 22701347
Hi JoWickerman,

Thanks for your quick reply.

The account was disabled on all DCs. (I confirmed)

And I was still able to access all the ressources... Network drive my email...

For sure once I logged off nothing was accessible... but I mean. This is totally ridiculous from Microsoft isn't it ?!?

Thanks for the hint with the password change tho
0
 
LVL 18

Expert Comment

by:sk_raja_raja
ID: 22703678
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question