Disable Windows Account For User Already Logged In

In AD, what's the behavior when a user account is disabled but still logged in? Will the user still be able to access domain resources, e.g., files, Outlook, etc., until the user is logged off?
bsohn417 Asked:
 
Lee Ingalls (Director of IT/TS, Quality and Finance) Commented:
I've found that in an MS Server 2008 R2 AD domain, when a user account has been disabled, the active login retains access to the resources until logged out. From the server you can close open files and disconnect or force logoff.

I just tested to verify... the Windows 7 client logged into domain\test1 retained access to shares and mapped drives. After the account had been disabled in AD, the user still logged in, but no AD/network resources were available.
 
YoursJitu Commented:
No, the system will not allow it to access.

Even when your account is locked out, if you try to access any of the shared drives or Outlook, or try to open an Active Directory Users and Computers window, you will get an error message. The system may allow you to log on due to the cached password, but online resources like Outlook or file shares will not work.
 
McKnife Commented:
If I am not completely mistaken, this is what the Kerberos ticket lifetime is about. He will have access until his ticket expires.
Ticket lifetime can be adjusted, but not after he got it.
 
McKnife Commented:
Oh, and even when his ticket expires, he will still be able to access resources he was on in this session. But he won't be able to connect to new resources.
Question has a verified solution.
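
The thread mentions closing open files and forcing a logoff from the server rather than waiting for the session to end. The following is an added example, not posted by any participant in the thread, of doing that in PowerShell right after disabling the account. It assumes the RSAT ActiveDirectory module, file servers running Server 2012 or later (SmbShare module), English `quser` output and remote RPC access to the workstation; the function name `Stop-DisabledUserAccess` and the names CONTOSO, FS01 and PC-0142 are placeholders.

```powershell
#Requires -Modules ActiveDirectory, SmbShare
# Added example. Function name, domain, server and workstation names are hypothetical.
function Stop-DisabledUserAccess {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $Domain,        # NetBIOS domain name
        [string[]] $FileServer  = @(),
        [string[]] $Workstation = @()
    )

    # 1. Disable the account in AD.
    Disable-ADAccount -Identity $SamAccountName

    # 2. On each file server, close the open files and SMB sessions the user
    #    already holds instead of waiting for them to end on their own.
    $smbUser = "$Domain\$SamAccountName"
    foreach ($server in $FileServer) {
        $cim = New-CimSession -ComputerName $server
        try {
            Get-SmbOpenFile -CimSession $cim |
                Where-Object ClientUserName -eq $smbUser |
                Close-SmbOpenFile -Force
            Get-SmbSession -CimSession $cim |
                Where-Object ClientUserName -eq $smbUser |
                Close-SmbSession -Force
        }
        finally { Remove-CimSession $cim }
    }

    # 3. Force logoff of the user's interactive sessions. quser leaves the
    #    SESSIONNAME column empty for disconnected sessions, so that column
    #    is optional in the pattern; the captured number is the session ID.
    $pattern = "^[\s>]*$([regex]::Escape($SamAccountName))\s+(?:\S+\s+)?(\d+)\s+(Active|Disc)"
    foreach ($computer in $Workstation) {
        quser /server:$computer 2>$null | Select-Object -Skip 1 | ForEach-Object {
            if ($_ -match $pattern) {
                logoff $Matches[1] /server:$computer
            }
        }
    }
}

# Example call using the test account named in the thread.
Stop-DisabledUserAccess -SamAccountName 'test1' -Domain 'CONTOSO' `
    -FileServer 'FS01' -Workstation 'PC-0142'
```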