Re: Disable an ADAM account, but it is still can logon

From: Dmitri Gavrilov [MSFT] (dmitrig_at_online.microsoft.com)
Date: 01/13/05


Date: Thu, 13 Jan 2005 00:34:06 -0700

One observation: ADSI caches connections based on creds. An authenticated
connection will be authenticated forever, until it is disconnected. If you
release all of your ADSI objects, then it also closes the connection, and
will reopen it the next time it needs to do an ldap query.

-- 
Dmitri Gavrilov
SDE, Active Directory Core
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"Lee Flight" <lef@le.ac.uk-nospam> wrote in message
news:eDUT#GP#EHA.2600@TK2MSFTNGP09.phx.gbl...
> Hi
> inline below...
>
> "Microsoft" <yujun168@hotmail.com> wrote in message
> news:ObhWMlL%23EHA.3368@TK2MSFTNGP10.phx.gbl...
> >I am working in ADAM application, currently we find some strange things
> >when we try to disable an ADAM account, after we disable an ADAM account,
> >and we find it is still active. We must restart our program, this account
> >will be disabled, and can't logon using this account. We try to refresh
> >cache, it is useless.
>
> If I understand that, you are saying that if an ADAM user has successfully
> authenticated to the ADAM instance then their access continues even if you
> disable (set msDS-UserAccountDisabled TRUE) during that session. If
> they disconnect then subsequent attempts to reconnect fail?
>
> I think that is expected behavior as the access token for the user will be
> generated when the user binds and their account status is only checked at
> that point. So if the user binds OK on a given session their access persists
> for that session.
>
> > The other issue, we can't change an ADAM account's password when logon
> > using an ADAM account. The error message is: "directory property not found
> > in cache". But we can change an ADAM account's password using Domain
> > Account.
>
> How are you attempting the password operation? Please say which tool or post
> your code.
>
> Thanks
> Lee Flight
>
>
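
Added example, not part of the original posts and not ADSI or ADAM code: a simplified Python model of the behaviour discussed in this thread, where account status is checked only at bind and one connection is cached per credential set until every object using it is released. All class and function names, the sample DN and the password are constructed for illustration.

```python
# Constructed model; every name is hypothetical, not an ADSI or ADAM API.
class Directory:
    """Stand-in for an ADAM instance: DN -> {"password", "disabled"}."""
    def __init__(self, accounts):
        self.accounts = accounts

    def disable(self, dn):
        self.accounts[dn]["disabled"] = True   # msDS-UserAccountDisabled = TRUE

    def bind(self, dn, password):
        acct = self.accounts.get(dn)
        if acct is None or acct["password"] != password or acct["disabled"]:
            raise PermissionError(dn)
        return {"dn": dn}                      # access token, built once at bind

class ConnectionCache:
    """Connections keyed on credentials, closed when the last object is released."""
    def __init__(self, directory):
        self.directory = directory
        self.conns = {}                        # (dn, password) -> [token, refcount]

    def open(self, dn, password):
        key = (dn, password)
        if key not in self.conns:              # bind only if nothing is cached
            self.conns[key] = [self.directory.bind(dn, password), 0]
        self.conns[key][1] += 1
        return key

    def query(self, handle):
        return self.conns[handle][0]["dn"]     # uses the token, no status re-check

    def release(self, handle):
        self.conns[handle][1] -= 1
        if self.conns[handle][1] == 0:         # last reference gone: disconnect
            del self.conns[handle]

def demo(dn="CN=alice,O=example", pw="constructed-password"):
    directory = Directory({dn: {"password": pw, "disabled": False}})
    cache = ConnectionCache(directory)
    first = cache.open(dn, pw)
    directory.disable(dn)
    second = cache.open(dn, pw)                # reuses the authenticated connection
    works_while_cached = cache.query(second) == dn
    cache.release(first)
    cache.release(second)
    try:
        cache.open(dn, pw)                     # forces a fresh bind
        return works_while_cached, True
    except PermissionError:
        return works_while_cached, False
```

In this model the disabled account keeps working for as long as any handle holds the cached connection, and is rejected only once every handle has been released and a new bind is attempted.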

