Re: Expired Account
- From: "Don Wilwol" <donWilwol@(EMAIL)yahoo.com>
- Date: Sun, 28 Aug 2005 15:46:31 -0400
An account that is locked out may still be able to gain access to some
resources if the user has a valid Kerberos ticket to the resource. The
ability to access the resource ends when the Kerberos ticket expires.
However, neither a user who is locked out nor a computer account can renew
the ticket. Kerberos cannot grant a new ticket to the resource because the
account is locked out. The default is 10 hours.
To see yours, go to Start/Programs/Administrative Tools/Domain Controller
Security Policy. Open Security Settings, open Account Policies, and then
open Kerberos Policy. The Kerberos policy is set at the domain level and is
stored in the Active Directory.
--
Hope it helps
dw
_______________________________
Don Wilwol
donwilwol(DELETE)@yahoo.com
http://spaces.msn.com/members/wilwol/
"Ed Krimmer" <ed_krimmer@xxxxxxxxxxxxx> wrote in message
news:uO0aPTArFHA.2064@xxxxxxxxxxxxxxxxxxxxxxx
> Ok that all makes sense. Thank you. Plenty of time passed to allow for
> replication so that isn't the issue. Would you expect the user to be able
> to read Exchange mail in any way? As I stated they have a Blackberry that
> wasn't as yet unassigned from their mailbox (even though the account was
> expired).
>
> "Dmitry Korolyov [MVP]" <d__k@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:%23d$C$NArFHA.4044@xxxxxxxxxxxxxxxxxxxxxxx
>> When you disable a user account, it cannot be used for logging in
>> immediately.
>> When you set it to expire after a certain date, it cannot be used for
>> logging in after that date.
>> In both cases, the users attempting to log in will see appropriate
>> messages describing why they are unable to log in.
>>
>> If the user is currently logged in, however, and then you set their
>> account to Disabled, or their account expires, then depending on the
>> configuration and your network topology, DC placement and some other
>> factors, some time will pass before they actually will not be able to use
>> their account.
>>
>> --
>> Dmitry Korolyov [d__k@xxxxxxxxxxxxxxxxxxxxxx]
>> MVP: Windows Server - Directory Services
>>
>>
>> "Ed Krimmer" <ed_krimmer@xxxxxxxxxxxxx> wrote in message
>> news:%23XN2Lx$qFHA.2604@xxxxxxxxxxxxxxxxxxxxxxx
>>> Can anyone explain exactly what the difference is between an "Expired"
>>> AD account and a Disabled one? I realize "Disabled" is more severe but
>>> what happens when the account expires?
>>>
>>> I have a user that was leaving the company. I was asked to "remove" him
>>> at the end of Friday. I set his AD account to expire at the end of the
>>> day. I have evidence (a "Read receipt") that mail sent to the user's
>>> Exchange account was opened the following morning. The user has a
>>> Blackberry - could that account for it?
>>>
>>> Thanks for any thoughts,
>>> Ed
>>>
>>>
>>>
>>
>>
>
>
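An added example, not part of the original thread: it decodes the raw `userAccountControl`, `accountExpires` and `lockoutTime` attributes to tell the disabled, expired and locked-out states apart, and gives an upper bound on how long a ticket issued before expiry could remain usable. The 10-hour lifetime is the figure quoted in the post; the function names and sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

TICKET_LIFETIME = timedelta(hours=10)   # assumption: the default quoted in the post
UF_ACCOUNTDISABLE = 0x0002              # userAccountControl bit: account disabled
NEVER = (0, 0x7FFFFFFFFFFFFFFF)         # accountExpires values meaning "never"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    """Aware datetime -> FILETIME, using exact integer arithmetic."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def review(attrs, now):
    """Report why new tickets are refused and how long old ones may still work."""
    blocked = []
    if attrs["userAccountControl"] & UF_ACCOUNTDISABLE:
        blocked.append("disabled")
    expires = attrs["accountExpires"]
    if expires not in NEVER and filetime_to_dt(expires) <= now:
        blocked.append("expired")
    # Simplification: any non-zero lockoutTime counts as locked; the domain's
    # lockout duration is not modelled here.
    if attrs.get("lockoutTime", 0):
        blocked.append("locked out")
    # Upper bound for an expired account: a ticket issued just before the expiry
    # instant stays usable for one full ticket lifetime. The attributes do not
    # record when an account was disabled, so no bound is computed for that case.
    risk_until = None
    if "expired" in blocked:
        end = filetime_to_dt(expires) + TICKET_LIFETIME
        risk_until = end if end > now else None
    return {"blocked": blocked, "ticket_risk_until": risk_until}

# Constructed sample: normal account (0x200) set to expire Friday 21:00 UTC,
# reviewed five hours later.
SAMPLE = {"userAccountControl": 0x200,
          "accountExpires": dt_to_filetime(datetime(2005, 8, 26, 21, 0, tzinfo=timezone.utc)),
          "lockoutTime": 0}
SAMPLE_NOW = datetime(2005, 8, 27, 2, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(review(SAMPLE, SAMPLE_NOW))
```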