Re: disable users while user is logged into the domain
- From: "Ace Fekay [Microsoft Certified Trainer]" <firstnamelastname@xxxxxxxxxxx>
- Date: Sat, 21 Feb 2009 22:37:16 -0500
In news:ff16fb661a2dc8cb625e96e7a6f4@xxxxxxxxxxxxxxxxxxxx,
Meinolf Weber [MVP-DS] <meiweb(nospam)@gmx.de> posted the following:
Hello Dhruv,
Do you have a link where "disabling" an account falls under urgent
replication?
Hi Meinolf,
Actually, it does get replicated immediately. Please check the following link for more information concerning urgent replication.
How the Active Directory Replication Model Works (Please click on 'Urgent Replication'):
http://technet.microsoft.com/en-us/library/cc772726.aspx#w2k3tr_repup_how_huzs
(The following was quoted from the link above):
Events That Trigger Urgent Replication
Urgent Active Directory replication is always triggered by certain events on all domain controllers within the same site. When you have enabled change notification between sites, these triggering events also replicate immediately between sites.
Between Windows Server 2003-based and Windows 2000-based domain controllers in the same site, immediate notification is caused by the following events:
- Assigning an account lockout, which a domain controller performs to prohibit a user from logging on after a certain number of failed attempts.
- Changing the account lockout policy.
- Changing the domain password policy.
- Changing a Local Security Authority (LSA) secret, which is a secure form in which private data is stored by the LSA (for example, the password for a trust relationship).
- Changing the password on a domain controller computer account.
- Changing the relative identifier (known as a "RID") master role owner, which is the single domain controller in a domain that assigns relative identifiers to all domain controllers in that domain.
Urgent Replication of Account Lockout Changes
Account lockout is a security feature that sets a limit on the number of failed authentication attempts that are allowed before the account is "locked out" from a further attempt to log on, in addition to a time limit for how long the lockout is in effect.
The PDC emulator receives urgent replication of account lockouts. In Active Directory domains, a single domain controller in each domain holds the role of PDC emulator, which simulates the behavior of a Windows NT version 3.x-based or Windows NT 4.0-based PDC. In Windows NT domains, the only domain controller that can accept updates is the PDC. If authentication fails at a BDC, the authentication request is passed immediately to the PDC, which is guaranteed to have the current password.
An account lockout is urgently replicated to the PDC emulator and is then urgently replicated to the following:
- Domain controllers in the same domain that are located in the same site as the PDC emulator.
- Domain controllers in the same domain that are located in the same site as the domain controller that handled the account lockout.
- Domain controllers in the same domain that are located in sites that have been configured to allow change notification between sites (and, therefore, urgent replication) with the site that contains the PDC emulator or with the site where the account lockout was handled. These sites include any site that is included in the same site link as the site that contains the PDC emulator or in the same site link as the site that contains the domain controller that handled the account lockout.
In addition, when authentication fails at a domain controller other than the PDC emulator, the authentication is retried at the PDC emulator. For this reason, the PDC emulator locks the account before the domain controller that handled the failed-password attempt if the bad-password-attempt threshold is reached.
I hope that helps.
Cheers!
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT
Microsoft Certified Trainer
aceman@xxxxxxxxxxxxxxxxxxxxxxx
For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
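The practical question behind this thread is whether a disabled account is seen by every domain controller right away. The following PowerShell is an added example, not part of any message in the thread and not Microsoft's own script: it disables an account on the PDC emulator, pushes that single object to every other domain controller with Sync-ADObject instead of waiting for the replication schedule, and then reads userAccountControl back from each DC to confirm the ACCOUNTDISABLE bit (0x2) is set. It assumes the RSAT ActiveDirectory module (Get-ADReplicationAttributeMetadata and Sync-ADObject need the Windows Server 2012-era module or later), rights to disable the account and to trigger replication, and uses the placeholder account name 'jdoe'.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Disable-UserEverywhere {
    param(
        [Parameter(Mandatory)][string]$SamAccountName
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties userAccountControl

    # Write the change on the PDC emulator; the article quoted above shows it as the
    # hub that urgent lockout replication flows through, so it is a sensible origin DC.
    $pdc = (Get-ADDomain).PDCEmulator
    Disable-ADAccount -Identity $user -Server $pdc

    # Replicate just this object from the PDC to every other DC in the domain,
    # rather than relying on change notification or the scheduled replication cycle.
    $otherDcs = Get-ADDomainController -Filter * | Where-Object { $_.HostName -ne $pdc }
    foreach ($dc in $otherDcs) {
        Sync-ADObject -Object $user.DistinguishedName -Source $pdc -Destination $dc.HostName
    }

    # Verify on each DC: userAccountControl bit 0x2 is ACCOUNTDISABLE. The attribute's
    # replication metadata Version should match across DCs once they all hold the change.
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        $uac = (Get-ADUser -Identity $user.DistinguishedName -Server $dc.HostName `
                    -Properties userAccountControl).userAccountControl
        $meta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName `
                    -Server $dc.HostName -Properties userAccountControl
        [pscustomobject]@{
            DC       = $dc.HostName
            Disabled = [bool]($uac -band 0x2)
            Version  = $meta.Version
            Changed  = $meta.LastOriginatingChangeTime
        }
    }
}

# Placeholder account; replace with the account you are disabling.
Disable-UserEverywhere -SamAccountName 'jdoe' | Format-Table -AutoSize
```

Any DC whose Disabled column is false, or whose Version lags the others, has not yet received the change and will keep authenticating the user until it does. Disabling the account stops new authentications only; sessions already established and Kerberos tickets already issued remain usable until they expire, so a user who is still logged on is not forced off by this alone.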
- Follow-Ups:
- Re: disable users while user is logged into the domain
- From: Meinolf Weber [MVP-DS]
- Re: disable users while user is logged into the domain
- References:
- Re: disable users while user is logged into the domain
- From: Dhruv raj
- Re: disable users while user is logged into the domain
- From: Meinolf Weber [MVP-DS]
- Re: disable users while user is logged into the domain