Re: disable users while user is logged into the domain

Hello Ace Fekay [Microsoft Certified Trainer],

That article i read more and more before, but it does not state anything about "disabling" an account. It is about account "lockout". Or should i see that the same? But then the question raise for me why does in AD UC user properties shows that total different?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!

In news:ff16fb661a2dc8cb625e96e7a6f4@xxxxxxxxxxxxxxxxxxxx, Meinolf
Weber [MVP-DS] <meiweb(nospam)>, posted the following:

Hello Dhruv,

Do you have a link where "disabling" an account falls under urgent

Hi Meinolf,

Actually, it does get replicated immediately. Please check the
following link for more information concerning urgent replication.

How the Active Directory Replication Model Works (Please click on
'Urgent Replication'):

(The following was quoted from the link above):
Events That Trigger Urgent Replication
Urgent Active Directory replication is always triggered by certain
events on
all domain controllers within the same site. When you have enabled
notification between sites, these triggering events also replicate
immediately between sites.
Between Windows Server 2003-based and Windows 2000-based domain
in the same site, immediate notification is caused by the following
Assigning an account lockout, which a domain controller performs to
a user from logging on after a certain number of failed attempts.
Changing the account lockout policy.
Changing the domain password policy.
Changing a Local Security Authority (LSA) secret, which is a secure
form in
which private data is stored by the LSA (for example, the password for
trust relationship).
Changing the password on a domain controller computer account.
Changing the relative identifier (known as a "RID") master role owner,
is the single domain controller in a domain that assigns relative
identifiers to all domain controllers in that domain
Urgent Replication of Account Lockout Changes
Account lockout is a security feature that sets a limit on the number
failed authentication attempts that are allowed before the account is
"locked out" from a further attempt to log on, in addition to a time
for how long the lockout is in effect.
The PDC emulator receives urgent replication of account lockouts. In
Active Directory domains, a single domain controller in each domain
holds the role of PDC emulator, which simulates the behavior of a
Windows NT version 3.x-based or Windows NT 4.0-based PDC. In Windows
NT domains, the only domain controller that can accept updates is the
PDC. If authentication fails at a BDC, the authentication request is
passed immediately to the PDC, which is guaranteed to have the current

An account lockout is urgently replicated to the PDC emulator and is
urgently replicated to the following:
Domain controllers in the same domain that are located in the same
site as
the PDC emulator.
Domain controllers in the same domain that are located in the same
site as
the domain controller that handled the account lockout.
Domain controllers in the same domain that are located in sites that
been configured to allow change notification between sites (and,
urgent replication) with the site that contains the PDC emulator or
with the
site where the account lockout was handled. These sites include any
that is included in the same site link as the site that contains the
emulator or in the same site link as the site that contains the domain
controller that handled the account lockout.
In addition, when authentication fails at a domain controller other
than the
PDC emulator, the authentication is retried at the PDC emulator. For
reason, the PDC emulator locks the account before the domain
controller that
handled the failed-password attempt if the bad-password-attempt
threshold is
I hope that helps.


This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT Microsoft Certified
Trainer aceman@xxxxxxxxxxxxxxxxxxxxxxx

For urgent issues, you may want to contact Microsoft PSS directly.
Please check for regional support phone