the difference is authentication mechanism. The access in w2k/w2k3 stops as
soon as the kerberos ticket(s) expire.

more info about kerberos & ntlm:
http://blogs.dirteam.com/blogs/jorge...-easy-way.aspx

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"jan.supol" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> Hello,
> in my windows 2000 AD domain, I have several user accounts. The problem
> is when the user is already logged on. After the user was successfully
> authorized, when password expires, or when I disable the user account,
> it behaves the same, the domain controller still authorizes the user for
> access to windows 2000 resources, drives and shares. On the other hand,
> the WinNT4 in the domain do not allow the user to access its resources,
> saying that the account was disabled or locked out.
>
> Is there a way to set the same for win2k resources? I was thinking it
> is the group policy settings, which NT4 ignores, but i could not find
> it.
>
> Thank you for help.
> Jan
>
>
> --
> jan.supol
> ------------------------------------------------------------------------
> jan.supol's Profile: http://forums.techarena.in/members/jan-supol.htm
> View this thread:
> http://forums.techarena.in/windows-2...ry/1026581.htm
>
> http://forums.techarena.in
>

Howdie!

jan.supol wrote:
> How do I set the DC to check the disabled account (or the password
> timeout) of the user, even though the TGT is valid, when asking for the
> session ticket?

You can't. Once the user has a valid TGT, the user can use it until it
expires and he/she therefore needs to acquire a new TGT from a DC. The
idea of "authentication" changed from NT4 to 200x-AD. Whereas in NT4
every access to resources involved a PDC/BDC request afaik, we have
kerberos to decrease the DC involvement here.

> Can I set the use of NTLM authenication for member servers in group
> policy?

Depending on how you access those resources, NTLM is used - if I recall
correctly, using the ip address instead of the server name was one of
the methods for forcing the system to use NTLM.

To achieve your goal -- what about decreasing the life time of a TGT and
therefore forcing the systems to more often acquire a new TGT?

cheers,

Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste