Category:   OS (Microsoft)  >   Windows User Management Vendors:   Microsoft
Microsoft Windows 2000 Automatic Log Off Policy Fails to Expire Sessions in Progress
SecurityTracker Alert ID:  1003816
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 13 2002
Impact:   Host/resource access via network
Exploit Included:  Yes  

Description:   A vulnerability was reported in the Microsoft Windows 2000 automatic log off policy. A valid and authenticated user may not be automatically logged off when a time-based log off policy specifies the log off to occur.

It is reported that the "Automatically log off users when logon time expires" feature does not work properly in some situations. If a time-based policy is configured to deny logon during a certain time period and a user is logged in prior to the time period, the user account will not be denied access during the time period.

The specific test method used is described in the Source Message.

Impact:   A valid and authenticated user may not be automatically logged off when a time-based log off policy specifies that user logons should be denied.
Solution:   No solution was available at the time of this entry.
Vendor URL:
Cause:   Access control error, Configuration error
Underlying OS:  Windows (2000)
Underlying OS Comments:  SP2

Message History:   None.

Source Message Contents

Subject:  "Automatically log off users when logon time expires" does not

While exploring the difference between "Automatically log off users when
logon time expires" and "Automatically log off users when logon time expires
(local)", my test results indicate this feature does not work at all on
Win2k sp2.  I have tried all combinations of these 2 policies on domain
controllers and member servers to no avail.  (If you are unfamiliar with the
difference between these 2 policies see the Group Policy reference in Win2k
Resource Kit and Q259576.)  My test method:  Enable both policies in Default
Domain Policy.  Make sure effective settings on DC and member server reflect
this.  Set Frank's AD account to be denied logon from 8AM-9AM on Monday.
Then set the DC and member server time to 7:57 AM and map a drive to the MS
and/or DC.  At 8:01 AM I can still access the shared folder(s).  If I delete
the connection and try to re-map I am refused.  So: new logons are rejected
as expected but existing connections are not dropped.  Has anyone observed
this feature working?

I make no warranties express or implied regarding the information in this
email or its attachments.  Use any suggestions, code or other information at
your own risk.
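The gap the message describes is a logon-time check that is never re-run against sessions already open. The Python below is an added illustration, not code from the reporter or from Microsoft: it models the per-hour allow bitmap and shows the difference between checking a new logon and sweeping existing sessions. It assumes (this is not stated on the page) that Active Directory's logonHours attribute is a 21-byte, 168-bit map with bit 0 of byte 0 covering Sunday 00:00-01:00 UTC and a set bit meaning "logon allowed"; the user names, share paths and session records are constructed, and the test times are treated as UTC for simplicity.

```python
"""Added example: logon-hours check for new logons versus a compensating
sweep of sessions that were opened before the denied window began.

Assumption (not from the advisory): logonHours is 21 bytes = 168 bits,
one bit per hour of the week, bit 0 of byte 0 = Sunday 00:00-01:00 UTC,
bits within a byte ordered least-significant first, set bit = allowed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

HOURS_PER_WEEK = 168
LOGON_HOURS_LEN = HOURS_PER_WEEK // 8  # 21 bytes


def build_logon_hours(denied):
    """Build a logonHours blob that allows every hour except the given
    (weekday, start_hour, end_hour) ranges; weekday 0 = Sunday, end exclusive."""
    bits = [1] * HOURS_PER_WEEK
    for weekday, start, end in denied:
        for hour in range(start, end):
            bits[weekday * 24 + hour] = 0
    blob = bytearray(LOGON_HOURS_LEN)
    for idx, allowed in enumerate(bits):
        if allowed:
            blob[idx // 8] |= 1 << (idx % 8)
    return bytes(blob)


def logon_allowed(logon_hours, when):
    """The check a DC makes at logon time: is the hour containing `when`
    permitted? Naive datetimes are taken as UTC."""
    if when.tzinfo is not None:
        when = when.astimezone(timezone.utc)
    ad_weekday = (when.weekday() + 1) % 7  # Python: Monday=0; AD week starts Sunday
    idx = ad_weekday * 24 + when.hour
    return bool((logon_hours[idx // 8] >> (idx % 8)) & 1)


@dataclass
class Session:
    user: str       # constructed account name
    started: datetime
    share: str      # constructed UNC path


def sessions_to_close(sessions, hours_by_user, now):
    """Compensating sweep a defender would schedule: re-apply the logon-hours
    check to sessions that are still open. A session mapped inside allowed
    hours and still open once the hour is denied is exactly the case the
    report found is not enforced automatically."""
    stale = []
    for sess in sessions:
        hours = hours_by_user.get(sess.user)
        if hours is None:
            continue  # no restriction recorded for this account
        if not logon_allowed(hours, now):
            stale.append(sess)
    return stale


def run_scenario():
    """Replays the reported test: deny Monday 08:00-09:00, map at 07:57,
    check at 08:01. Returns the three observations as plain values."""
    hours_by_user = {"frank": build_logon_hours([(1, 8, 9)])}  # Monday = 1
    monday = datetime(2002, 3, 11, tzinfo=timezone.utc)          # a Monday
    t_map = monday.replace(hour=7, minute=57)
    t_check = monday.replace(hour=8, minute=1)
    sessions = [
        Session("frank", t_map, r"\\MS\share"),      # constructed
        Session("alice", t_map, r"\\DC\netlogon"),   # constructed, unrestricted
    ]
    return {
        "map_at_0757_allowed": logon_allowed(hours_by_user["frank"], t_map),
        "new_map_at_0801_allowed": logon_allowed(hours_by_user["frank"], t_check),
        "sweep_would_close": [s.user for s in sessions_to_close(sessions, hours_by_user, t_check)],
    }


if __name__ == "__main__":
    print(run_scenario())
```

The first two results reproduce what the reporter saw (new logons are refused once the window starts), and the third is what the "automatically log off" policy was expected to do on its own; running `sessions_to_close` on a schedule and disconnecting what it returns is the compensating control when the policy does not enforce it.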

