>permissions. Therefore, it is possible to retain access to an object after the Creator/Owner or an administrator has changed
>the ACL simply by maintaining an open handle. If the requestor is a service or server-program that is expected to run 24/7
>the object will remain accessible long after the ACL has been altered [think ISAPI, extended stored procedures, et al].

I believe that in domain environments, where the "Enforce user logon restrictions" setting (under Kerberos Policy) is enabled by default, this kind of thing is mitigated by forcing a check against the "access computer from network" permissions each time a session key is requested. Is that different than you have found?

I know that a "deny access" works instantly, but you would then have to take an extra step there... This worked in my config, anyway.

Of course, if they were already granted a session key for the resource, then I think you are right. You would have to force a disconnect with logon time restrictions otherwise...

Then again, I wonder what would happen after the default lifetime for a user ticket expired (10 hours), and the access tokens were renewed? Hmmm.

Later man!

AD
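
The behaviour described in the quoted text, where access is checked when a handle is opened and not again on each use, shown as an added example that is not part of the original thread. It uses POSIX file modes as a stand-in for an NT ACL (an assumption, so it runs on any Unix-like host), and the helper names `open_descriptors_for` and `demo` are hypothetical.

```python
import os
import tempfile
from collections import namedtuple

Result = namedtuple("Result", "read_via_old_handle fresh_open_denied holders is_root")

def open_descriptors_for(path):
    """Defender's check: descriptors in this process still bound to path.
    Returns None where there is no Linux-style /proc to inspect."""
    fd_dir = "/proc/self/fd"
    if not os.path.isdir(fd_dir):
        return None
    target = os.path.realpath(path)
    found = []
    for name in os.listdir(fd_dir):
        try:
            if os.path.realpath(os.path.join(fd_dir, name)) == target:
                found.append(int(name))
        except OSError:
            continue  # descriptor went away while scanning
    return found

def demo():
    tmp_fd, path = tempfile.mkstemp()
    os.write(tmp_fd, b"constructed sample secret\n")  # constructed sample data
    os.close(tmp_fd)
    handle = os.open(path, os.O_RDONLY)   # permission check happens here, once
    try:
        os.chmod(path, 0o000)             # permissions revoked after the open
        try:
            os.close(os.open(path, os.O_RDONLY))
            denied = False                # only expected when running as root
        except PermissionError:
            denied = True                 # a fresh open is re-checked and refused
        data = os.read(handle, 64)        # existing handle: no new check is made
        holders = open_descriptors_for(path)
    finally:
        os.close(handle)                  # closing the handle is what ends access
        os.chmod(path, 0o600)
        os.remove(path)
    return Result(data, denied, holders, os.geteuid() == 0)

if __name__ == "__main__":
    print(demo())
```

After tightening permissions on an object, enumerating the handles still open on it, as `open_descriptors_for` does for the current process, shows which holders keep their earlier access until they close or are restarted.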
This archive was generated by hypermail 2b30 : Thu Aug 30 2001 - 08:27:06 PDT