Tim Stevens
08-06-2002, 09:54 AM
I have a need to keep disconnected Terminal sessions open for a long time; potentially weeks or months.
All users log in to the sessions using an Active Directory account. Their password needs changing every month.
It seems that Terminal server re-authenticates the disconnected user periodically; about once every 20 minutes! This means that once the password has been changed, an hour later it has failed authentication on the terminal server 3 times, and hence the account is locked. This prevents users accessing e-mail, their own workstations etc. But interestingly, it doesn't end the disconnected session!
***********
Is there a registry hack that stops w2k terminal server re-authenticating disconnected sessions? This would overcome the problem. Users still need to authenticate when they re-connect, and if their password has been changed the new one would be needed in any case.
************
I must admit, I think it is a design flaw in Terminal Server that it re-authenticates using a cached password. Using the SID would be better. If that has been locked, then end the session!