What is a disabled Windows account exactly?

While tinkering with Windows accounts (locally, not in a domain), I stumbled onto something I don't understand.

I created a local Windows session (let's call it Joe); this session has admin rights.

Then, with my real admin session (call it Bob), I created a scheduled task that executes 5 seconds after logon with the highest privileges using Joe's credentials. This task executes net user Joe /active:no

This results in a "one-time use" session that disables itself after logon and can only be re-enabled by Bob.

Now, if I log in to Joe's session, I still have admin rights. For example, I can start PowerShell as admin and it works. But why? How can the account still have the right to start something as admin if it is disabled? I'll even ask: why can it start anything at all?

Does the "disabled" state only take effect after all the sessions are closed?
Why would it not be able to start programs? Starting a process does not require a new login. In the most basic case, it simply inherits the access token of the parent process and that's it. The access token is self-contained.

Why can an admin process start? Because the user session with admin rights also already exists. With UAC, both the "regular" and the admin access token are created when the user logs in.

The disabled state only comes into play when signing in. IIRC this also applies to lock screens.

For most operations, the security authority (local account database or Active Directory or the like) is not consulted at all, because this would critically harm performance with domain-joined machines. The security-critical data structures reside in protected memory and cannot be altered, so the operating system can trust them.
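As an added example (not part of the question or the answer above), a PowerShell check that makes the answer's point observable: the first object reports what the current process token says about elevation next to the account's Enabled flag from the local account database, and the second part lists live logon sessions that belong to local accounts that are now disabled, since disabling only blocks new sign-ins. It assumes the built-in LocalAccounts and CIM cmdlets (Windows PowerShell 5.1 or later, run from the session you want to inspect).

```powershell
# Added example, not code from the original question or answer.
# Part 1: the running token versus the account record.
$id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($id)
$elevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

# The account record in the SAM; $null for domain or virtual accounts.
$account = Get-LocalUser -SID $id.User -ErrorAction SilentlyContinue
$enabled = if ($account) { $account.Enabled } else { 'n/a (not a local account)' }

[pscustomobject]@{
    TokenUser       = $id.Name
    TokenIsElevated = $elevated   # answered from the token alone, the SAM is not consulted
    AccountEnabled  = $enabled    # can be $false while TokenIsElevated is $true
}

# Part 2: logon sessions that still exist for disabled local accounts.
# Compare SIDs rather than names so a renamed account is still matched.
$disabledSids = Get-LocalUser | Where-Object { -not $_.Enabled } | ForEach-Object { $_.SID.Value }

# LogonType 2 = Interactive, 10 = RemoteInteractive (RDP), 11 = CachedInteractive
$sessions = Get-CimInstance Win32_LogonSession | Where-Object { $_.LogonType -in 2, 10, 11 }

foreach ($session in $sessions) {
    # Win32_LoggedOnUser associates each logon session with its Win32_Account
    $users = Get-CimAssociatedInstance -InputObject $session -Association Win32_LoggedOnUser
    foreach ($user in $users) {
        if ($disabledSids -contains $user.SID) {
            [pscustomobject]@{
                Finding   = 'Live logon session for a disabled local account'
                User      = "$($user.Domain)\$($user.Name)"
                LogonId   = $session.LogonId
                LogonType = $session.LogonType
                StartTime = $session.StartTime
            }
        }
    }
}
```

Run as Joe after the task has fired, part 1 reports TokenIsElevated $true alongside AccountEnabled $false; to actually end such a session rather than just report it, an administrator has to log the user off (for example with logoff and the session ID from quser), because the disabled flag alone does nothing to the existing token.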