Confirming that access is denied after expiration

After a zone-based role assignment expires, the role assignment is no longer valid on the computer where the role was assigned, and the requester can no longer use that role on that computer.

By default, expired zone-based role assignments are removed from Active Directory every six hours, so the expired role assignment might still be listed for up to six hours after it has expired, even though it cannot be used after expiration.

Use the Resources > Domains > Advanced page as described in Setting domain-specific advanced options to view and change the interval at which expired role assignments are removed from Active Directory.