Computer Passwords

Posted by Mike on September 14, 2006, 9:32 am
We use Symantec Ghost to image machines. When I restore a computer image
whose account password has changed (since the image was taken) (i.e. the
image has an old computer account password) the domain lets the account log
on once. If they log off and attempt to log on again they are challenged
with "your computer account is disabled", etc.

How do I prevent them logging on even once? Shouldn't AD know if you're
attempting to log on using a machine whose computer account password is
incorrect? I.e. doesn't it defeat the whole purpose of having computer
accounts (since they can log on even if the computer account password is
incorrect)? I'm using a Win2K model. Computer account passwords are set to
the default of 30 day rotation. Security model is "Send LM & NTLM - Use NTLMv2
if negotiated".




Posted by karl levinson, mvp on September 14, 2006, 1:00 pm

> We use Symantec Ghost to image machines. When I restore a computer image
> whose account password has changed (since the image was taken) (i.e. the
> image has an old computer account password) the domain lets the account
> log on once. If they log off and attempt to log on again they are
> challenged with "your computer account is disabled", etc.
>
> How do I prevent them logging on even once? Shouldn't AD know if you're
> attempting to log on using a machine whose computer account password is
> incorrect? I.e. doesn't it defeat the whole purpose of having computer
> accounts (since they can log on even if the computer account password is
> incorrect)? I'm using a Win2K model. Computer account passwords are set to
> the default of 30 day rotation. Security model is "Send LM & NTLM - Use
> NTLMv2 if negotiated".

Try deleting the computer account entirely? Or disabling the account?

I think that machines can still log in without a domain account, to allow
for Windows 98 systems that do not use or get machine accounts, systems that
are using remote access, etc. Possibly switching the domain to "native
mode" might help?

Is this a significant problem? Don't you have to generally trust your PC
installers with local admin privileges and domain admin privileges if new
computer accounts are to be created via joining the workstation to the
domain? And don't you still need a valid user account to log into the
domain?

--
kind regards,
Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
--------------------------------
Microsoft Security FAQ:
http://securityadmin.info



Posted by Mike on September 14, 2006, 8:25 pm
These people aren't PC installers... They are generally marketing employees
who need a clean slate to test their software. They might do maybe 10
restores a day? I never know which PC they ghost, hence I can't delete the
account. I'm not worried about any malicious intent of these people.

It simply doesn't make sense that using imaging software you can defeat
the whole purpose of having a computer account password... haha


>
>> We use Symantec Ghost to image machines. When I restore a computer image
>> whose account password has changed (since the image was taken) (i.e. the
>> image has an old computer account password) the domain lets the account
>> log on once. If they log off and attempt to log on again they are
>> challenged with "your computer account is disabled", etc.
>>
>> How do I prevent them logging on even once? Shouldn't AD know if you're
>> attempting to log on using a machine whose computer account password is
>> incorrect? I.e. doesn't it defeat the whole purpose of having computer
>> accounts (since they can log on even if the computer account password is
>> incorrect)? I'm using a Win2K model. Computer account passwords are set to
>> the default of 30 day rotation. Security model is "Send LM & NTLM - Use
>> NTLMv2 if negotiated".
>
> Try deleting the computer account entirely? Or disabling the account?
>
> I think that machines can still log in without a domain account, to allow
> for Windows 98 systems that do not use or get machine accounts, systems
> that are using remote access, etc. Possibly switching the domain to
> "native mode" might help?
>
> Is this a significant problem? Don't you have to generally trust your PC
> installers with local admin privileges and domain admin privileges if new
> computer accounts are to be created via joining the workstation to the
> domain? And don't you still need a valid user account to log into the
> domain?
>
> --
> kind regards,
> Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
> --------------------------------
> Microsoft Security FAQ:
> http://securityadmin.info
>



Posted by karl levinson, mvp on September 14, 2006, 8:59 pm

> These people aren't PC installers... They are generally marketing
> employees who need a clean slate to test their software. They might do
> maybe 10 restores a day? I never know which PC they ghost, hence I can't
> delete the account. I'm not worried about any malicious intent of these
> people.
>
> It simply doesn't make sense that using imaging software you can defeat
> the whole purpose of having a computer account password... haha

Well, it sort of does, if you consider that domains have to allow for
non-Windows clients who don't understand the concept of a Windows machine
account... and if you consider that you can secure this, you'd just prefer
not to do so. Like any other software, Windows can be configured to be open
and insecure, depending.

I don't understand why you can't remove the machine account. Removing the
account means they would have to call a domain admin to join the domain.
But don't they already have to do that today anyways, after they reboot?

Do these people need their test machines to be on the production network?
It seems to me in an ideal world, test machines wouldn't be on the
production network but a test lab, or not in the domain.

I think there are some possible solutions.
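One concrete way to act on the suggestion to disable or delete the computer account, even when nobody knows which PC was re-imaged, is to let AD point at the affected accounts: a machine restored with an outdated computer-account secret can no longer authenticate its secure channel, so it stops rotating its password and its PasswordLastSet falls behind the 30-day rotation the original poster mentions. The script below is an added example, not code from this thread or from Microsoft. It assumes the ActiveDirectory PowerShell module (which needs a Windows Server 2008 R2 or newer domain controller, not the Win2K domain discussed here), an assumed OU path, and a 7-day grace period chosen for this example; it only reports by default and disables accounts only when -Disable is passed.

```powershell
# Added example (not from the thread): find enabled computer accounts whose
# password has not rotated within the expected window. An account that missed
# a rotation is either a machine that has been off for a long time or one that
# lost its secure channel (for instance after being restored from an image that
# carried an older computer-account secret). Review the list, then disable the
# accounts you have confirmed are stale so the next logon from such a machine
# is refused until it is rejoined.
param(
    [int]$MaxPasswordAgeDays = 30,   # default machine-account rotation interval
    [int]$GraceDays = 7,             # tolerance for machines that were simply off
    [string]$SearchBase = "OU=Workstations,DC=example,DC=com",  # assumed OU
    [switch]$Disable                 # opt-in: disable what is reported
)

Import-Module ActiveDirectory

# Anything whose password is older than rotation interval + grace is suspect.
$cutoff = (Get-Date).AddDays(-($MaxPasswordAgeDays + $GraceDays))

$stale = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
    -Properties PasswordLastSet, LastLogonDate, OperatingSystem |
    Where-Object { $_.PasswordLastSet -lt $cutoff }

foreach ($c in $stale) {
    # Emit one record per account so the output can be piped to Export-Csv.
    [pscustomobject]@{
        Name            = $c.Name
        PasswordLastSet = $c.PasswordLastSet
        LastLogonDate   = $c.LastLogonDate
        OperatingSystem = $c.OperatingSystem
    }

    if ($Disable) {
        # Disabling (rather than deleting) keeps the object and its group
        # memberships, so a rejoin by a domain admin restores the machine.
        Disable-ADAccount -Identity $c.DistinguishedName -Confirm:$false
        Write-Warning "Disabled $($c.Name); it must be rejoined before its next logon"
    }
}
```

Run it without -Disable first and compare LastLogonDate against PasswordLastSet: a machine that is logging on but not rotating is the re-imaged case, while one that has done neither for weeks is probably just switched off. Deleting the account instead of disabling it is the other option raised in the thread; the difference is only whether the object has to be recreated at rejoin time.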



Posted by karl levinson, mvp on September 15, 2006, 7:01 am


> I don't understand why you can't remove the machine account.

Oh, OK, I understand now.


