
PCs still function on domain with computer account disabled

Posted by Phil McNeill on June 14, 2006, 3:51 pm
There is something I don't seem to understand correctly about the workings
of an Active Directory domain computer account. A few months back, I used a
free tool called OldCmp.exe to parse our AD and come back with a list of all
the computers that had not changed their network password for more than 6
months. I took the list, assuming the PCs on it no longer existed on our
network, and DISABLED all the PCs on it (roughly 300). I waited 3 months,
and nobody called to complain of any login issues, so I deleted all those
disabled accounts. That same night the Helpdesk gets a call from three of
our users indicating they are getting that "no trust relationship" error you
get when your computer account has been deleted.

So, my questions are:

1. How could a computer exist functioning fine on the domain for 9 months
without changing its computer account password?

More importantly:

2. How could a computer function on the domain for 3 months with a disabled
computer account? I tested disabling my own before doing the rest, and I
got the "Can't log you in...trust relationship with domain...blah blah blah"
error message. Why didn't these 3 users experience that with their PCs?

We are running a mixed mode W2K3 domain with 3 W2K3SP1 DCs and 2 NT 4.0 SP6a
DCs. All three affected clients are W2K Pro SP4.

Thanks for any insights. Really scratching my head on this one.

Phil
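
The audit-then-disable step described in this post, as an added example written for this page rather than code from the thread or from OldCmp. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 and later, so newer than the W2K3/NT4 environment above), a domain functional level of 2003 or later so that lastLogonTimestamp exists, and an elevated account that may modify computer objects; the 180-day cutoff and the $WhatIfOnly switch are the example's own choices. It deliberately differs from the procedure above in one respect: a computer is only called stale when pwdLastSet and lastLogonTimestamp are both old, because the machine password change is driven by the client, so a live machine can keep an old password, and it disables but never deletes.

```powershell
# Added example (not from the thread or from OldCmp): audit stale computer accounts and
# disable them, keeping enough state to undo it. Assumes the ActiveDirectory module (RSAT)
# and a domain functional level of 2003 or later, which is when lastLogonTimestamp appeared.
Import-Module ActiveDirectory

$StaleDays  = 180                       # the thread's "more than 6 months"
$Cutoff     = (Get-Date).AddDays(-$StaleDays)
$WhatIfOnly = $true                     # set to $false to really disable

# pwdLastSet and lastLogonTimestamp are FILETIME values (100 ns ticks since 1601-01-01).
# lastLogonTimestamp is replicated but only rewritten when more than ~14 days old, so read
# it as "this machine logged on at least this recently".
$inventory = Get-ADComputer -Filter { Enabled -eq $true } `
    -Properties pwdLastSet, lastLogonTimestamp, operatingSystem |
  ForEach-Object {
    $pwd   = if ($_.pwdLastSet)         { [DateTime]::FromFileTime($_.pwdLastSet) }         else { [DateTime]::MinValue }
    $logon = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { [DateTime]::MinValue }
    [PSCustomObject]@{
      Name        = $_.Name
      DN          = $_.DistinguishedName
      OS          = $_.operatingSystem
      PwdLastSet  = $pwd
      LastLogonTs = $logon
      # Stale only when BOTH signals are old. Machine password rotation is client-driven, so
      # a live machine can keep an old pwdLastSet; judging by pwdLastSet alone disables it.
      Stale       = ($pwd -lt $Cutoff) -and ($logon -lt $Cutoff)
      # Old password but a recent logon: alive and not rotating its password. Investigate.
      NoRotation  = ($pwd -lt $Cutoff) -and ($logon -ge $Cutoff)
    }
  }

"Alive but not rotating the machine password (do NOT disable):"
$inventory | Where-Object NoRotation | Format-Table Name, OS, PwdLastSet, LastLogonTs -AutoSize

$stale = @($inventory | Where-Object Stale)
"$($stale.Count) computers stale by both pwdLastSet and lastLogonTimestamp (cutoff $Cutoff)"

foreach ($c in $stale) {
  # Stamp the object so the disable can be dated and reversed without a rejoin.
  $stamp = "Disabled $(Get-Date -Format yyyy-MM-dd) by stale-computer audit"
  if ($WhatIfOnly) {
    "WHATIF: would disable $($c.Name) ($($c.DN)); description: $stamp"
  } else {
    Set-ADComputer    -Identity $c.DN -Description $stamp
    Disable-ADAccount -Identity $c.DN
  }
}
# Keep the disabled objects through the grace period. A "trust relationship" call in that
# window is then fixed with Enable-ADAccount; deletion is the step that turns it into a rejoin.
```

Run it first with $WhatIfOnly left at $true and read the NoRotation list: those are exactly the machines that a pwdLastSet-only audit would have disabled while they were still in daily use.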



Posted by Joe Richards [MVP] on June 14, 2006, 7:29 pm
1. Computers don't have to change their password. It is a suggestion
that they do so. The domain does not enforce it.

2. That is a good question. I would have to see one functioning in that
state and I never have and I have done a lot of experimentation around
it both in the lab and in production environments with hundreds of
thousands of PCs. I would be curious as to what the network trace would
look like. The only thing I could visualize is if someone dorked with
the kerberos ticket lifetimes and cranked it way up because the disabled
account wouldn't get impacted until the machine needed to reauthenticate
or renew its ticket which usually happens every 10 hours.

In the literally thousands of instances of disabling accounts that I
knew were live but people weren't following standards (we called it
Jailing machines), in every case the machines were not working properly
the following morning.

So if you can duplicate it, let me know, I would like to do the same.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm



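
The two points in Joe's reply (rotation of the machine password is up to the client, and a disabled account is only noticed when the machine next has to authenticate to a DC) checked from a domain-joined client, as an added example that is not from the thread. It assumes Windows 7 / Server 2008 R2 or later (Test-ComputerSecureChannel, the built-in klist), the ActiveDirectory module, and an elevated prompt to read the computer's own Kerberos tickets. The registry value names under the Netlogon Parameters key, the 30-day default rotation interval, the 10-hour default ticket lifetime and the Netlogon event IDs are Windows facts not stated on the page.

```powershell
# Added example (not from the thread): check, on a domain-joined client, why a machine can
# run for months without rotating its password and when a disabled account actually bites.
# Assumes Windows 7 / 2008 R2 or later, the ActiveDirectory module, and an elevated prompt.

$nl = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Netlogon on the CLIENT decides to rotate the machine password once it is older than
# MaximumPasswordAge (days, default 30). DisablePasswordChange=1 stops rotation entirely.
# The DC never forces a change, so a client configured this way keeps one password for ever.
$maxAge   = if ($null -ne $nl.MaximumPasswordAge)    { $nl.MaximumPasswordAge }         else { 30 }
$noRotate = if ($null -ne $nl.DisablePasswordChange) { [bool]$nl.DisablePasswordChange } else { $false }
"MaximumPasswordAge   : $maxAge days"
"DisablePasswordChange: $noRotate"

# Age of this machine's current password as AD records it (pwdLastSet on the computer object).
Import-Module ActiveDirectory
$me  = Get-ADComputer -Identity $env:COMPUTERNAME -Properties pwdLastSet, Enabled
$age = (Get-Date) - [DateTime]::FromFileTime($me.pwdLastSet)
"Machine password age : {0:N0} days (account enabled in AD: {1})" -f $age.TotalDays, $me.Enabled
if ($age.TotalDays -gt $maxAge -and -not $noRotate) {
  "NOTE: password older than MaximumPasswordAge although rotation is enabled: the machine"
  "      was offline, or its secure channel is failing (see the Netlogon events below)."
}

# The secure channel is what a disabled or deleted computer account breaks. It is only
# exercised when the machine needs a DC (boot, domain logon, ticket renewal), which is why
# Joe sees jailed machines fail at the next morning's logon rather than the instant of disabling.
"Secure channel OK    : $(Test-ComputerSecureChannel)"

# The computer's own Kerberos TGT, from the SYSTEM logon session (LUID 0x3e7). Default maximum
# lifetime is 10 hours; after that the machine must re-authenticate and a disabled account fails.
klist -li 0x3e7 tgt

# Netlogon's own record of secure-channel trouble: 5719 = could not set up a secure session,
# 3210 = this computer could not authenticate with the DC.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5719, 3210 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
  Select-Object TimeCreated, Id, Message | Format-List
```

A machine that reports a large password age, DisablePasswordChange set to $false and a healthy secure channel is simply one that has not been switched on for a while; one with a stale password and a failing secure channel is the case the thread is about.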

Posted by Phil McNeill on June 16, 2006, 9:30 am


Thanks much for the reply Joe, and thanks for OldCmp.exe. Great little
tool.

Not sure how I'd go about duplicating this (unless I go through the same
process again and this time verify the existence, or lack thereof, of the
machines after I disable them but before I delete them).

I had one more user call yesterday morning with the same issue (we force a
reboot every Wednesday night on all PCs as part of our patch rollout plan,
and this is the only user that called with the login problem today, so I'm
hoping that's the end of the issue). We got her to unplug her PC from the
network, log in with cached credentials, and then plug herself back into the
network as a short term workaround and will take care of getting her back on
the network early next week. I'm actually going to try the single computer
account restore detailed in http://support.microsoft.com/kb/840001/en-us to
see if I can make that work.

Any chance that a bad Ghosted image could cause this issue? Maybe a Sysprep
that didn't properly strip machine-specific info? Like you, the fact that
they weren't renewing their passwords wasn't so mystifying, but the fact
that they operated fine while disabled is just weird. Anyway, if I discover
anything else I'll let you know. Definitely weird.



Posted by Steven L Umbach on June 15, 2006, 11:45 pm
Possibly these were computers that were logging on with cached credentials, which could be users with laptops that had not been connected to the domain for a couple of months. If these are computers that users log on to the domain from every day/week, that would be curious, but I would still check the security logs on those computers to see if they show that the user has been logged on with cached credentials for some reason, though the user would have very limited access in the domain unless he was authenticating to servers using a local account on the server instead of a domain account. --- Steve


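
Steve's check, as an added example that is not from the thread: on a client, list the logons that used cached credentials (logon type 11, CachedInteractive) and the setting that permits them. It assumes Windows Vista / Server 2008 or later event IDs (4624) and an elevated prompt to read the Security log; on the W2K clients in the thread the equivalent record is event 528 with its "Logon Type" field. The CachedLogonsCount value under the Winlogon key and the logon-type numbers are Windows facts not stated on the page; the helper function name is the example's own.

```powershell
# Added example (not from the thread): on a client, find logons that never touched a DC.
# Assumes Vista / 2008 or later event IDs and an elevated prompt to read the Security log.

# How many domain logons Windows caches locally (REG_SZ, default "10"). With "0" the
# unplug-the-cable-and-log-on workaround used later in the thread would not work at all.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
"CachedLogonsCount: $($wl.CachedLogonsCount)"

# Reduce a 4624 event to the fields that matter. EventData is a list of named Data elements.
function ConvertFrom-LogonEvent {
  param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
  $x = [xml]$Event.ToXml()
  $d = @{}
  foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
  [PSCustomObject]@{
    Time      = $Event.TimeCreated
    User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
    LogonType = [int]$d.LogonType
    Package   = $d.AuthenticationPackageName
  }
}

# Logon type 11 = CachedInteractive: no DC was reachable, so the locally cached verifier was
# used. A disabled or deleted computer account is invisible to such a logon; the user only
# notices when something that needs the domain (a share, a domain-authenticated VPN) is used.
$cachedXPath = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='11']]"
$cached = Get-WinEvent -LogName Security -FilterXPath $cachedXPath -MaxEvents 50 -ErrorAction SilentlyContinue |
  ForEach-Object { ConvertFrom-LogonEvent $_ }

if ($cached) {
  "Cached-credential logons (most recent first):"
  $cached | Format-Table Time, User, Package -AutoSize
} else {
  "No cached-credential (type 11) logons found."
}

# For comparison, the last few interactive (2) and remote-interactive (10) logons. For a
# domain account these went through a DC, so the secure channel was working at that moment.
$liveXPath = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='2' or Data[@Name='LogonType']='10']]"
Get-WinEvent -LogName Security -FilterXPath $liveXPath -MaxEvents 5 -ErrorAction SilentlyContinue |
  ForEach-Object { ConvertFrom-LogonEvent $_ } |
  Format-Table Time, User, LogonType, Package -AutoSize
```

A desktop that is permanently on the LAN but shows nothing except type 11 logons for weeks is the odd case in this thread: it means the user was logging on fine while the machine never successfully reached a DC.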



Posted by Phil McNeill on June 16, 2006, 10:05 am


Hey Steve,

For one of the now 5 cases this was definitely the case. We have roaming
users that log in with cached credentials, and then establish a VPN
connection to the company. It's possible there are a few more of them that
are still going to be issues for us.

The other 4 identified cases were all desktops with permanent connections to
the LAN however. I'm going to do a little more digging and see what I can
figure out.

Thanks


