
PCs still function on domain with computer account disabled

Newsgroup: microsoft.public.windows.server.security
Original post: Phil McNeill, 06-14-2006
Posted by Steven L Umbach on June 16, 2006, 12:53 pm
I suppose it is possible that AD did not replicate that the computer account
was disabled to all domain controllers but I would think that problem would
make itself aware to you in a three month time period and the support tools
dcdiag and replmon could verify replication problems as would errors in the
logs of the domain controllers. You might find helpful information in the
logs of the client computer like type 11 cached logons and also searching
the security logs of the domain controllers for the computer names to see if
any computer account logon failures or other helpful information have been
recorded in that time period of course a lot depends on the size of the
security logs on your domain controllers as to how far back they have
information. You can use the free Event Comb from Microsoft to search the
security logs of the domain controllers and enter text strings in the
searches such as for the computer name though I would also search for the
computer name with $ after it which you often will see in the security logs
indicating that the account is a computer account. The other thing I would
verify is that someone else had not fixed the computer account issue after
you had disabled it and not assume it still was disabled when you deleted
the computer accounts. --- Steve




>
>> Possibly these were computer that were logging on with cached credentials
>> which could be users with laptops that had not been connected to the
>> domain for a couple of months. If these are computers that users logon to
>> the domain every day/week that would be curious but I would still check
>> the security logs on those computers to see if they show that the user
>> has been logged on with cached credentials for some reason though the
>> user would have very limited access in the domain unless he was
>> authenticating to servers using a local account on the server instead of
>> a domain account. --- Steve
>
> Hey Steve,
>
> For one of the now 5 cases this was definitely the case. We have roaming
> users that log in with cached credentials, and then establish a VPN
> connection to the company. It's possible there are a few more of them
> that are still going to be issues for us.
>
> The other 4 identified cases were all desktops with permanent connections
> to the LAN however. I'm going to do a little more digging and see what I
> can figure out.
>
> Thanks
>



Posted by Phil McNeill on June 16, 2006, 2:13 pm

>I suppose it is possible that AD did not replicate that the computer
>account was disabled to all domain controllers but I would think that
>problem would make itself aware to you in a three month time period and the
>support tools dcdiag and replmon could verify replication problems as would
>errors in the logs of the domain controllers. You might find helpful
>information in the logs of the client computer like type 11 cached logons
>and also searching the security logs of the domain controllers for the
>computer names to see if any computer account logon failures or other
>helpful information have been recorded in that time period of course a lot
>depends on the size of the security logs on your domain controllers as to
>how far back they have information. You can use the free Event Comb from
>Microsoft to search the security logs of the domain controllers and enter
>text strings in the searches such as for the computer name though I would
>also search for the computer name with $ after it which you often will see
>in the security logs indicating that the account is a computer account. The
>other thing I would verify is that someone else had not fixed the computer
>account issue after you had disabled it and not assume it still was
>disabled when you deleted the computer accounts. --- Steve

After further investigation, as per usual, this is turning out to be a user
problem (i.e. ME). Using ldp.exe I have looked at the properties of the 4
accounts we've had issues with, and they differ from the other 300+ accounts
I deleted in one way; they weren't disabled when I deleted them.

Account that didn't have a problem:

1> userAccountControl: 0x1002 = ( UF_ACCOUNTDISABLE |
UF_WORKSTATION_TRUST_ACCOUNT );

Account that did have a problem:

1> userAccountControl: 0x1000 = ( UF_WORKSTATION_TRUST_ACCOUNT );

I got the names of the 4 PCs in question from the Helpdesk agents and
noticed they were consecutive alphabetically, which seemed even less likely
than the rest of the scenario, so I got to wondering if perhaps as I
manually deleted a bunch around them I used my SHIFT key when I should have
been using my Ctrl key. That's my best guess. My bad (my "DOH!" of the
week), and that beats the hell out of the alternative that it was some kind
of bizarre AD issue.

Thanks for helping me out both Joe and Steve. Another mystery solved.
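The two ldp.exe lines above are the whole diagnosis: 0x1002 carries the UF_ACCOUNTDISABLE bit, 0x1000 does not. The following Python is an added example (not from the thread or from any Microsoft tool) that decodes userAccountControl values the way ldp.exe prints them and holds back any computer account that is not already disabled, which is the check that would have caught the four stray accounts before deletion; the flag table is the standard set of well-known userAccountControl bits, and the sample ldp.exe lines and hostnames are constructed.

```python
"""Decode userAccountControl from ldp.exe output and veto deleting accounts
that are not yet disabled. Added example; sample data is constructed."""
import re

# Well-known userAccountControl bit flags (subset; unknown bits are kept as hex).
UAC_FLAGS = {
    0x0002: "UF_ACCOUNTDISABLE",
    0x0010: "UF_LOCKOUT",
    0x0020: "UF_PASSWD_NOTREQD",
    0x0200: "UF_NORMAL_ACCOUNT",
    0x0800: "UF_INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "UF_WORKSTATION_TRUST_ACCOUNT",
    0x2000: "UF_SERVER_TRUST_ACCOUNT",
    0x10000: "UF_DONT_EXPIRE_PASSWD",
    0x80000: "UF_TRUSTED_FOR_DELEGATION",
}

# ldp.exe prints "1> userAccountControl: 0x1002 = ( ... );"; other exports
# print the plain decimal value, so accept both forms.
_UAC_RE = re.compile(r"userAccountControl:\s*(0x[0-9a-fA-F]+|\d+)")

def parse_uac(line):
    """Integer userAccountControl from an attribute line, or None if absent."""
    m = _UAC_RE.search(line)
    if not m:
        return None
    raw = m.group(1)
    return int(raw, 16) if raw.lower().startswith("0x") else int(raw, 10)

def decode_uac(value):
    """Expand a userAccountControl value into its flag names, lowest bit first."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)  # bits not covered by the table
    return names + ([hex(unknown)] if unknown else [])

def safe_to_delete(value):
    """A stale workstation account must already carry UF_ACCOUNTDISABLE;
    a bare 0x1000 (the problem case in the post) must be held for review."""
    return bool(value & 0x1000) and bool(value & 0x0002)

# Constructed ldp.exe-style output mirroring the two values quoted in the post.
SAMPLE_LDP_OUTPUT = [
    "1> sAMAccountName: WS-OLD01$",
    "1> userAccountControl: 0x1002 = ( UF_ACCOUNTDISABLE | UF_WORKSTATION_TRUST_ACCOUNT );",
    "1> sAMAccountName: WS-OLD02$",
    "1> userAccountControl: 0x1000 = ( UF_WORKSTATION_TRUST_ACCOUNT );",
]

def triage(lines):
    """Pair each sAMAccountName with its decoded flags and a delete/hold verdict."""
    results, name = [], None
    for line in lines:
        m = re.search(r"sAMAccountName:\s*(\S+)", line)
        if m:
            name = m.group(1)  # computer accounts end in '$', as in the DC security logs
            continue
        uac = parse_uac(line)
        if uac is not None:
            results.append((name, uac, decode_uac(uac), safe_to_delete(uac)))
    return results

if __name__ == "__main__":
    for name, uac, flags, ok in triage(SAMPLE_LDP_OUTPUT):
        print(f"{name:12} {uac:#06x} {' | '.join(flags):50} {'delete' if ok else 'HOLD'}")
```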



Posted by Steven L Umbach on June 16, 2006, 3:00 pm
Heh Heh. Glad you sorted it out and thanks for reporting back what you
found. Good thing you didn't delete a whole bunch of accounts though an
authoritative restore of AD for that container would have fixed the
problem. --- Steve


>
>>I suppose it is possible that AD did not replicate that the computer
>>account was disabled to all domain controllers but I would think that
>>problem would make itself aware to you in a three month time period and
>>the support tools dcdiag and replmon could verify replication problems as
>>would errors in the logs of the domain controllers. You might find helpful
>>information in the logs of the client computer like type 11 cached logons
>>and also searching the security logs of the domain controllers for the
>>computer names to see if any computer account logon failures or other
>>helpful information have been recorded in that time period of course a lot
>>depends on the size of the security logs on your domain controllers as to
>>how far back they have information. You can use the free Event Comb from
>>Microsoft to search the security logs of the domain controllers and enter
>>text strings in the searches such as for the computer name though I would
>>also search for the computer name with $ after it which you often will see
>>in the security logs indicating that the account is a computer account.
>>The other thing I would verify is that someone else had not fixed the
>>computer account issue after you had disabled it and not assume it still
>>was disabled when you deleted the computer accounts. --- Steve
>
> After further investigation, as per usual, this is turning out to be a
> user problem (i.e. ME). Using ldp.exe I have looked at the properties of
> the 4 accounts we've had issues with, and they differ from the other 300+
> accounts I deleted in one way; they weren't disabled when I deleted them.
>
> Account that didn't have a problem:
>
> 1> userAccountControl: 0x1002 = ( UF_ACCOUNTDISABLE |
> UF_WORKSTATION_TRUST_ACCOUNT );
>
> Account that did have a problem:
>
> 1> userAccountControl: 0x1000 = ( UF_WORKSTATION_TRUST_ACCOUNT );
>
> I got the names of the 4 PCs in question from the Helpdesk agents and
> noticed they were consecutive alphabetically, which seemed even less
> likely than the rest of the scenario, so I got to wondering if perhaps as
> I manually deleted a bunch around them I used my SHIFT key when I should
> have been using my Ctrl key. That's my best guess. My bad (my "DOH!" of
> the week), and that beats the hell out of the alternative that it was some
> kind of bizarre AD issue.
>
> Thanks for helping me out both Joe and Steve. Another mystery solved.
>



Posted by Phil McNeill on June 16, 2006, 3:18 pm

> Heh Heh. Glad you sorted it out and thanks for reporting back what you
> found. Good thing you didn't delete a whole bunch of accounts though an
> authoritative restore of AD for that container would have fixed the
> problem. --- Steve


Ya, I wasn't too excited about going down that road after reading the
article that described the process. Thought I was being fairly careful, but
obviously not as careful as I should have been. Anyway, learned a ton as I
usually do when I screw something up. Just don't want to learn too much too
fast. :)

Thanks again!

Phil


