Disabling a computer in Active Directory is still allowing domain accounts to log in?


When you disable a computer in Active Directory, you're basically disabling the computer account. I suspect that the computer is passing authentication requests to a domain controller other than the one you disabled it on, and that information hasn't replicated yet.

It's also possible that you have some kind of larger replication problem in Active Directory itself, but it's hard to say based on the information in your post.

Edit: Ryan suggested disabling cached credentials. This is an option in group policy:

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Interactive logon: Number of previous logons to cache.


(You might have to reboot or gpupdate /force to get that to take effect.)
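Added example, not code from the answer or the thread: a PowerShell script that first checks the effective value of the cached-logon policy on a client, then performs the stale-computer cleanup the question describes and re-reads the disabled flag from every domain controller to rule out replication lag. The 90-day cutoff and the -WhatIf dry run are assumptions of this example.

```powershell
# Added example (not from the original answer). Part 1 runs on a domain-joined
# client; Part 2 runs from an admin host with the RSAT ActiveDirectory module.
# Assumptions: 90-day cutoff and -WhatIf dry run are choices, not page values.

# --- Part 1: verify the effective cached-logon setting on this client ---
# "Interactive logon: Number of previous logons to cache" is written by the
# GPO to this Winlogon value; 0 means no cached logons are kept.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) {
    Write-Warning "CachedLogonsCount not set; Windows default is 10 cached logons"
} elseif ([int]$cached -gt 0) {
    Write-Warning "CachedLogonsCount = $cached : domain users can still log on from cache after the computer account is disabled"
} else {
    Write-Output "CachedLogonsCount = 0 : logons require a reachable domain controller"
}

# --- Part 2: stale computer cleanup (needs RSAT ActiveDirectory module) ---
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-90)

# LastLogonDate is derived from lastLogonTimestamp, which is only refreshed
# when it is more than ~14 days old, so treat the cutoff as "no logon in at
# least 90 days", not an exact date. Computers that never logged on
# (LastLogonDate empty) are skipped here so they can be reviewed by hand.
$stale = Get-ADComputer -Filter { Enabled -eq $true } -Properties LastLogonDate |
    Where-Object { $_.LastLogonDate -and $_.LastLogonDate -lt $cutoff }

foreach ($computer in $stale) {
    Write-Output ("Disabling {0} (last logon {1})" -f $computer.Name, $computer.LastLogonDate)
    # Remove -WhatIf once the list has been reviewed.
    Disable-ADAccount -Identity $computer -WhatIf
}

# Confirm the Enabled flag on every DC so a client that authenticates against
# a different DC is not seeing a stale, still-enabled copy of the account.
foreach ($dc in (Get-ADDomainController -Filter *)) {
    foreach ($computer in $stale) {
        $state = Get-ADComputer -Identity $computer.DistinguishedName -Server $dc.HostName
        Write-Output ("{0}: {1} Enabled={2}" -f $dc.HostName, $computer.Name, $state.Enabled)
    }
}
```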

Updated on September 18, 2022

Comments

  • Admin
    Admin over 1 year

    If I disable a computer account in AD, am I not supposed to be unable to log in to the domain using this computer?

    I tested this: I have a computer joined to the domain (Windows 10). I disabled the computer account, rebooted the client machine and then attempted to log in to the computer with a domain user account, and it worked.

    My thinking is that I shouldn't be allowed to log in using the disabled computer even if I am logging in with valid user credentials, because the computer account is disabled.

    I can understand that if the computer was not on the network, it wouldn't be able to contact AD for updated information and as such I would still be able to log in as a domain user because of cached credentials, etc.

    I tried rebooting the computer, resetting the computer account, disabling/enabling it, etc. Somehow I am still able to log in to the domain using this computer!

    What I want is that if the computer account is disabled, NO ONE can log in to the domain using that computer.

    The idea is, I want to clean up our Active Directory computers by disabling those that have a LastLogin date older than 90 days, with some assurance that if I do this and those disabled computers were plugged back into the network, they cannot log in even if someone is trying to log in with valid domain user credentials, because the actual computer account is disabled.

    • Katherine Villyard
      Katherine Villyard over 8 years
      How long did you wait between disabling the computer and trying to log in?
    • Admin
      Admin over 8 years
      Initially I tried after a few minutes, then after 20 minutes again and no go.
    • Ryan Ries
      Ryan Ries over 8 years
      Disable cached credentials, reboot the computer and see if that changes the result.
    • Admin
      Admin over 8 years
      Hey Ryan, how do we disable cached credentials? Not sure what you mean.
    • Minkus
      Minkus about 4 years
      Hi, it's a Group Policy setting - see answer below or itprotoday.com/security/domain-credential-caching
  • Admin
    Admin over 8 years
    Our replication is healthy, we are a small shop with 3 DC servers (2 local and 1 remote), the disabled status shows on all 3. I suspect some kind of caching is in place but I am not sure how to verify.
  • Katherine Villyard
    Katherine Villyard over 8 years
    I think Ryan is right that it's cached credentials. I've updated the answer to reflect that.