Windows – Disabling computer in active directory is still allowing domain account to login

active-directorydomainwindowswindows 7

If I disable a computer account in AD, am I not supposed to be able to login to the domain using this computer?

I tested this, I have a computer joined to the domain (Windows 10), I disabled the computer account and I rebooted the client machine and then I attempted to login to the computer with a domain user account, it worked.

My thinking is, I shouldn't be allowed to login using the disabled computer even if I am logging in with valid user credentials because the computer account is disabled.

I can understand if the computer was not on the network, it wouldn't be able to contact the AD for updated information and as such I would still be able to login as a domain user because of cached credentials, etc.

I tried rebooting the computer, resetting the computer account, disabling/enabling it, etc.. somehow I am still able to login to the domain using this computer!!

What I want is if the computer account is disabled that NO ONE can login using that computer to the domain.

The idea is, I want to clean up our Active Directory computers by disabling those that have a LastLogin date older than 90 days.. with some assurance that if I do this and those disabled computers were plugged back into the network that they cannot login even if you are trying to login with valid domain user credentials because the actual computer account is disabled.

Best Answer

When you disable a computer in Active Directory, you're basically disabling the computer account. I suspect that the computer is passing authentication requests to a domain controller other than the one you disabled it on, and that information hasn't replicated yet.

It's also possible that you have some kind of larger replication problem in Active Directory itself, but it's hard to say based on the information in your post.

Edit: Ryan's suggestion to disable cached credentials. This is an option in group policy:

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Interactive logon: Number of previous logons to cache.

(You might have to reboot or gpupdate /force to get that to take effect.)

Related Solutions

Windows – Runas Domain Account Still Asks for Password

Do you have the "Automatic logon using current username and password" option enabled in IE?

Internet Options | Security Tab
Click Local Intranet Zone and then the Custom Level button
In Security Settings under Logon, make sure the option is selected

When is a domain computer account scheduled to change the password

It is possible to query the domain for this, the script below will tell you when a particular machine's domain password was last reset.

'Replace "yourdom.com" with your domain name.
DomainName = "yourdom.com"

querymachine = UCase(inputbox("Enter full machine name"))
lngBias = 2

'****************Setup Log file******************************************************

Set fso = CreateObject("Scripting.FileSystemObject")
'The 8 in this line will append to an existing file, replace with a 2 to override
set txtStream = fso.OpenTextFile("System.txt", 8, True)
txtStream.WriteLine "Ran on " & Date & " *******************************"

'****************Setup ADSI connection and populate ADSI Collection******************

Set objADOconnADSI = CreateObject("ADODB.Connection")
objADOconnADSI.Open "Provider=ADsDSOObject;"
Set objCommandADSI = CreateObject("ADODB.Command")
objCommandADSI.ActiveConnection = objADOconnADSI
'there is a 1000 object default if these next 2 lines are omited.
objCommandADSI.Properties("Size Limit")= 100000
objCommandADSI.Properties("Page Size")= 100000
objCommandADSI.Properties("Sort on") = "sAMAccountName"
objCommandADSI.CommandText = "<LDAP://" & DomainName & ">;(objectClass=computer);sAMAccountName,pwdLastSet,name,distinguishedname,operatingSystem;subtree"
Set objRSADSI = objCommandADSI.Execute

'Loop through record set and compare machine name*************************************

do while NOT objRSADSI.EOF
    if not isnull(objRSADSI.Fields("distinguishedname")) and objRSADSI.Fields("distinguishedname") <> "" then
    objDate = objRSADSI.Fields("PwdLastSet")
    'Go to function to make sense of the PwdLastSet value from AD for the machine account.
    dtmPwdLastSet = Integer8Date(objDate, lngBias)
    'calculate the current age of the password.
    DiffADate = DateDiff("d", dtmPwdLastSet, Now)

    'Is the machine the one we're looking for?
        if UCase(objRSADSI.Fields("name")) = querymachine then
        txtStream.WriteLine objRSADSI.Fields("name") & ";" & dtmPwdLastSet & ";" & DiffADate & ";" & objRSADSI.Fields("operatingSystem") 
        wscript.echo objRSADSI.Fields("name") & ", Last set: " & dtmPwdLastSet & ", Days since last change: " & DiffADate
        end if
    end if
objRSADSI.MoveNext
loop
wscript.echo "Done!"



Function Integer8Date(objDate, lngBias)
' Function to convert Integer8 (64-bit) value to a date, adjusted for
' local time zone bias.
Dim lngAdjust, lngDate, lngHigh, lngLow
lngAdjust = lngBias
lngHigh = objDate.HighPart
lngLow = objdate.LowPart
' Account for bug in IADslargeInteger property methods.
If lngLow < 0 Then
lngHigh = lngHigh + 1
End If
If (lngHigh = 0) And (lngLow = 0) Then
lngAdjust = 0
End If
lngDate = #1/1/1601# + (((lngHigh * (2 ^ 32)) _
+ lngLow) / 600000000 - lngAdjust) / 1440
Integer8Date = CDate(lngDate)
End Function

(I'd love to give credit for the above script but it's been handed around from person to person and modified in various ways, I have no idea where it originally came from)

Save this as something like MachinePasswordDate.vbs, doubleclicking the file in Windows should pop up a box you can put a machine name into, which should then query the domain and tell you when that machine's password was last changed.

If you're regularly restoring virtual machine snapshots it might be worth having a look at the security policies on those machines before you save off an image. You can change the machine password reset interval up to 999 days quite easily, assuming your domain GPOs won't override it, and your security policy allows this sort of thing:

Click Start, click Run, type Gpedit.msc, and then press ENTER.

Expand Local Computer Policy, Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then expand Security Options.

Configure the following settings:

Domain Member: Disable machine account password changes (Enabled)
Domain Member: Maximum machine account password age (999 days)
Domain Controller: Refuse machine account password changes (Enabled)

Best Answer

Related Solutions

Windows – Runas Domain Account Still Asks for Password

When is a domain computer account scheduled to change the password

Related Topic