Domain Admin account entered at elevated privilege prompt authenticates with expired password.

  • Question

  • A user brought an issue to my attention and I was hoping to get some clarification on it.

    On our Server 2008 R2 domain, a user with a domain admin account with an expired password is able to pass authentication while running elevated commands on remote servers.

    He logs onto the remote server first with a separate service account. Then, while logged on with the service account, attempts to run a service as an administrator.  He enters his domain admin account **which has an expired password** and passes authentication.

    Does anyone have an explanation as to why this is possible?  Is this a normal function on windows servers?

    I would expect a user with an expired password would need to change their password before being able to pass authentication at a UAC prompt.

    Thanks!

    Thursday, August 27, 2015 2:46 PM

Answers

  • Hi,

    I didn't find any official document about this. But I tested in my lab and got the same result as you.

    Logon and the runas command will not work. But UAC still accepts the credential.

    Best Regards.


    Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    • Proposed as answer by Steven_Lee0510 Thursday, September 10, 2015 3:18 AM
    • Marked as answer by Steven_Lee0510 Thursday, September 10, 2015 9:39 AM
    Tuesday, September 1, 2015 5:34 AM

All replies

  • I will see if I can replicate this in a lab, however it seems that the old credentials have been cached on the server. Try running the following command and having a look at what has been stored: 

    rundll32.exe keymgr.dll,KRShowKeyMgr

    Also, if you disable that account, do you have the same result?

    Good luck!

    Sunday, September 6, 2015 11:33 AM
  • Hi,

    >> however it seems that the old credentials have been cached on the server.

    When I tested it in my lab, I rebooted the client to clear the cache, but still got the same result.

    >>Also, if you disable that account, do you have the same result?

    No, if I disable the account, the authentication will fail.

    Best Regards.


    Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Thursday, September 10, 2015 3:18 AM
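The thread establishes two facts an administrator can act on: a Domain Admin account with an expired password is still accepted at a UAC elevation prompt, while a disabled account is not. The PowerShell below is an added example (not posted by anyone in this thread) that finds members of a privileged group whose password has expired, so those accounts can be forced through a reset or disabled until the owner resets them. It assumes the RSAT ActiveDirectory module is installed, the caller has read access to the domain, and the group is the default "Domain Admins"; the remediation cmdlets are left commented so the script reports only.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory module and domain read access.
Import-Module ActiveDirectory

$group = 'Domain Admins'   # assumption: default built-in group name; change for other privileged groups

# Resolve nested membership and keep only user objects
$members = Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName -Properties PasswordExpired, PasswordLastSet,
        PasswordNeverExpires, Enabled, LastLogonDate, 'msDS-UserPasswordExpiryTimeComputed'

    # msDS-UserPasswordExpiryTimeComputed is a FILETIME; Int64.MaxValue means "never expires"
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    $expiry = if ($raw -gt 0 -and $raw -lt [Int64]::MaxValue) { [DateTime]::FromFileTime($raw) } else { $null }

    [PSCustomObject]@{
        SamAccountName       = $u.SamAccountName
        Enabled              = $u.Enabled
        PasswordExpired      = $u.PasswordExpired
        PasswordNeverExpires = $u.PasswordNeverExpires
        PasswordLastSet      = $u.PasswordLastSet
        PasswordExpires      = $expiry
        LastLogonDate        = $u.LastLogonDate
    }
}

$report | Sort-Object PasswordExpired -Descending | Format-Table -AutoSize

# Enabled accounts with an expired password are the case described in the thread:
# they fail interactive logon and runas, but still pass a UAC elevation prompt.
$atRisk = $report | Where-Object { $_.Enabled -and $_.PasswordExpired }
foreach ($a in $atRisk) {
    Write-Warning ("{0}: enabled with expired password (last set {1})" -f $a.SamAccountName, $a.PasswordLastSet)

    # Option 1: require a new password at next logon, keeping the account usable after the reset
    # Set-ADUser -Identity $a.SamAccountName -ChangePasswordAtLogon $true

    # Option 2: disable until the owner resets; the thread confirms a disabled account fails the UAC prompt
    # Disable-ADAccount -Identity $a.SamAccountName
}
```

Run it from a domain-joined workstation with the ActiveDirectory module; the warning lines identify the accounts that need attention, and uncommenting one of the two options turns the report into a remediation. Scheduling the report gives you an ongoing check rather than relying on a user to notice that an expired credential was accepted.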