Group policy preferences using specific impersonating user account


  • Hi, I have an issue where I see my user getting logged in on many computers in our environment during login. Tracking it down I discovered following things:

    • My user gets logged in to a file server shortly after user login by process ID 4 (kernel)
    • It access some files with the system account (impersonated as my user login) which are copied with group policy preferences from the file server to the local computer
    • This only happens with computers with a new image (created with SCCM)
    • All group policies are created with my user, can't think of any other link to my account

    It's really a mystery to me why it's using my account as impersonation account to access these files. Does anyone has an insight on how this can be linked with group policy preferences?

    • Edited by DS_Kevin Monday, February 15, 2016 9:13 AM
    Monday, February 15, 2016 9:12 AM

All replies

  • I don't quite understand the scenario, how did you monitor this?

    Any service account configured/used in your environment? Check if you have configured this policy:

    "Impersonate a client after authentication"  in the Local Security Policy under Local Policies -> User Rights Assignment

    Tuesday, February 16, 2016 7:27 AM
  • We're doing a POC for new firewalls in our environment. These firewalls have a DC agent to track user logins. I noticed the same admin account showing up as login on many different ip's so I started investigating this. The results come from a combination of testing with event logs and procmon on the fileserver to track down which files it tries to open with impersonation.

    The policy you mention isn't in any GPO for the domain or domain controllers. In the local policies on these clients I guess it's default (local service, network service, administrators, service).

    Already scanned the registry a few times on these clients with the login name they impersonate, it's SID, it's SID in hexadecimal value,... but can't find anything.

    Tuesday, February 16, 2016 8:30 AM
  • Sounds odd. Does this only happen with a specific user account?

    Maybe check the GP result and see if anything relevant?

    Wednesday, February 17, 2016 9:16 AM
  • It's happening with every user on every machine deployed with the image. Image was not in domain before it was sysprepped although it might have been using the impersonation account to access a software share on a fileserver. gpresult shows nothing relevant.
    Wednesday, February 17, 2016 9:28 AM
  • So it definitely has something to do with the image you've used. You've mentioned above that scanned the registry a few times. I'm kinda out of idea on troubleshooting this.

    How many computers are affected by this? Possible to re-create these faulty ones?

    Thursday, February 18, 2016 8:13 AM
  • I can (and will) create new images but until I fully understand what's going on I can't prevent it from happening again.
    Thursday, February 18, 2016 2:03 PM
  • Understand. I will also search this further later tonight, will get back if there is anything new.

    Friday, February 19, 2016 8:41 AM