Windows 7 loses domain, some programs and one of the local admin accounts

  • Question

  • Hello. In one of the labs I run with dual-boot Linux and Windows 7, I've been experiencing this issue with 2 PCs. Today I noticed one more had this issue. They were connected to my Windows domain but today, when trying to log in, there is no domain connection possibility anymore and one of the local administrators is gone too. The local Administrator password is unknown, but after resetting it from a Linux boot disk I'm able to log in, but some of the programs have vanished while others still run.

    The BIOS is boot protected, so I don't think any user could boot a CD/USB to mess with the PC.
    One thing I was thinking was whether someone got root privileges in Linux and mounted the Windows partition and messed with it. But even if someone got the root password, how come the administrator and student local accounts still exist?

    Windows restore points are disabled, so I think that even if the machines were not shut down properly, they would not roll back to some inconsistent state.

    Has anyone experienced something like this?
    Is this some kind of hacking?
    Thanks and best regards.
    Dave
    Friday, October 21, 2016 9:07 AM

All replies

  • Hi Dave_carvalho,

    According  to your description, the BIOS is boot protected. If so, an attacker is forced to enter a password before the BIOS launches the boot loader.

    I suppose that it is still related to damaged system files.

    Anyway, glad to hear that you could use the boot disk to log on again. It's a good choice to back up the data.


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, October 26, 2016 8:53 AM
    Moderator
  • Thanks for the reply.

    I couldn't spend much time fixing this, so I just dumped an image to it. You talk about damaged system files... maybe next time I can try "sfc /scannow" to see if this fixes anything. Many of these lab computers are shut down incorrectly, but I wonder whether this could cause the disappearing of an account and some deleted files.

    If anyone has some idea, please let me know.

    Regards

    Dave

    Wednesday, October 26, 2016 3:15 PM
  • I just found out and tested a well-known way to hack into Windows 7 without the need of any boot disk.

    I wouldn't like to go into much detail, but it is very well known and involves access to a terminal when logging in.

    So now I can understand why some programs might be missing (files erased). My only doubt is how the computer gets disjoined from the Windows network, as for this a network admin password is necessary.

    Why isn't this fixed yet?? From what I've been reading this has been used since, at least, 2012?!

    Thanks and regards.

    Dave

    Tuesday, November 8, 2016 3:53 PM
  • Why did you create local user accounts? I'm afraid that's not the best practice. Even though you lose connection to the AD you can still log in with a domain user account. You have to disable the local administrator account, log in at least once with a domain admin account on your workstations and use it for administrative purposes.

    By the way, someone can remove your HDD and put it in another workstation as a slave. It's no big deal to steal information or delete accounts.

    Tuesday, November 8, 2016 5:35 PM
  • Thanks for the reply, but that's not so simple. When my AD is off users can't log in because my domain is only used as a trust domain, so users can't log in to another institutional domain.

    Nevertheless, a local account login is way faster, which is intended most of the time for simple lab use.

    Stealing information might not be a big deal in this case, as these are computer labs, but messing with their configuration by removing stuff is. I'll try to disable the "Ease of Access", because for now I can't see any other way for someone to hack these PCs.

    Thanks and regards.

    Wednesday, November 9, 2016 9:33 AM
  • Hi Dave

    It does not matter whether the workstation has a connection to the AD server. If you log in as a domain user or domain admin once when you have a connection to the AD server, a domain user profile will be created on the workstation. If you lose the connection to the AD server, Windows will load this profile whether or not your workstation is connected to the AD server. Creating a local user account is a security breach.

    Restricting boot to HDD only in the BIOS is a good thing, so I don't think that you have to worry about 'Ease of Access', 'sticky keys' or other.

    I think that the problem is the local user accounts.

    Wednesday, November 9, 2016 12:56 PM
  • Hello and thanks for the reply.

    Unfortunately that scenario won't work for me, as I have hundreds of students (many from the upper domain) that will use a random PC, so it is more probable they will use a different PC every time. At this point the use of a local account is not the problem. I found out that the "Ease of Access" presents a huge security risk (one can get a cmd prompt with elevated permissions, tested it myself). The way I disabled this was to rename the Utilman.exe file. I'll have to disable sticky keys also...

    I guess I have a solution if this method was the one used to hack the PCs, if they were hacked at all, because the symptoms of some file removal and being disjoined from the domain are very strange.

    Thanks anyway.

    Regards


    Wednesday, November 9, 2016 2:07 PM
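Added example, not code from this thread or from any of the posters. Renaming Utilman.exe removes one entry point, but the same trick works through sethc.exe (sticky keys) and the other accessibility tools, and it can also be done without touching any file by adding an Image File Execution Options "Debugger" value for the tool. The script below audits all of those on a lab PC. The script name `Check-Accessibility.ps1` and the baseline CSV path are assumptions; it needs PowerShell 4.0 or later for `Get-FileHash` (Windows 7 with WMF 4.0+) and an elevated prompt.

```powershell
# Added example, not code from the thread. Audits the accessibility binaries that the
# "Ease of Access" / sticky-keys trick abuses. Run from an elevated PowerShell prompt.
# Usage (script name is an assumption):
#   .\Check-Accessibility.ps1 -SaveBaseline C:\baseline.csv   # on a freshly cloned, known-good PC
#   .\Check-Accessibility.ps1 -Baseline C:\baseline.csv       # on a suspect lab PC
param(
    [string]$SaveBaseline,   # write SHA-256 hashes of the binaries to this CSV
    [string]$Baseline        # compare against a CSV written earlier on a clean machine
)

$sys32 = Join-Path $env:SystemRoot 'System32'
$ifeo  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Binaries that can be launched from the logon screen (Win+U, Shift x5, etc.).
$names = 'Utilman.exe','sethc.exe','osk.exe','Narrator.exe','Magnify.exe','DisplaySwitch.exe','AtBroker.exe'

function Get-Sha256([string]$Path) { (Get-FileHash -Path $Path -Algorithm SHA256).Hash }

if ($SaveBaseline) {
    $names | ForEach-Object {
        $p = Join-Path $sys32 $_
        [pscustomobject]@{
            Name   = $_
            Sha256 = $(if (Test-Path $p) { Get-Sha256 $p } else { '' })
        }
    } | Export-Csv -Path $SaveBaseline -NoTypeInformation
    "Baseline written to $SaveBaseline"
    return
}

$known = @{}
if ($Baseline) { Import-Csv $Baseline | ForEach-Object { $known[$_.Name] = $_.Sha256 } }
$cmdHash = Get-Sha256 (Join-Path $sys32 'cmd.exe')

foreach ($name in $names) {
    $path = Join-Path $sys32 $name
    $findings = @()

    if (-not (Test-Path $path)) {
        # Renaming Utilman.exe (the poster's fix) shows up here; so does deletion by an attacker.
        $findings += 'missing (renamed or deleted)'
    } else {
        $hash = Get-Sha256 $path
        # Classic offline swap: the accessibility tool has been replaced by a copy of cmd.exe.
        if ($hash -eq $cmdHash) { $findings += 'byte-identical to cmd.exe' }
        # Any other modification shows up as a difference from the clean-clone baseline.
        if ($known.ContainsKey($name) -and $known[$name] -and $known[$name] -ne $hash) {
            $findings += 'differs from baseline'
        }
    }

    # Registry variant: an IFEO "Debugger" value makes Windows start another program
    # (typically cmd.exe) instead of the accessibility tool, without touching the file.
    $dbg = (Get-ItemProperty -Path (Join-Path $ifeo $name) -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings += "IFEO Debugger = $dbg" }

    '{0,-18} {1,-8} {2}' -f $name, $(if ($findings) { 'SUSPECT' } else { 'ok' }), ($findings -join '; ')
}
```

The check only tells you the files and registry have been tampered with; it does not stop it. On a dual-boot machine anyone with root in Linux can mount the Windows partition and put Utilman.exe back or swap sethc.exe, so the durable fix is to keep the system volume from being writable offline (BitLocker, which Windows 7 Ultimate and Enterprise support), not just to rename one binary.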
  • Hmm... I've recently installed a Windows Server 2008 as Secondary Domain Controller (in order to take over a 2003 PDC soon). Today I ran dcdiag on it and it reported some errors. I wonder if this could be causing this problem of losing the domain...

    Curiously on another lab all is fine...

    Wednesday, November 9, 2016 5:29 PM
  • Another update..

    This is getting stranger every time.

    Hacked the Admin password, whose account was locked, and it was not used since June 2014. Checked the latest updates and they were also from June 2014. This is an image I'm using and upgrading since more or less that time. I'm not using System Restore, as these are lab PCs and I just clone again if something happens, like I'm doing now, but it seems that somehow the machines are reverting to almost the initial state, after installation???

    Any ideas please?

    Thanks and regards.

    Friday, November 11, 2016 12:30 PM
  • I think I got it, and most likely it has nothing to do with hacking.

    As I wrote in my previous post, the PC reverts to a very old state. Although I've disabled the System Restore functionality, it might have worked once or twice, and the students often don't properly shut down. This may cause the automatic repair to revert to that state. I booted from Linux and there were 2 huge files {5****} under System Volume Information, which is supposedly where the restores are kept.

    Friday, November 11, 2016 3:18 PM
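Added example, not code from this thread. The rollback explanation also accounts for the "lost domain" symptom that puzzled the earlier posts: Netlogon changes the computer account password every 30 days by default, so a system volume that reverts to a two-year-old state carries a machine password the domain controller no longer accepts, and the secure channel fails without anyone touching AD. The script below gathers the evidence for both halves on a lab PC: System Restore state, the restore points and shadow copies still on disk (the {5...} files under System Volume Information are their storage), recent unexpected shutdowns, and the state of the domain trust. It changes nothing. It assumes an elevated prompt, a domain logon so that `$env:USERDNSDOMAIN` is set (otherwise set `$domain` by hand), and Windows 7 with PowerShell 3.0 or later for `Test-ComputerSecureChannel`; the `nltest` and `vssadmin` checks work on stock PowerShell 2.0.

```powershell
# Added example, not code from the thread. Run from an elevated prompt on a lab PC that
# appears to have reverted to an old state. Reports only; nothing here changes state.

$domain = $env:USERDNSDOMAIN   # assumption: logged on with a domain account; set by hand otherwise

# 1. System Restore state: the registry value the System Protection UI writes, and the
#    scheduled task that actually creates new restore points.
$srKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
$disableSR = (Get-ItemProperty -Path $srKey -Name DisableSR -ErrorAction SilentlyContinue).DisableSR
"DisableSR = $disableSR  (1 = System Restore off)"
schtasks /Query /TN '\Microsoft\Windows\SystemRestore\SR' /FO LIST 2>$null | Select-String '^Status'

# 2. Restore points and shadow copies still on disk. Turning restore off does not delete
#    existing ones; they are the large files under System Volume Information.
"`nRestore points:"
Get-ComputerRestorePoint -ErrorAction SilentlyContinue |
    Select-Object SequenceNumber, Description,
        @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize
"Shadow copies on $($env:SystemDrive):"
vssadmin list shadows "/for=$($env:SystemDrive)\" 2>$null | Select-String 'Creation Time'

# 3. Unexpected shutdowns (System log event 6008): the trigger for Startup Repair on next boot.
"`nLast unexpected shutdowns:"
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6008 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-Table -AutoSize -Wrap

# 4. Domain trust. Netlogon rotates the computer account password every MaximumPasswordAge
#    days (30 by default). A volume restored to a state older than that carries a password
#    the DC no longer knows, so the secure channel fails and the PC looks "disjoined".
$nl = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$maxAge = if ($nl.MaximumPasswordAge) { $nl.MaximumPasswordAge } else { 'default (30)' }
"`nNetlogon MaximumPasswordAge = $maxAge  DisablePasswordChange = $($nl.DisablePasswordChange)"
nltest /sc_query:$domain 2>&1
if (Get-Command Test-ComputerSecureChannel -ErrorAction SilentlyContinue) {
    "Secure channel OK: $(Test-ComputerSecureChannel)"
    # If this prints False, "Test-ComputerSecureChannel -Repair -Credential (Get-Credential)"
    # resets the machine password on both sides without a full leave and rejoin.
}
```

If step 4 shows a broken channel while the AD computer object is untouched, the domain was never "left"; the PC simply booted with a stale machine password. Repairing the channel is quicker than re-imaging, but on a PC that keeps rolling back, removing the leftover restore points (or clearing them with `vssadmin delete shadows` after confirming nothing else uses them) is what stops it happening again.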