Disabling a computer account in Active Directory still allows the workstation to log in

  • Question

  • I have a special scenario. A Windows 7 workstation was in lock mode (waiting for CTRL+ALT+DEL). As an administrator, I disabled the computer account and the user account and even reset the password for that user and the workstation. My requirement is that the user cannot log in to the workstation again.

    However, the user is able to log in to the workstation.

    What AD registry parameter could lock down the computer completely? Or is there any parameter in GPO that could lock down the computer?

    Thanks in advance.

    Pingala


    SP


    • Edited by Apastambha Saturday, April 25, 2015 5:15 PM
    Saturday, April 25, 2015 5:14 PM

Answers

  • All, I found the way to solve the problem. AD GPO is the place to control the workstation. I reduced the number of cached logons to zero. Here is the procedure at AD:

    Logon to Domain Controller with Admin privileges. From the Server Manager Dashboard

    Tools > Group Policy Management > (under Domains, select the domain where the computers are to be controlled) > Group Policy Objects > Default Domain Policy > Settings (in right pane) > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon: Number of previous logons to cache, set to zero

    And, lastly from the command line, do gpupdate /force

    This will lock down the computers when they are disabled in AD.

    Thanks everyone.


    SP

    • Marked as answer by Karen Hu Monday, May 11, 2015 9:43 AM
    • Marked as answer by Apastambha Monday, May 11, 2015 10:12 AM
    Friday, May 8, 2015 10:12 AM

All replies

  • Dear,

    How many domain controllers do you have? Is the computer account in any branch location?

    thanks

    syea

    Saturday, April 25, 2015 6:38 PM
  • Just one Domain Controller. The computer account is only in this domain. Actually, I simulated the issue with one DC and one workstation.

    SP

    Sunday, April 26, 2015 12:14 PM
  • Looks like you are working with cached account. Do not cache user credentials.

    M.

    Sunday, April 26, 2015 2:39 PM
  • Hi,

    As Milos said, once the computer account is disabled in AD, users will not be able to log in to the domain from that disabled computer.

    The user is getting logged in to the computer with their cached credentials.

    I would like to suggest you clear all cached credentials for test.

    Meanwhile, Please refer to this thread:

    https://social.technet.microsoft.com/Forums/en-US/3cf59787-a526-4526-a86d-a2c8a61317b5/user-is-able-to-logon-to-network-though-computer-account-is-disabled-or-does-not-exists?forum=winservergen


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Monday, April 27, 2015 7:55 AM
  • How do I clear the cached credentials when the workstation is locked? BTW, the workstation was created fresh from scratch. Is there a way to set up the workstation without caching the credentials? Is there a policy to control the cached credentials of the workstation from AD?

    Here is the scenario: The user locked the computer and stepped out. In the meantime, the authorities disabled the computer. When the user walked back to the computer, he/she was able to log back in and do operations until he/she locked the computer again. I found that it won't allow a login the second time.

    How do I prevent for the first time itself?

    Thanks,

    Pingala


    SP


    • Edited by Apastambha Monday, April 27, 2015 1:11 PM
    Monday, April 27, 2015 12:59 PM
  • The referenced thread is not helping. How do I clear the cached credential from a workstation that is locked? Is there a way to apply a policy from AD?

    SP

    Tuesday, April 28, 2015 2:24 PM
  • Hi,

    As I said in the previous reply, it might be using the cached credential.

    How do i clear the cached credentials when the workstation is locked?

    You could still log on with the local administrator account to do this.

    Control Panel\All Control Panel Items\User Accounts\Manage your credentials

    Select the corresponding credential and click Remove.

    And then refer to this article to disable the cache via CachedLogonsCount.

    https://technet.microsoft.com/en-us/magazine/2009.07.windowsconfidential.aspx



    Thursday, April 30, 2015 8:29 AM
  • Hello Karen,

    I am testing with the DOMAIN Account, not local account. With your instructions,

    Control Panel\All Control Panel Items\User Accounts\Manage your credentials

    Select the corresponding credential and click Remove.

    I am able to see local accounts, but not the DOMAIN account, cached locally.

    BTW, I am not seeing "Manage your credentials", instead, I am seeing "Manage Your Accounts" in User Accounts.

    Secondly, I am looking for a setup with AD GPO so that, for most of the Enterprise Windows 7 workstations, I can apply the policy across the board: "Once a workstation is disabled by the administrator, the domain user for that workstation cannot log in again, especially when the workstation is in lock mode."

    The article you cited did not give any technical details that could help me to clean both local and domain credential caching.

    Please help me with the steps how I can disable the caching for local and domain credentials on the workstation to check this manually first.

    Eventually, I would like to disable a "computer" in Active Directory that should lockdown the targeted workstation for further use. Or let me know what steps are needed to lockdown a workstation immediately when a user is fired before further damage occurs to the enterprise resources.

    Thanks,

    Pingala


    SP


    • Edited by Apastambha Thursday, April 30, 2015 1:40 PM
    Thursday, April 30, 2015 1:36 PM
  • Hi,

    The credential cache must be what leads to this issue.

    Please check again:

    Control Panel\All Control Panel Items\Credential Manager\Windows Credentials

    Clear all cached credentials to see if you can still be logged on.

    Then create a logoff script to clear credentials for every user account.

    Alternatively, you could refer to the following guide to push the registry setting that limits the cache:

    http://serverfault.com/questions/375036/how-can-i-clear-cached-domain-credentials

    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.



    Tuesday, May 5, 2015 9:07 AM
  • Dear,

    Try logging in using the local administrator and deleting your domain user profile from the workstation, then log in using the domain account. This will let you know where exactly the problem is.

    Thanks

    Syea

    Friday, May 8, 2015 6:56 AM
  • It's weird that you solved the issue like that.

    If a DC is available, you cannot use cached credentials; these are used only when there's no network available.

    The workstation was up and running, hence its Kerberos logon token was still valid. When you disable a computer in AD, make sure to reboot it, or you'll have to wait until the computer tries to renew the token.


    This post is provided AS IS with no warranties or guarantees, and confers no rights.
    ~~~
    This post provides no guarantees and confers no rights.

    Friday, May 8, 2015 10:18 AM
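The procedure the thread converges on (disable the accounts in AD, set "Interactive logon: Number of previous logons to cache" to zero, refresh policy, and reboot so the live session and its Kerberos tickets go away) as an added PowerShell example. This is not code from the original thread or from Microsoft; it assumes the ActiveDirectory module (RSAT) on the admin host, a domain admin running it, WinRM enabled on the Windows 7 workstation, and the names `WS-PINGALA01` and `pingala` are placeholders. The registry value it touches, `CachedLogonsCount` under the Winlogon key, is the one the GPO security option writes.

```powershell
# Added example (not from the original thread). Assumptions: ActiveDirectory
# module available, domain admin rights, WinRM enabled on the workstation,
# placeholder names below.
$Workstation = 'WS-PINGALA01'      # hypothetical computer name
$UserName    = 'pingala'           # hypothetical sAMAccountName
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

Import-Module ActiveDirectory

# Read the cached-logon count the workstation will honour. The GPO setting
# "Interactive logon: Number of previous logons to cache" writes this REG_SZ
# value; when it is absent Windows uses its default of 10.
function Get-CachedLogonsCount {
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $WinlogonKey -ScriptBlock {
        param($Key)
        $p = Get-ItemProperty -Path $Key -Name CachedLogonsCount -ErrorAction SilentlyContinue
        if ($null -eq $p) { 10 } else { [int]$p.CachedLogonsCount }
    }
}

function Invoke-WorkstationLockout {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$SamAccountName
    )

    # 1. Disable the user at the DC. Anything that needs a fresh domain
    #    authentication for this user fails from this point on.
    Disable-ADAccount -Identity $SamAccountName

    # 2. Do the workstation-side work while the computer account is still
    #    enabled, because WinRM/Kerberos to the box depends on it. Writing
    #    CachedLogonsCount directly is the immediate stopgap; the GPO from
    #    the thread is what keeps it at 0 across later policy refreshes.
    Invoke-Command -ComputerName $ComputerName -ArgumentList $WinlogonKey -ScriptBlock {
        param($Key)
        Set-ItemProperty -Path $Key -Name CachedLogonsCount -Value '0' -Type String
        gpupdate /force | Out-Null
    }

    # 3. Disabling accounts does not end the session that is already running:
    #    the locked desktop can still be unlocked with the ticket and cached
    #    verifier the box already holds. A forced reboot ends that session.
    Restart-Computer -ComputerName $ComputerName -Force

    # 4. Now disable the computer account. After the reboot the workstation's
    #    secure channel to the domain fails, and with no cached logons left
    #    there is nothing local to fall back on.
    Get-ADComputer -Identity $ComputerName | Disable-ADAccount

    [pscustomobject]@{
        Computer         = $ComputerName
        User             = $SamAccountName
        UserDisabled     = -not (Get-ADUser -Identity $SamAccountName).Enabled
        ComputerDisabled = -not (Get-ADComputer -Identity $ComputerName).Enabled
    }
}

# Usage: audit first, then lock out.
"Cached logons on $Workstation before: $(Get-CachedLogonsCount -ComputerName $Workstation)"
Invoke-WorkstationLockout -ComputerName $Workstation -SamAccountName $UserName
```

The order matters: the registry write and policy refresh go over WinRM, which authenticates to the workstation's computer account, so they are done before that account is disabled. Setting the value to 0 also removes offline logon for every domain user on that machine, including laptops that travel, so scope the GPO to the workstations that actually need it rather than the Default Domain Policy.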