[magusbuckley]

Hello:

Here is the setup. A Windows XP Pro machine on a Windows 2003 Domain. The computer has one domain account called "gchilders". If you log off this user and pull the network cable from the NIC on the PC, how is it that we are able to log into the machine, under the domain, as some other user (bbuckley) who previously didn't have a domain account on the machine?

It is requiring that we enter the correct password for the second account (bbuckley), but the password is used for this user on the domain. If this person (bbuckley) has never logged on to this PC, and the PC is unplugged from the network, how does the PC know that we've entered a valid password?

Are all network passwords for the domain stored on each individual workstation?

This question comes to us because a guy from IT accidentaly handed out a laptop to one of our users before wiping the drive. We were trying to figure out if she would be able to log into the machine and get access to any of the old users' data.

Any and all information will be greatly appreciated.

Thanks,

Magus

[Advertisements]

Don't forget that Windows will have local accounts available as well which don't require the use of a domain server. Therefore if the same account name exists on the local machine, Windows will use that.

[Neil Jones]

Don't forget that Windows will have local accounts available as well which don't require the use of a domain server. Therefore if the same account name exists on the local machine, Windows will use that.

[dsenette]

when y ou log on to a PC on a domain...the PC will create a local profile so the user can log on "offline" etc...the user's password is stored in the SAM database locally (which is why it knows the PW is as correct as possible)

if the user you gave the LT to has the right tools...and the previous user saved files locally...then yeah...they'll be able to get to them

[magusbuckley]

Neil Jones: There were no other accounts on the local machine.

dsenette: No other users had logged into this machine so local accounts wouldn't have been created.

Here's what actually happened.

Casino Environment.....

When our General Manager retired a month ago, we replaced his laptop with a new IBM T60 (he took the new laptop home as part of a retirement farewell). We were keeping the old laptop locked away in storage in case the new General Manger needed any of the data from the drives. The user account for retired GM was "pmurphy". On the laptop in storage then, we had two accounts - pmurphy.btbil (domain account) and pmurphy (local account). Another director, from the Slot Department, user bwaltman, said he needed a laptop with a DVD Player in it because Surveillance had some videos he needed to watch. He planned to review the videos while in flight for a business trip. A guy from our IT department said here, take this one, and handed out pmurphy's laptop!!! When we realized what had happened, we started trying to figure out if any of the data could be accessed.

For testing, we used my regular PC. There is only two accounts on this machine, my own bbuckley.btibl domain account and bbuckley local account. I'm in IT and no one ever uses my computer but me. I pulled the network cable from the back of my computer and tried logging in with the slot director's user account (bwaltman). Surprisingly it told me the password was incorrect. I didn't put one in because I didn't figure it could possibly know what bwatlman's password was. I looked his password up, keyed it in, and bango...I was loggedin as bwaltman. Then, even scarier, I was able to navigate to and open C:\Documents and Settings\bbuckley\My Documents etc.

Just trying to figure out how the computer, while not on the network, new what bwaltman's password should have been?

What do you think of this?

Any and all information will be greatly appreciated.

Oh, but we did get the laptop back. Now I'm just trying to understand it because I'm curious that way and want to learn more.

Thanks,

Magus

[w0lverine]

Hi, i am also in IT, i deal with just what you are talking about.

When you accessed his account using your computer, you created a local profile on your computer. Now there will not be anything in my documents in the created profile, because it is brand new.

Now you are saying that you were not connected to the network? That is somewhat strange that you would be able to access a domain account from a non-connected computer, i shall have to check that out myself. It is possible that the domain account info could have been backlogged on your machine? Just speculating.

[w0lverine]

one thing i think it might be, is once you connect to the domain (ie: root.tacoman.com for example) it could create a log of the domain users say, in the registry, that can be accessed with or without a physical connection to the domain.

[magusbuckley]

Wolverine:

Thanks for the information. If you do any testing, I'd love to hear about it. I can only assume you'll get the same results we got here.

Magus