Domain Computer Account question.

TheMisio (Technical User), Sep 26, 2005
Dear Techies,

I thought I knew a lot about AD, however, I came across a situation that left me bedazzled. A workstation (member of our domain) had its account deleted from AD. Not a big deal, has happened a million times.
However, a user using that workstation was still able to log on to the domain. The workstation still thought it was a member of the domain, as it wasn't removed from it. Only the computer account was deleted.

Now my problem is with understanding the concept of a computer account in the domain. How can a workstation allow a user to log on with a domain user account if the computer account no longer exists? I can see an event in the System log on a DC stating that the session from a computer failed to authenticate. Access is denied.

But the user still logged on to the domain, ran all scripts etc. Why? What is the purpose of a computer account then? I can't find a definitive answer anywhere.

Cheers for any enlightenment.
 
Does the user get:
A domain controller for your domain could not be contacted. You have been logged on using cached account information. Changes to your profile since you last logged on may not be available.
If so read:

Otherwise, how many domain controllers do you have in your environment? The deleted computer account may not have replicated to all domain controllers and therefore the computer account would still be valid and the user would still be able to log on.

A Computer Account is an account that is used to authenticate a client machine (rather than a user) to the domain controller server. The purpose of the computer account is to prevent a rogue user and domain controller from colluding to gain access to a domain member workstation.

The password of a Computer Account acts as the shared secret for secure communication with the domain controller. This is a security feature to prevent an unauthorized machine with the same NetBIOS name from joining the domain, participating in domain security operations, and gaining access to domain user/group accounts. Windows 200x/XP/Vista/Win7 clients use machine trust accounts.

_______________________________________
Great knowledge can be obtained by mastering the Google algorithm.
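To see the replication situation described in the answer above for yourself, the following PowerShell is an added example (not code from the thread) that queries every domain controller in turn for the same computer account, and, where the account is missing, looks for its tombstone. It assumes the ActiveDirectory RSAT module is available and that the caller can read from each DC; the workstation name in the usage line is a placeholder.

```powershell
# Added example: report, per domain controller, whether a computer account is
# still present, so a deletion that has not yet replicated everywhere is visible.
# Assumes the ActiveDirectory module (RSAT) and read access to every DC.
function Get-ComputerAccountReplicationState {
    param(
        [Parameter(Mandatory)] [string] $ComputerName
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # sAMAccountName of a computer object is the name with a trailing '$'
    $sam = "$ComputerName$"

    foreach ($dc in Get-ADDomainController -Filter *) {
        $account   = $null
        $tombstone = $null
        try {
            # Ask this specific DC, not whichever DC the module would pick by itself
            $account = Get-ADComputer -Identity $ComputerName -Server $dc.HostName `
                -Properties pwdLastSet -ErrorAction Stop
        } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            # Not on this DC as a live object; check whether this DC already holds
            # the deleted (tombstoned) copy, which is what a replicated deletion looks like
            $tombstone = Get-ADObject -Server $dc.HostName -IncludeDeletedObjects `
                -Filter "isDeleted -eq `$true -and sAMAccountName -eq '$sam'" `
                -ErrorAction SilentlyContinue
        }

        [pscustomobject]@{
            DomainController = $dc.HostName
            Site             = $dc.Site
            AccountPresent   = [bool]$account
            DeletionSeen     = [bool]$tombstone
            # pwdLastSet is a file time; it shows when the machine last rotated its secret
            PasswordLastSet  = if ($account) { [datetime]::FromFileTime($account.pwdLastSet) } else { $null }
        }
    }
}

# Usage (placeholder workstation name): a mix of AccountPresent = True on some DCs
# and DeletionSeen = True on others is exactly the "deletion not yet replicated" case.
Get-ComputerAccountReplicationState -ComputerName 'WORKSTATION01' | Format-Table -AutoSize
```

A DC that still reports AccountPresent = True will happily authenticate the workstation's secure channel until the deletion reaches it, which matches the thread's observation that the user could still log on.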
 
TechyMcSe2k,

You are right! It was the replication. I have one DC with a 3-hour replication latency (just in case someone does something stupid).

I got my sanity back.

Cheers.

Michael.
 