
Server 2003 user account is disabled - Still logs on

Status
Not open for further replies.

JFredrick (IS-IT--Management), Dec 1, 2009
I have an account listed in active directory that I use only once each month. This account gives administrator level rights to the user so I keep this account disabled all month long. It is enabled for 1/2 day once a month and then disabled again. Our PDC is Windows 2003 SP1. This site is within a state prison and therefore can NOT have access to the internet. That is why our updating is so far behind.

Today, after being disabled all during November, I discovered by accident that someone was able to log onto that account even though it had been disabled for 30 days straight.

This is a serious security breach. What did I do wrong or what should I have done to keep this logon from being usable the past 30 days?

Is there a SP or a hotfix that addressed this issue that I should be using?
 
How many DC's do you have? Sounds like you have more than one and replication may not be working. If so, when you disable the account on one DC it doesn't replicate to the other and the account is still enabled on the 2nd DC. Then for whatever reason like geography or subnetting the user is authenticating off the 2nd DC. But I'm just speculating. Can you reproduce this?

RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen
 
Yes, this is a very small local LAN. There is a secondary server with DC function. The secondary DC has always been replicating very successfully. If we had ever "seen" it fail we would have thought the same as you did. After discovering the issue today, we created a new user acct on the PDC and logged on to it at a network station. Then we disabled the acct and a few seconds later could not log on to it. We had a 3rd PC acting as a viewing station close by using remote desktop to monitor what the secondary server status was as we made the various test changes. Replication was rather quick and always successful. We tried changing the password on this new test acct and then were unable to log in using the old password - all just as you would want.

Is it possible that the user acct itself somehow became "corrupted" or otherwise rendered dysfunctional? This is such an unnerving behavior to disable a sensitive acct only to see that after we disabled it and changed its password, it could still be used successfully with the old password and even though it was disabled. We assumed that either password caching was not functioning correctly or that the user acct was now defective somehow. We eventually deleted that old original user acct that was behaving badly and created a brand-new one of the same name and placed it into a different OU. It is working well now, yet the experience has left me eager to determine what went wrong - because it could obviously occur again unless I understand it and either explain it away or repair the problem.

Could it also be that the secondary server WAS behaving badly all month long and then suddenly with a new test acct it immediately goes into cooperation mode!!

What else can we look at or be aware of?
 
Might have been using cached credentials. If the WS couldn't contact the DC it would allow the logon based upon what it "remembers".

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
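The cached-credentials explanation above can be checked on the workstation where the logon happened. The following PowerShell is an added example, not posted by anyone in this thread: it reads how many domain logons the machine caches and lists logons of the account that were served from the cache (Logon Type 11, "CachedInteractive", which means no DC was contacted). `$Workstation` and `$Account` are placeholders, and it assumes you have admin rights to the remote registry and Security log and that "Audit logon events" was enabled on that workstation.

```powershell
# Added example: was a disabled/changed domain account honoured from cached
# credentials on a workstation? Placeholders: $Workstation, $Account.
param(
    [string]$Workstation = $env:COMPUTERNAME,   # placeholder: PC where the logon occurred
    [string]$Account     = 'MONTHLYADMIN',      # placeholder: the sensitive account
    [int]$Days           = 35                   # look back slightly more than a month
)

# 1. How many domain logons does this machine cache? 0 disables caching.
#    Policy name: "Interactive logon: Number of previous logons to cache" (default 10).
$subKey = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$hklm   = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Workstation)
$cachedCount = $hklm.OpenSubKey($subKey).GetValue('CachedLogonsCount')
$hklm.Close()
"CachedLogonsCount on ${Workstation}: $cachedCount"

# 2. Which logons of the account came from the cache rather than a DC?
#    Windows XP / Server 2003 log event 528 ("User Name:"), Vista and later log
#    4624 ("Account Name:"); in both, "Logon Type: 11" is CachedInteractive.
$namePattern = "(User|Account) Name:\s+$([regex]::Escape($Account))\b"
$events = Get-EventLog -LogName Security -ComputerName $Workstation `
                       -EntryType SuccessAudit -After (Get-Date).AddDays(-$Days) |
    Where-Object {
        (528, 4624) -contains $_.EventID -and
        $_.Message -match $namePattern -and
        $_.Message -match 'Logon Type:\s+11\b'
    }

if ($events) {
    "Cached (no-DC) logons for ${Account} on ${Workstation} in the last ${Days} days:"
    $events | Sort-Object TimeGenerated |
        Select-Object TimeGenerated, EventID | Format-Table -AutoSize
} else {
    "No cached-credential logons recorded for ${Account} on ${Workstation}."
}
```

If cached logons show up, the fix is on the workstation side (set CachedLogonsCount to 0 for sensitive machines, or make sure they can always reach a DC), since a DC-side disable cannot revoke what a client has already cached.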
 