Delete Profiles - Logging on with cached credentials?
(I know this is a double post, but I didn't know the proper forum to post it)
Windows 7 SP1 & Windows 2008 R2 DCs
I have a PC joined to the domain.
I delete the user profiles from Advanced Settings and shut down. (I verify that the profile is missing from the Users folder.)
Prior to Windows loading I disable all network connections.
I turn the PC back on and then I am still able to log in using the deleted profile's credentials.
Anyone else have this issue?
September 21st, 2011 7:47am
The cached credentials aren't stored in the users profile, they are stored in the security hive at:
hklm\security\cache ...
Readily getting at this data isn't something that is easy, so yes, what you speak of can be trouble, but from a physical standpoint the user shouldn't have access to the device. There are ways to require all logons to contact a DC (shut off caching) and prevent this. I have a couple of links I think should help you out.
How are cached credentials stored:
http://moyix.blogspot.com/2008/02/cached-domain-credentials.html
Cached Credentials and how to disable
http://technet.microsoft.com/en-us/magazine/2009.07.windowsconfidential.aspx
--
Paul Bergson
MVP - Directory Services
MCITP: Enterprise Administrator
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com Twitter @pbbergs
http://blogs.dirteam.com/blogs/paulbergson
Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.
September 21st, 2011 8:00am
Hello,
Windows 7 SP1
I have a PC joined to the domain.
I delete the user profiles from Advanced Settings and shutdown. (I verify that the profile is missing from users folder)
That is perfectly normal. Cached credentials (which are not stored in profiles) are used to logon.
If you delete the user's profile and logon using cached credentials then another profile will be created or you will logon using a temporary profile.
Here, you can proceed by two ways:
1. Disable caching of credentials.
2. Delete the user's account: in this case, if he connects to the network and tries to log on, a DC will refuse such a logon.
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration; Windows Server 2008 Network Infrastructure, Configuration; Windows Server 2008 Applications Infrastructure, Configuration; Windows 7, Configuring
Microsoft Certified IT Professional: Enterprise Administrator; Server Administrator
September 21st, 2011 8:07am
By default, Windows allows 10 credentials to be cached locally at the registry location below, so if you remove the system from the domain the cached credentials are not removed.
HKEY_LOCAL_MACHINE\SECURITY\CACHE NL$1 to NL$10
If you delete the NL$ entry the credential will never be cached; you can modify the value to 0.
You can also clear the cached credentials using the command below in the Run window.
control userpasswords2 or rundll32.exe keymgr.dll,KRShowKeyMgr
You can use a script to remove the registry entry or modify the NL$ value to 0.
http://www.windowsitpro.com/article/systems-management/q-how-can-i-selectively-clear-cached-credentials-from-my-windows-client-
You can use GPO to disable cached credentials.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\disabledomaincreds
Regards
Awinish Vishwakarma
MY BLOG:
awinish.wordpress.com
This posting is provided AS-IS with no warranties/guarantees and confers no rights.
September 21st, 2011 9:08am
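As an added example, not code from the thread, the PowerShell below audits and adjusts the settings that Paul Bergson's and Awinish's posts above refer to. The registry value behind the group policy "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" is CachedLogonsCount under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (a REG_SZ, default 10). DisableDomainCreds under the Lsa key is the "Network access: Do not allow storage of passwords and credentials for network authentication" policy; it governs Credential Manager, the store that keymgr.dll,KRShowKeyMgr displays, and not the NL$ logon cache under HKLM\SECURITY\Cache. The slot-counting function assumes an unused NL$ slot is an all-zero blob and must run as SYSTEM, because administrators cannot read HKLM\SECURITY by default. The function names are mine.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on the
# workstation being checked (PowerShell 2.0 syntax so it works on Windows 7).

$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-CachedLogonPolicy {
    # CachedLogonsCount backs "Interactive logon: Number of previous logons to cache".
    # It is stored as REG_SZ; when the value is absent Windows uses the default of 10.
    $count = (Get-ItemProperty -Path $Winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $count) { $count = '10 (default, value absent)' }

    # DisableDomainCreds backs "Network access: Do not allow storage of passwords and
    # credentials for network authentication". It blocks Credential Manager storage
    # (what keymgr.dll,KRShowKeyMgr shows); it does not touch the NL$ logon cache.
    $ddc = (Get-ItemProperty -Path $Lsa -Name DisableDomainCreds -ErrorAction SilentlyContinue).DisableDomainCreds
    if ($null -eq $ddc) { $ddc = 0 }

    New-Object PSObject -Property @{
        CachedLogonsCount  = $count
        DisableDomainCreds = $ddc
    }
}

function Set-CachedLogonCount {
    param([ValidateRange(0, 50)][int]$Count)
    # 0 forces every interactive logon to reach a DC: no offline logon on laptops, and
    # the "no logon servers available" message whenever the network is down.
    Set-ItemProperty -Path $Winlogon -Name CachedLogonsCount -Value ([string]$Count) -Type String
}

function Get-CachedLogonSlotsInUse {
    # HKLM\SECURITY\Cache holds the NL$1..NL$N blobs. Its ACL grants read access to
    # SYSTEM only, so run this under SYSTEM (e.g. psexec -s -i powershell.exe);
    # as a plain administrator OpenSubKey throws a SecurityException.
    try {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SECURITY\Cache')
        if ($null -eq $key) { return 'Cache key not found' }
        $inUse = 0
        foreach ($name in $key.GetValueNames()) {
            if ($name -notmatch '^NL\$\d+$') { continue }
            $blob = $key.GetValue($name)
            # Assumption: an unused slot is an all-zero blob, a used slot is not.
            if (($blob -is [byte[]]) -and (@($blob | Where-Object { $_ -ne 0 }).Count -gt 0)) { $inUse++ }
        }
        $key.Close()
        return $inUse
    } catch [System.Security.SecurityException] {
        return 'Access denied: run as SYSTEM to read HKLM\SECURITY'
    }
}

Get-CachedLogonPolicy
Get-CachedLogonSlotsInUse
# Set-CachedLogonCount -Count 0   # uncomment to require a DC for every interactive logon
```

On a domain member a CachedLogonsCount written directly to the registry is overwritten at the next policy refresh, so set it through Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options) rather than with Set-CachedLogonCount; the function is there to show which value the policy writes and to let you test the effect on a lab machine before rolling it out to laptops that need offline logon.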
On Wed, 21 Sep 2011 11:45:25 +0000, hman4 wrote:
Seems like this is a big security issue, if an employee gets fired and can still access the PC.
How is this a security issue? You need to think through your scenario:
Let's assume for the sake of argument that the cached credentials were
stored in the user profile and that deleting the user profile also deleted
the cached credentials, which would seem to avoid some kind of security
issue in your mind. In order to delete the user profile in the first place
you'd need either network access or physical access to the computer in
question:
1. If you've got physical access to the computer, then this is a non-issue as
the fired employee would not have physical access as well. You could simply
prevent the employee in question from accessing the computer.
2. If you've got network access to the computer then cached credentials
become a non-issue.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Programming is an unnatural act.
September 22nd, 2011 4:47am
On Thu, 22 Sep 2011 08:25:30 +0000, Bruce-Liu wrote:
You can run the following command to open the Stored User Names and Passwords feature. It can be used to delete stored credential easily.
rundll32.exe keymgr.dll, KRShowKeyMgr
Stored User Names and Passwords does not include cached domain log on
credentials.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
GIGO: A movie industry acronym referring to the numerous "Gidget Goes..."
movies, i.e. GIGO Hawaii, GIGO surfing, etc.
September 22nd, 2011 4:50am
1. If you've got physical access to the computer, then this is a non-issue as
the fired employee would not have physical access as well. You could simply
prevent the employee in question from accessing the computer.
2. If you've got network access to the computer then cached credentials
become a non-issue.
Answers:
1.) We all know that the IT department is notified prior to when an employee is terminated. (Yeah, right.) We also know that all locations and employees are notified whenever a user is terminated. Oh yeah, that badge that most companies have and use, well, he forgot it at home.
2.) Some locations have a PC with a shared folder that users need read/write access to. Disconnect that PC from the network, the terminated user logs in and has the ability to change those files.
Taking it a step further the shared folder hosts an application that communicates to other network devices. Disconnect from the network, login, plug the cable back in and away we go.
September 22nd, 2011 8:37am
I would agree with Paul Adare: if your HR isn't properly managing the termination of a user then it isn't a technology problem, it is a workflow issue. My department is always notified prior to termination; we are told to be ready for a call, etc. When the employee is brought into a conference room the user's PC is rebooted and the account disabled, along with ActiveSync being shut off. The user is then escorted from the facility. We don't want to lose the profile, since there could be valuable company information (although they aren't supposed to store stuff there) within the profile itself. We back this up in the event of lawsuits or other issues. I have seen employees brought back after termination. I had one guy who was terminated twice, he was so insistent on his ideas. After the second termination he formed his own company on the ideas and is now a multi-millionaire. :-)
--
Paul Bergson
MVP - Directory Services
MCITP: Enterprise Administrator
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com Twitter @pbbergs
http://blogs.dirteam.com/blogs/paulbergson
Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.
September 23rd, 2011 8:24am
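An added example of the termination sequence described in the post above (disable the account, shut off ActiveSync, reboot the PC), not code from the thread. It assumes the RSAT ActiveDirectory module is installed, that the Exchange Management Shell is loaded if the ActiveSync switch is used, that the caller has rights to disable accounts and restart workstations, and that the identities in the usage line are placeholders. The function name is mine.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT);
# Set-CASMailbox additionally requires the Exchange Management Shell.
Import-Module ActiveDirectory

function Invoke-Termination {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [string]$ComputerName,
        [switch]$DisableActiveSync
    )

    # 1. Disable the account and reset its password to a random value. From now on a DC
    #    refuses the old credentials. An NL$ cache entry on a machine that later goes
    #    offline still matches the old password until that slot is overwritten or
    #    CachedLogonsCount is 0, which is exactly the gap discussed in this thread.
    Disable-ADAccount -Identity $SamAccountName
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPassword = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $newPassword

    # 2. Cut off mobile mail (Exchange cmdlet).
    if ($DisableActiveSync) {
        Set-CASMailbox -Identity $SamAccountName -ActiveSyncEnabled $false
    }

    # 3. Reboot the workstation while it is still on the network so any live session ends.
    #    The local profile is left in place; back it up according to company policy.
    if ($ComputerName) {
        Restart-Computer -ComputerName $ComputerName -Force
    }

    # Return the account state so the caller can record it.
    Get-ADUser -Identity $SamAccountName -Properties Enabled, PasswordLastSet |
        Select-Object SamAccountName, Enabled, PasswordLastSet
}

# Placeholder identities for illustration.
Invoke-Termination -SamAccountName 'jdoe' -ComputerName 'WS-042' -DisableActiveSync
```

Step 3 only matters while the machine can reach a DC; once it is unplugged, the cached logon works for as long as the NL$ slot survives, so the reboot is a session-ending measure, not a way to purge the cache.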
The IT department is notified and accounts are disabled or passwords reset.
However HR needs to be concerned about privacy issues in notifying the other 3000+ employees in all locations (most are within driving distance) about terminations.
September 23rd, 2011 8:38am
Hello!
I have the same problem/observation.
Scenario: Domain with windows server 2008 r2, some laptops with XP PRO (SP3) and with Windows 7 PRO (SP1). Profiles are cached on local drives.
On the XP machine, when a normal user logs in for the first time with domain credentials, his profile is created on disk. When I (admin) remove his local profile (via System/Advanced/Profiles/...) and disconnect this laptop from the network, this user can't log in on this machine again (this is OK: no cached profiles and no network to check user authentication. The user sees only a message that there are no logon servers).
On the Win 7 machine, when a normal user logs in for the first time with AD credentials, his profile is also created on disk. When I remove this profile (again via System/Advanced...), reboot the machine and disconnect from the network, this user is still able to log in again on this machine (there is no profile of his and no network connection!).
My question is: where are this user's credentials stored, and why does Windows 7 work differently than Windows XP?
I remove profiles and logon again when I test some policy settings, logon scripts or registry modifications.
Thanks a lot!
September 26th, 2012 11:22am
Where are cached credentials stored?
Here, where Paul Bergson said they are in his first post in this discussion:
The cached credentials aren't stored in the users profile, they are stored in the security hive at:
hklm\security\cache ...
As for W7 and XP being different concerning cached credentials, I haven't experimented with that, so someone else may have to answer that.
Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.
September 26th, 2012 6:18pm