Channel: Directory Services forum

New users able to log into laptops without AD accounts


Hi

I've just performed a test as I've suspected recently that users were able to log into laptops whose computer account had been deleted.

Basically, the test I performed was to create a new Windows 7 VM and join it to our domain. I then logged in as myself to create my profile and make sure domain users could log into it. I then turned the VM off and deleted its computer account. After that I turned the VM back on, and logged in using a test user domain account which hadn't logged in before and therefore wasn't logging into a cached profile.

I'm obviously finding it difficult to understand (as well as very worrisome) that users would be able to log into computers on our domain which don't have computer accounts. From my understanding, when a user logs into a computer, the computer first sends its username and password to a DC for authentication, and then only if those credentials are authenticated will it pass the user's credentials to the DC. So how can the computer be being authenticated when it doesn't have a computer account? Maybe I just misunderstood when I did my AD certification.

Also all this work was done within the same AD site, so site-to-site replication times don't factor in it.

Approximately 3 years ago we brought our network management in-house, having had it previously managed by the now bankrupt 2e2. When we were being managed by them, without us knowing, they changed our user password policy so that users could have a password of 0 characters, no lock-out policy, etc (basically setting a password policy where users didn't actually need a password). We have obviously fixed this and brought in a much stricter policy. I'm suspecting they may have done something with the computer policy but I don't know where to verify that.

Any help would be much appreciated.

David
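A diagnostic sketch for the test described in the post, added here as an example and not part of the original post: it checks whether the deleted computer object is really gone on every domain controller, shows the domain password and lockout policy now in effect, and tests the machine's secure channel. It assumes the RSAT ActiveDirectory module is installed on the admin workstation; `TESTVM01` is a placeholder for the test VM's name.

```powershell
# Added diagnostic example. Steps 1 and 2 run on an admin workstation with the
# RSAT ActiveDirectory module; step 3 runs on the test machine itself.
Import-Module ActiveDirectory

$ComputerName = 'TESTVM01'   # placeholder (assumption): name of the test VM

# 1. Ask every domain controller whether it still holds the computer object.
#    A DC that still returns it has not yet processed the deletion.
$perDc = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $obj = Get-ADComputer -Filter "Name -eq '$ComputerName'" `
                              -Server $dc.HostName -ErrorAction Stop
        [pscustomobject]@{
            DC             = $dc.HostName
            Site           = $dc.Site
            AccountPresent = [bool]$obj
            Error          = $null
        }
    } catch {
        # An unreachable DC is reported, not silently treated as "account absent".
        [pscustomobject]@{
            DC             = $dc.HostName
            Site           = $dc.Site
            AccountPresent = $null
            Error          = $_.Exception.Message
        }
    }
}
$perDc | Format-Table -AutoSize

# 2. Default domain password and lockout policy currently in effect.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                  MaxPasswordAge, LockoutThreshold, LockoutDuration

# 3. On the test machine, from an elevated prompt: returns $true only if the
#    machine can still establish its secure channel with the domain.
Test-ComputerSecureChannel -Verbose
```

Record the results of step 1 and step 3 before and after deleting the computer account so the logon test can be compared against what the domain controllers actually hold at that moment.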

