How did user log into a machine when domain account was disabled?

I have a Windows XP Pro machine on our domain.  I have a Windows 2003 server as the domain controller.  I have a user that somehow bypassed me disabling their account.  I want to know how this can happen so I can prevent it in the future.  Here is what I know about the situation...

Administrator and the domain user were administrators on the local machine.
Guest account was enabled.
Local administrator account had a secure password.
I disabled the domain user's account on the DC and changed the password.
I logged into the machine as a test and was denied access.

They still got in... I went into Event Viewer and found a few strange entries:

====
ID: 576
Source: Security
Category: Privilege Use

Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0x 189507B1)
Privileges: SeBackupPrivilege
                 SeRestorePrivilege
                 SeDebugPrivilage
                 SeChangeNotifyPrivilege
====
ID: 540
Source: Security
Category: Logon/Logoff

Successful Network Logon:
User Name: ComputerName$
Domain: DomainName
Logon ID: (0x0,0x 189507B1)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {stuff}
====
ID: 538
Source: Security
Category: Logon/Logoff

User Logoff:
User Name: ComputerName$
Domain: DomainName
Logon ID: (0x0,0x 189507B1)
Logon Type: 3

... So, I ask: what happened, so I can prevent this in the future?
Thanks!

Asked by: mlamartina
johnb6767 commented:
Any chance they disconnected the LAN cable, and used a cached profile?
 
mlamartina (author) commented:
JohnB6767,

Great suggestion.  With Cat6 plugged in, it denied me access to the user's account.  I yanked the cable and wouldn't you know, it let me in!  I'm SO disappointed in Microsoft right now, you can't imagine!

However, I have a question.  Let's say the user was Joe Smith using the domain account JSmith and the machine name was Desktop50.  When I was allowed in using JSmith, I looked in the event viewer and it showed that JSmith was the account that logged into the computer.  When this happened and the user did whatever they did, it showed that "Desktop50$" was the one who logged in.

Ideas?
Thanks!
 
giltjr commented:
Next time, change their password, log on to the computer with the NEW password, then disable their account. The cached credentials will now have the new password, which they should not know.

Actually, the best bet may be to log on with an admin ID, delete their domain account from the computer, and delete their user directory on the computer.

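As an added illustration, not code from this thread, here is a small Python model of why the order of the offboarding steps matters. A domain controller checks the enabled flag and password; a workstation stores a cached verifier every time an online logon succeeds (bounded by a CachedLogonsCount-style setting) and consults only that cache when the DC is unreachable. The hash construction is a simplified stand-in, not the real Windows cached-credential format, and the class and function names are assumptions.

```python
import hashlib
from dataclasses import dataclass, field


def nt_hash(password: str) -> str:
    # Stand-in for the NT hash (real Windows uses MD4 over UTF-16LE); SHA-256 here is an assumption.
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()


def cache_verifier(username: str, password: str) -> str:
    # Stand-in for the cached domain credential; the real format differs (assumption).
    return hashlib.sha256((username.lower() + nt_hash(password)).encode()).hexdigest()


@dataclass
class Account:
    password: str
    enabled: bool = True


@dataclass
class DomainController:
    accounts: dict = field(default_factory=dict)

    def authenticate(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None or not acct.enabled:
            return False
        return acct.password == password


@dataclass
class Workstation:
    dc: DomainController
    network_up: bool = True
    cached_logons_count: int = 10   # modelled after the Winlogon CachedLogonsCount default
    cache: dict = field(default_factory=dict)

    def logon(self, username: str, password: str):
        """Return (success, logon_type): 2 = interactive against the DC, 11 = cached interactive."""
        if self.network_up:
            ok = self.dc.authenticate(username, password)
            if ok and self.cached_logons_count > 0:
                # A successful online logon refreshes the local cache entry.
                self.cache[username.lower()] = cache_verifier(username, password)
            return ok, 2
        # Offline: the DC is never consulted, so its "disabled" flag and new password are invisible.
        stored = self.cache.get(username.lower())
        if stored is None:
            return False, 11
        return stored == cache_verifier(username, password), 11


def naive_offboarding(ws: Workstation, username: str, new_password: str) -> None:
    # The order used in the question: disable and change the password at the DC only.
    acct = ws.dc.accounts[username]
    acct.enabled = False
    acct.password = new_password


def refresh_then_disable(ws: Workstation, username: str, new_password: str) -> None:
    # The order suggested above: change password, log on online to overwrite the cache, then disable.
    acct = ws.dc.accounts[username]
    acct.password = new_password
    ws.network_up = True
    ws.logon(username, new_password)
    acct.enabled = False


def run_scenarios() -> dict:
    results = {}
    # Scenario A: user has logged on before, account is then disabled at the DC.
    ws = Workstation(DomainController({"JSmith": Account("OldPass1")}))
    ws.logon("JSmith", "OldPass1")
    naive_offboarding(ws, "JSmith", "NewPass2")
    results["naive_online"] = ws.logon("JSmith", "OldPass1")      # (False, 2)
    ws.network_up = False
    results["naive_offline"] = ws.logon("JSmith", "OldPass1")     # (True, 11): cable pulled, still gets in
    # Scenario B: the cache is overwritten with a password the user does not know before disabling.
    ws = Workstation(DomainController({"JSmith": Account("OldPass1")}))
    ws.logon("JSmith", "OldPass1")
    refresh_then_disable(ws, "JSmith", "NewPass2")
    ws.network_up = False
    results["refreshed_offline"] = ws.logon("JSmith", "OldPass1")  # (False, 11)
    # Scenario C: cached logons disabled entirely, so there is nothing to fall back on offline.
    ws = Workstation(DomainController({"JSmith": Account("OldPass1")}), cached_logons_count=0)
    ws.logon("JSmith", "OldPass1")
    naive_offboarding(ws, "JSmith", "NewPass2")
    ws.network_up = False
    results["no_cache_offline"] = ws.logon("JSmith", "OldPass1")   # (False, 11)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: success={outcome[0]} logon_type={outcome[1]}")
```

Scenario C corresponds to setting CachedLogonsCount to 0 in Group Policy or the Winlogon registry key, which trades the cached-credential exposure for the inability to log on with a domain account when the DC is unreachable.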
 
johnb6767 commented:
That's strange for that entry...

When the desktop50$ logged in, what was the logon type code, 2 or 11?
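As an added example that is not part of the thread, the following Python script parses Security-log entries pasted in the text form used in the question, answers the logon-type question above by flagging type 11 (cached interactive) logons, separates machine-account (`name$`) logons from user sessions, and ties a 576 privilege-assignment entry back to the logon with the same Logon ID. The sample text is constructed: it reproduces the three entries from the question and adds a hypothetical 528 entry for JSmith with logon type 11; the function names are assumptions.

```python
import re

# Windows XP/2003 logon type codes relevant to this thread.
LOGON_TYPES = {2: "Interactive", 3: "Network", 7: "Unlock", 10: "RemoteInteractive", 11: "CachedInteractive"}

# Constructed sample: entries 576/540/538 as in the question, plus a hypothetical 528 cached logon.
SAMPLE_EVENTS = """\
====
ID: 576
Source: Security
Category: Privilege Use

Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0x189507B1)
Privileges: SeBackupPrivilege
                 SeRestorePrivilege
                 SeDebugPrivilege
                 SeChangeNotifyPrivilege
====
ID: 540
Source: Security
Category: Logon/Logoff

Successful Network Logon:
User Name: Desktop50$
Domain: DomainName
Logon ID: (0x0,0x189507B1)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
====
ID: 538
Source: Security
Category: Logon/Logoff

User Logoff:
User Name: Desktop50$
Domain: DomainName
Logon ID: (0x0,0x189507B1)
Logon Type: 3
====
ID: 528
Source: Security
Category: Logon/Logoff

Successful Logon:
User Name: JSmith
Domain: DomainName
Logon ID: (0x0,0x1895A000)
Logon Type: 11
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: DESKTOP50
"""


def parse_events(text: str) -> list:
    """Split on '====' separators and collect 'Key: Value' fields; privilege lists span several lines."""
    events = []
    for chunk in re.split(r"^====\s*$", text, flags=re.M):
        fields, privs, last_key = {}, [], None
        for line in chunk.splitlines():
            if not line.strip():
                continue
            m = re.match(r"^(\S[^:]*):\s*(.*)$", line)
            if m and not line.startswith(" "):
                last_key = m.group(1).strip()
                fields[last_key] = m.group(2).strip()
            elif last_key == "Privileges":
                privs.append(line.strip())          # indented continuation of the privilege list
        if "ID" in fields:
            if "Privileges" in fields:
                fields["Privileges"] = [fields["Privileges"]] + privs
            events.append(fields)
    return events


def analyze(events: list) -> list:
    """Return human-readable findings; logon events are 528 (interactive) and 540 (network)."""
    findings = []
    # First pass: map Logon ID to account so a 576 entry (often with a blank User Name) can be attributed.
    by_logon_id = {ev["Logon ID"]: ev.get("User Name", "") for ev in events if ev.get("ID") in ("528", "540")}
    for ev in events:
        eid, user = ev.get("ID"), ev.get("User Name", "")
        ltype = int(ev["Logon Type"]) if ev.get("Logon Type", "").isdigit() else None
        if eid in ("528", "540") and ltype == 11:
            findings.append(f"{user}: cached interactive logon (type 11); the DC was not consulted")
        if eid in ("528", "540") and user.endswith("$"):
            findings.append(f"{user}: machine account logon (type {ltype} {LOGON_TYPES.get(ltype, '?')}), not a user session")
        if eid == "576" and "SeDebugPrivilege" in ev.get("Privileges", []):
            owner = by_logon_id.get(ev.get("Logon ID"), "unknown account")
            findings.append(f"SeDebugPrivilege assigned to logon {ev.get('Logon ID')} ({owner})")
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

On the constructed sample this reports three findings: the machine account's Kerberos network logon (which explains the `Desktop50$` entry the author saw, since the computer account authenticates to the DC on its own), the SeDebugPrivilege assignment attributed to that same Logon ID, and JSmith's type 11 logon, which is the signature of a logon served from the local credential cache.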