How did user log into a machine when domain account was disabled?

I have a Windows XP Pro machine on our domain.  I have a Windows 2003 server as the domain controller.  I have a user that somehow bypassed me disabling their account.  I want to know how this can happen so I can prevent it in the future.  Here is what I know about the situation...

Administrator and the domain user were administrators on the local machine.
guest account was enabled
local administrator account had secure password
I disabled the domain user's account on the DC and changed the password
I logged into the machine as a test and was denied access

They still got in...  I went into Event Viewer and found a few strange entries:

====
ID: 576
Source: Security
Category: Privilege Use

Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0x 189507B1)
Privileges: SeBackupPrivilege
                 SeRestorePrivilege
                 SeDebugPrivilege
                 SeChangeNotifyPrivilege
====
ID: 540
Source: Security
Category: Logon/Logoff

Successful Network Logon:
User Name: ComputerName$
Domain: DomainName
Logon ID: (0x0,0x 189507B1)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {stuff}
====
ID: 538
Source: Security
Category: Logon/Logoff

User Logoff:
User Name: ComputerName$
Domain: DomainName
Logon ID: (0x0,0x 189507B1)
Logon Type: 3

...  So, I ask...  What happened so I can prevent this in the future?
Thanks!
mlamartina Asked:

johnb6767 Commented:
Any chance they disconnected the LAN cable, and used a cached profile?
0

mlamartina (Author) Commented:
JohnB6767,

Great suggestion.  With Cat6 plugged in, it denied me access to the user's account.  I yanked the cable and wouldn't you know, it let me in!  I'm SO disappointed in Microsoft right now, you can't imagine!

However, I have a question.  Let's say the user was Joe Smith using the domain account JSmith and the machine name was Desktop50.  When I was allowed in using JSmith, I looked in the event viewer and it showed that JSmith was the account that logged into the computer.  When this happened and the user did whatever they did, it showed that "Desktop50$" was the one who logged in.

Ideas?
Thanks!
0
giltjr Commented:
Next time, change their password, log on to the computer with the NEW password, then disable their account.  The cached credentials will now have the new password, which they should not know.

Actually, the best bet may be to log on with an admin ID and delete their domain account from the computer and delete their user directory on the computer.

0
johnb6767 Commented:
That's strange for that entry...


When the desktop50$ logged in what was the logon type code, 2 or 11?
0
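Added example, not part of the original thread: a small parser for Security log records pasted in the `====`-separated layout used in the question, which labels each successful logon by its Logon Type so a computer-account network logon (type 3) can be told apart from a cached-credential user logon (type 11). The second sample record is constructed for illustration; event ID 528 and the logon type names are the standard XP/2003 Security log values, and the function names are hypothetical.

```python
# Logon Type codes recorded in Windows Security log logon events.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# Constructed sample: the 540 record mirrors the one posted in the question;
# the 528 record is invented to show what a cached-credential logon looks like.
SAMPLE = """====
ID: 540
Successful Network Logon:
User Name: Desktop50$
Logon ID: (0x0,0x189507B1)
Logon Type: 3
====
ID: 528
Successful Logon:
User Name: JSmith
Logon ID: (0x0,0x18950A10)
Logon Type: 11
"""

def parse_events(dump):
    """Split a pasted dump on '====' and read 'Key: value' lines per record."""
    events = []
    for block in dump.split("===="):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields.setdefault(key.strip(), value.strip())
        if "ID" in fields:
            events.append(fields)
    return events

def classify(event):
    """Return (account, logon type name, finding) for events 528/540, else None."""
    if event.get("ID") not in ("528", "540"):
        return None
    user = event.get("User Name", "")
    raw = event.get("Logon Type", "")
    code = int(raw) if raw.isdigit() else 0
    if user.endswith("$"):
        finding = "computer account logon, not a person at the keyboard"
    elif code == 11:
        finding = "user logged on with locally cached domain credentials"
    else:
        finding = "user logon"
    return user, LOGON_TYPES.get(code, "Unknown"), finding

def report(dump):
    return [r for r in map(classify, parse_events(dump)) if r]
```

Calling `report(SAMPLE)` returns one tuple per successful logon; records with other event IDs, such as 538 or 576, are skipped.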