Cached domain credentials in Administrator account of Workgroup computer.

I set up a Windows XP Pro (SP2) computer, added programs, and tweaked the profile inside a secondary local administrator account, i.e., "Admin2". To obtain needed executables on a domain computer, I opened a remote folder via \\Computer_Name\Sharename, and provided the domain username and password when prompted. Then I logged out and logged in as "Administrator" (local), and copied the Admin2 profile to the Default User folder. (I don't remember, but I may or may not have accessed the same \\Computer_Name\Sharename while logged in as Administrator.)

To test it, I logged back in as Admin2 and deleted the Administrator profile, then logged back in as Administrator to recreate the Administrator profile. Here's the kicker: Any \\Computer_Name\Sharename on a Windows 2000 or Windows XP computer on the network in the domain, of which the local computer is not a part, opened via Explorer or the Run box opens without prompting for username and password. In other words, the credentials never cleared, even after several reboots and several attempts to delete and recreate the Administrator profile.

By the way, the account profile used to create the Default User profile, "Admin2", does not itself exhibit this behavior when logged in as Admin2. Checking the Saved Network Password control panel applet for Administrator shows no saved passwords. Also, changing the workgroup name and rebooting did not fix the problem.
Napoloen_Solo Asked:
 
lamaslany Commented:
Is the local 'Administrator' password the same as is used on the domain?
0
 
Toni Uranjek (Consultant/Trainer) Commented:
Hi!

Click Start, Run, enter "control userpasswords2", press Enter, go to the Advanced tab, click the Manage Passwords button, check if any network-related passwords are stored, and then click Remove.

HTH

Toni
0
 
Netman66 Commented:
I would expect this.

You stated you created Admin2 BEFORE you copied the Administrator profile over the Default User profile.

Creating a template profile using the Administrator profile is NOT the proper way to do this.

The Administrator profile contains sections of the Registry that refer specifically to the Administrator's HKCU Hive and thus many of the keys that store information the Administrator has. Every new user that logs in will have their initial profile built up from Default User (with all the information the Administrator used to have).

Since you no longer have a standard Default User profile (copying from an untouched computer may not work), you'll now have to reload this box to get it back.



0
 
Napoloen_Solo (Author) Commented:
Thanks to all for your comments. Lamaslany was closest to the mark. Since posting, I received assistance from Microsoft tier 2 support and I learned that the Administrator password, being the same on the PC as other machines on the domain was the cause of the "cached" credentials.

Here's the funny thing: It does not matter if the 2 (or more) workstations in question are in the same workgroup or even if one workstation is in the domain and the other is NOT in the domain. If a username and password match on each workstation in the Local Computer security zone, each will have the other's rights on that workstation through the network.

Netman66, that keys are copied from the Administrator's HKCU Hive to the Default User profile is what I intended to happen and is not a problem. In Microsoft KB article 887816 Microsoft states "...Windows XP SP2 Minisetup was modified so that, by default, Mini-Setup will copy any customizations from the local administrator account to the default user account. The default user account is used to build a profile when a new user logs on." This is only a problem if an admin wants to use some other profile than Administrator to customize the Default User profile, in which case he can get a hotfix by calling Microsoft.

 
0
 
Netman66 Commented:
Yes, the mini-setup wizard will copy them - not you.  It strips off Administrator-specific registry information, whereas a copy does not.

0
 
Napoloen_Solo (Author) Commented:
Then hopefully, after I copied the Administrator profile manually, sysprep recopied and stripped out administrator-specific registry information?
0
 
Netman66 Commented:
Nope.

Log in with an Account with Admin rights.
Load the NTUSER.DAT from the Default User Profile.
Search for "Administrator".

You'll see what I'm talking about.

0
 
Napoloen_Solo (Author) Commented:
Thanks Netman66. I believe you. And I will do that if I have to. Can you point to a reference that delineates what those specific keys are? Possibly I could use ScriptLogic to strip them out if I knew what they were.
0
 
Netman66 Commented:
There will be a few.

Everything in the NTUSER.DAT is actually the HKEY_CURRENT_USER registry key.  Initially, the values are REG_EXPAND_SIZE because they use variables.  Once a user's profile is built from it, the variables actually resolve to the proper value in the key.

So, there are paths to Shell Folders, User Shell Folders, etc., that will now point to C:\Documents and Settings\Administrator - for every user created from this template.

You'll have to do a search and record them somehow.

0
 
Napoloen_Solo (Author) Commented:
Thanks, I was able to strip out the few erroneous Administrator Profile references in NTUSER.DAT and replace with %USERPROFILE%. Seems to work fine.
0
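
The procedure worked out across the comments above (load Default User's NTUSER.DAT, search it for the Administrator profile path, replace the hits with %USERPROFILE%), as an added PowerShell example that is not part of the original thread. It assumes PowerShell 2.0 or later and an elevated prompt; the mount name `DefaultUserAudit`, the parameter names and the default paths are assumptions, and rewritten values are stored as REG_EXPAND_SZ so the variable resolves per user.

```powershell
# Added example, not from the thread. Reports string values in the Default User
# hive that hard-code the Administrator profile path; rewrites them only with -Fix.
param(
    [string]$HivePath   = 'C:\Documents and Settings\Default User\NTUSER.DAT',  # assumed path
    [string]$OldProfile = 'C:\Documents and Settings\Administrator',            # assumed path
    [switch]$Fix        # without -Fix the script is read-only
)
$mountName = 'DefaultUserAudit'   # hypothetical temporary key under HKEY_USERS
$noExpand  = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
$expandSz  = [Microsoft.Win32.RegistryValueKind]::ExpandString
$pattern   = [regex]::Escape($OldProfile)

function Search-Key([Microsoft.Win32.RegistryKey]$Key) {
    foreach ($name in $Key.GetValueNames()) {
        $kind = $Key.GetValueKind($name)
        if ($kind -ne 'String' -and $kind -ne 'ExpandString') { continue }
        # Read the stored text without expanding %VARIABLES%
        $raw = [string]$Key.GetValue($name, '', $noExpand)
        if ($raw -notmatch $pattern) { continue }      # -notmatch ignores case
        $new = [regex]::Replace($raw, $pattern, '%USERPROFILE%', 'IgnoreCase')
        if ($Fix) { $Key.SetValue($name, $new, $expandSz) }
        New-Object psobject -Property @{
            Key = $Key.Name; Value = $name; Kind = $kind; Old = $raw; New = $new
        }
    }
    foreach ($sub in $Key.GetSubKeyNames()) {
        $child = $Key.OpenSubKey($sub, $Fix.IsPresent)
        if ($child) { try { Search-Key $child } finally { $child.Close() } }
    }
}

reg.exe load "HKU\$mountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath" }
try {
    $root = [Microsoft.Win32.Registry]::Users.OpenSubKey($mountName, $Fix.IsPresent)
    try { Search-Key $root | Format-List Key, Value, Kind, Old, New }
    finally { $root.Close() }
}
finally {
    [gc]::Collect()                          # drop lingering handles so unload succeeds
    reg.exe unload "HKU\$mountName" | Out-Null
}
```

Run it once without `-Fix` to review the matches before writing anything; REG_MULTI_SZ and binary values are not examined.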