SBS 2011 workstations can use old Admin password

SBS 2011, admin password was changed, logged out and back into server with new password. The users are not administrators on their computers so someone with the admin password enters it when needed for an installation or download. The workstations are still able to use the old admin password, for how long I don't know but I'm assuming probably until the computer is restarted. Is there a way to avoid this?
dpacheco Asked:

John, Business Consultant (Owner) Commented:
Try changing it again and this time restart the server. This will disconnect workstations and make them connect again.
dpacheco, Author Commented:
I'll try restarting the server, I think I did do that after changing the password but not 100% sure.
John, Business Consultant (Owner) Commented:
Make sure workstations are logged off and once the server has restarted, ask users to restart their workstations.
Lee W, MVP, Technology and Business Process Advisor Commented:
The Domain Administrator account password will change instantly.  If you used the same password for the LOCAL administrator accounts (and even if you didn't), your changing the domain admin account does ABSOLUTELY NOTHING for them.  If the PCs in question are disconnected from the network, then the local cached copy of the domain admin password will still work until the next time the domain admin logs in to the system.

You might want to look into the Local Administrator Password Solution (LAPS): https://www.microsoft.com/en-us/download/details.aspx?id=46899
dpacheco, Author Commented:
The local admin account is not and has never been the same as the domain administrator, every computer has a different local admin with a different password. The PCs in question were not disconnected from the network. The workstation I tested this morning now requires the new password, neither it nor the server have been restarted. I logged in as the same user this morning as I did this afternoon, no one used the computer today. I would assume this has to do with caching the password. It sounds like I'll need to have users restart their computers each time the domain administrator password is changed or we'll need to use the local admin account when needed.
John, Business Consultant (Owner) Commented:
"It sounds like I'll need to have users restart their computers each time the domain administrator password is changed or we'll need to use the local admin account when needed."

I would restart the workstations. If you change the domain admin password every 90 days, this is not a big issue. And the restart seems to have worked for you to prevent local caching.

However, if the domain admin password was changed and the server restarted right after (so do this in a slow period), then the workstation cache should not work.
dpacheco, Author Commented:
John - the restart did not work as I didn't restart the workstation - in the morning the old password worked and in the afternoon it did not. The only thing that happened on that particular workstation is I logged on and off as a standard user. I do agree it is a cached password issue. At the next password change I will test again by selecting a couple of workstations and restart them just to make sure they are connected but not logged in, change the admin password, restart the server and log into the server with the new password. I'll then log in as a user on one of the workstations and make a change that requires admin password. If it accepts the old password then I'll restart the workstation and check it again. Thanks.
John, Business Consultant (Owner) Commented:
Thanks for the update and I was happy to help you.