SBS 2011 workstations can use old Admin password

dpacheco
SBS 2011, admin password was changed, logged out and back into server with new password. The users are not administrators on their computers so someone with the admin password enters it when needed for an installation or download. The workstations are still able to use the old admin password, for how long I don't know but I'm assuming probably until the computer is restarted. Is there a way to avoid this?
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Try changing it again and this time restart the server. This will disconnect Workstations and make them connect again.

Author

Commented:
I'll try restarting the server, I think I did do that after changing the password but not 100% sure.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Make sure Workstations are logged off and once the server has restarted, ask users to restart their Workstations.

Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013

Commented:
The Domain Administrator account password will change instantly.  If you used the same password for the LOCAL administrator accounts (and even if you didn't), your changing the domain admin account does ABSOLUTELY NOTHING for them.  If the PCs in question are disconnected from the network, then the local cached copy of the domain admin password will still work until the next time the domain admin logs in to the system.

You might want to look into the Local Administrator Password Solution (LAPS): https://www.microsoft.com/en-us/download/details.aspx?id=46899
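
One way to check whether a workstation accepted the admin credentials from its local cache rather than from a domain controller (an added example, not part of the original thread): the script reads the cached-logon setting, tests the secure channel to the domain, and lists recent successful logons (event 4624) by the admin account with their logon type. The account name `Administrator` and the 24-hour window are assumptions; run it from an elevated PowerShell prompt on the workstation.

```powershell
# Added example, not from the thread. Requires an elevated prompt to read the Security log.
param(
    [string]$AdminUser = 'Administrator',  # assumption: name of the admin account being tested
    [int]$HoursBack = 24                   # assumption: how far back to search
)

# Number of domain logons Windows may keep cached locally (default 10; 0 disables caching).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
"CachedLogonsCount : $cached"

# Can this machine currently talk to a domain controller over its secure channel?
"Secure channel OK : $(Test-ComputerSecureChannel)"

# Logon types of interest in event 4624 (successful logon).
$typeNames = @{
    '2'  = 'Interactive'
    '11' = 'CachedInteractive (cached domain credentials)'
}

$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$HoursBack) }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Read the event fields by name so the script does not depend on field order.
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data.TargetUserName -eq $AdminUser -and $typeNames.ContainsKey($data.LogonType)) {
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            Domain    = $data.TargetDomainName   # computer name here means a LOCAL account
            User      = $data.TargetUserName
            LogonType = $typeNames[$data.LogonType]
        }
    }
} | Select-Object Time, Domain, User, LogonType | Format-Table -AutoSize
```

A `CachedInteractive` row for the domain account means the workstation validated the password against its own cache; a `Domain` value equal to the computer name means the local Administrator account was used, which a domain password change does not affect.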

Author

Commented:
The local admin account is not and has never been the same as the domain administrator, every computer has a different local admin with a different password. The PCs in question were not disconnected from the network. The workstation I tested this morning now requires the new password, neither it nor the server have been restarted. I logged in as the same user this morning as I did this afternoon, no one used the computer today. I would assume this has to do with caching the password. It sounds like I'll need to have users restart their computers each time the domain administrator password is changed or we'll need to use the local admin account when needed.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
"It sounds like I'll need to have users restart their computers each time the domain administrator password is changed or we'll need to use the local admin account when needed."

I would restart the workstations. If you change the domain admin password each 90 days, this is not a big issue. And the restart seems to have worked for you to prevent local caching.

However if the domain admin password was changed and the server restarted right after (so do this in a slow period), then the workstation cache should not work.

Author

Commented:
John - the restart did not work as I didn't restart the workstation - in the morning the old password worked and in the afternoon it did not. The only thing that happened on that particular workstation is I logged on and off as a standard user. I do agree it is a cached password issue. At the next password change I will test again by selecting a couple of workstations and restart them just to make sure they are connected but not logged in, change the admin password, restart the server and log into the server with the new password. I'll then log in as a user on one of the workstations and make a change that requires admin password. If it accepts the old password then I'll restart the workstation and check it again. Thanks.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Thanks for the update and I was happy to help you.
