RE: windows domain question

From: Moorhouse, Walt P (WaltPMoorhouse@eaton.com)
Date: 04/19/02


From: "Moorhouse, Walt P" <WaltPMoorhouse@eaton.com>
To: "'bejon@supertel.com'" <bejon@supertel.com>, 'Mike Coppins' <mike@legolas.com>, focus-ms@securityfocus.com
Date: Fri, 19 Apr 2002 11:07:40 -0400

I think what Mike was asking is, what happens if a laptop is removed from a
domain, via setting it to a workgroup. It has been my experience that it
will NOT retain the information it needs to reconnect to the domain. For
example, I can take a Win2k laptop that is a member of a WinNT domain, and
change it to be a member of a workgroup called "WORKGROUP." Then if I reboot
and then try to change it back to the domain, it fails. I have to delete
the machine account and then recreate it before I am able to join.

I'm still not exactly sure what Mike was getting at, but if you were afraid
someone might be able to compromise your domain by masquerading as a trusted
machine using information from a machine that is no longer in the domain, I
don't think you have to worry about it.

However, you should definitely remove the machine account from the domain,
if for no other reason than good housekeeping. You can't reconnect (at
least I haven't found a way) the same machine after leaving the domain
without rebuilding that shared key. As far as passwords that may have been
cached, I really didn't have time to research that one, but you are changing
your admin passwords every so often, right? :-)

I'm sure Laura R could tell you exactly what goes on during this process, so
I'll leave it to the expert. ;-)

I hope this helps.

Walt

-----Original Message-----
From: Bejon Parsinia [mailto:bejon@supertel.com]
Sent: Friday, April 19, 2002 12:53 AM
To: 'Mike Coppins'; focus-ms@securityfocus.com
Subject: RE: windows domain question

Mike,

Speaking from experience, depending on the policies in place on the network,
the laptop very well could retain sensitive information about the domain.
My example is as follows: I take my laptop home with me every night. It is
running Win2k Pro. I can leave my login information exactly the same as
when I have it plugged into my domain at the office when I login to the
laptop at home without any sort of VPN or public access to my network.

What does this mean? The laptop contains cached information (username,
password, domain name) that does not necessarily expire. I am just logging
in to use my laptop at home without connecting to any resources other than
my internet connection at the house. Dangerous, you bet. You can run
utilities to capture and recover those passwords very easily. No need to
disconnect it from the domain whatsoever.

Hope this helps,

Bejon

-----Original Message-----
From: Mike Coppins [mailto:mike@legolas.com]
Sent: Thursday, April 18, 2002 9:46 AM
To: focus-ms@securityfocus.com
Subject: windows domain question

If you connect a machine to a Windows domain, so things like SIDs change,
machine IDs get synchronised, etc., and then disconnect it, what happens exactly?
Does the node that gets disconnected generate a new machine SID or does
information get left behind on the node?

Putting the question into a scenario might help :) If a laptop (NT4 or
Win2k) is connected to a domain, then is removed from the domain (as in, an
admin goes into network properties and tells the machine that it is part of
a bog standard workgroup again), is the laptop going to retain any
information that it belonged to a domain before, and possibly security
sensitive information about the domain?

--
Mike Coppins
mike@legolas.com
http://www.legolas.com/
Currently looking for work: http://www.legolas.com/mikes/cv.html
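Two things in this thread can be checked on a domain-joined host rather than argued from memory: how many domain logons the machine caches (Bejon's point that username, password and domain name stay on the laptop after it leaves the network) and whether the machine account's secure channel is still intact (Walt's point that moving the host to a workgroup destroys the shared secret, so the computer object must be removed and the machine rejoined). The script below is an added example written for this archive page, not code from any of the posters; it uses the real `CachedLogonsCount` value under the Winlogon key (the Group Policy setting "Interactive logon: Number of previous logons to cache", default 10, maximum 50) and the real `Test-ComputerSecureChannel` and `Reset-ComputerMachinePassword` cmdlets, and assumes an elevated Windows PowerShell prompt on the host being checked. The helper function names are this example's own.

```powershell
# Added example (not from the thread): audit cached domain logons and the
# machine-account secure channel on a Windows host. Run elevated.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    # CachedLogonsCount is a REG_SZ; when the value is absent Windows uses the
    # default of 10 cached domain logons.
    $item = Get-ItemProperty -Path $winlogon -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }
    return [int]$item.CachedLogonsCount
}

function Set-CachedLogonsCount {
    param([ValidateRange(0, 50)][int]$Count)
    # 0 disables caching entirely: domain users then cannot log on while the DC
    # is unreachable, so laptops that must work off-network need a small
    # non-zero value instead. Group Policy will overwrite this if it manages
    # the setting, so prefer setting it there in a managed domain.
    Set-ItemProperty -Path $winlogon -Name 'CachedLogonsCount' -Value ([string]$Count) -Type String
}

function Test-DomainMembership {
    # Win32_ComputerSystem reports whether the host is domain-joined and to which
    # domain; Test-ComputerSecureChannel verifies the machine-account trust.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $channelOk = $false
    if ($cs.PartOfDomain) {
        $channelOk = Test-ComputerSecureChannel
    }
    [pscustomobject]@{
        PartOfDomain       = $cs.PartOfDomain
        Domain             = $cs.Domain
        SecureChannelValid = $channelOk
    }
}

# Usage
$cached = Get-CachedLogonsCount
Write-Host "Cached domain logons allowed on this host: $cached"
if ($cached -gt 4) {
    Write-Warning 'Portable hosts carry cached domain verifiers; consider lowering CachedLogonsCount via policy.'
}

$membership = Test-DomainMembership
$membership | Format-List
if ($membership.PartOfDomain -and -not $membership.SecureChannelValid) {
    Write-Warning 'Secure channel is broken. Reset it with: Reset-ComputerMachinePassword -Credential (Get-Credential)'
    Write-Warning 'If the host was moved to a workgroup and back, delete the stale computer object first and rejoin.'
}
```

`Test-ComputerSecureChannel` returns `$false` exactly in the situation Walt describes: the computer object still exists in the domain, but the password it holds no longer matches the one the host has (or the host no longer has one at all), so a plain rejoin fails until the object is removed or the machine password is reset. Lowering `CachedLogonsCount` does not remove verifiers already stored on the laptop; it only limits how many future logons are cached.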
