RE: windows domain question

From: Dubber, Drew B (drew.dubber@eds.com)
Date: 04/19/02


From: "Dubber, Drew B" <drew.dubber@eds.com>
To: "'Mike Coppins'" <mike@legolas.com>, "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com>
Date: Fri, 19 Apr 2002 17:14:42 +0100

Mike

You could check it out reasonably easily. Schedule an AT job on the
workstation to gain a Command Prompt in the SYSTEM context and then run
REGEDIT from that prompt to open the local registry under the SYSTEM
context. Search for the relevant domain SID or name. Check out the SAM key
especially. But I would be surprised if NT *didn't* hold some information,
especially in its backup registry files and last known good config
sub-sections. This is before we even start looking at the file system :)

Regards
Drew
Drew.Dubber@eds.comx (remove x - dull I know)

-----Original Message-----
From: Mike Coppins [mailto:mike@legolas.com]
Sent: 18 April 2002 17:46
To: focus-ms@securityfocus.com
Subject: windows domain question

If you connect a machine to a Windows domain, so things like SIDs change,
machine IDs are synchronised, etc., and then disconnect it, what happens exactly?
Does the node that gets disconnected generate a new machine SID or does
information get left behind on the node?

Putting the question into a scenario might help :) If a laptop (NT4 or
Win2k) is connected to a domain, then is removed from the domain (as in, an
admin goes into network properties and tells the machine that it is part of
a bog standard workgroup again), is the laptop going to retain any
information that it belonged to a domain before, and possibly security
sensitive information about the domain?

-- 
Mike Coppins
mike@legolas.com
http://www.legolas.com/
Currently looking for work: http://www.legolas.com/mikes/cv.html
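
The registry search Drew describes, as an added example that is not part of the original thread: Python that scans a text export (.reg) of the registry for a former domain's name and SID, including SIDs stored in binary form and names stored as UTF-16, both of which a plain text search for the name or for `S-1-5-21-...` misses. The domain `ACME`, its SID, the `ExampleVendor` key and the sample export are constructed for illustration.

```python
import re
import struct

def sid_body(sid):
    """Binary SID without its 2-byte header, so SIDs with an extra RID match too."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 4:
        raise ValueError("not a SID: %r" % sid)
    authority = int(parts[2]).to_bytes(6, "big")        # 48-bit, big-endian
    return authority + b"".join(struct.pack("<I", int(p)) for p in parts[3:])

def find_residue(reg_text, domain, domain_sid):
    """Return sorted (key, value name, reason) hits found in a .reg export."""
    name, sid_txt, sid_bin = domain.lower(), domain_sid.lower(), sid_body(domain_sid)
    hits, key = set(), None
    # regedit wraps long hex data with a trailing backslash; re-join it first.
    joined = re.sub(r"\\\r?\n[ \t]*", "", reg_text)
    for line in map(str.strip, joined.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if sid_txt in key.lower():
                hits.add((key, "", "SID in key path"))
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if not m or key is None:
            continue
        vname, data = m.group(1).strip('"'), m.group(2)
        h = re.match(r"hex(?:\([0-9a-f]+\))?:(.*)$", data)
        if h:   # REG_BINARY, REG_MULTI_SZ etc. are exported as comma-separated bytes
            raw = bytes(int(b, 16) for b in h.group(1).split(",") if b.strip())
            if sid_bin in raw:
                hits.add((key, vname, "SID in binary data"))
            if any(name.encode(e) in raw.lower() for e in ("ascii", "utf-16-le")):
                hits.add((key, vname, "name in binary data"))
        else:
            for what, needle in (("name", name), ("SID", sid_txt)):
                if needle in data.lower():
                    hits.add((key, vname, what + " in string"))
    return sorted(hits)

# Constructed sample export (not from a real machine); ACME and its SID are made up.
SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1000-2000-3000-1105]
"Sid"=hex:01,05,00,00,00,00,00,05,15,00,00,00,e8,03,00,00,d0,07,00,00,b8,0b,\
  00,00,51,04,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Agent]
"LogonDomain"="ACME"
"Servers"=hex(7):41,00,43,00,4d,00,45,00,00,00,00,00
'''
```

Windows 2000 regedit writes its exports as UTF-16, so decode the file with that encoding before passing its text to `find_residue`.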