Logon with disabled admin account possible!
From: Franz Schenk (franz.schenkNOSPAM_at_fititNO-_SPAM.ch)
Date: 07/26/04
- Next message: Roger Abell: "Re: Logon with disabled admin account possible!"
- Previous message: Bob Qin [MSFT]: "Re: Problem publishing crl on EntCA"
- Next in thread: Roger Abell: "Re: Logon with disabled admin account possible!"
- Reply: Roger Abell: "Re: Logon with disabled admin account possible!"
Date: Mon, 26 Jul 2004 15:02:13 +0200
We have a network with Windows Server 2003 Active Directory with two DCs:
One is Windows 2000 Server SP4, the other is Windows 2003 Server. Each
system has all Windows security updates applied.
The customer has discovered that he is able to log on locally or over a
terminal session with the disabled admin account, and we are able to
reproduce this behaviour every time!!!
- This works only on the Windows 2000 DC; logon to the Windows 2003 DC is
not possible, as it should be.
- There are no errors on either DC in the DNS and Directory Service event
logs. replmon.exe shows successful replication on all AD partitions.
- On the Windows 2000 DC, in the application event log, there are 4 1015
Perflib error messages and one Userenv 1000 message "Windows cannot
determine the user or computer name. Return value (1317)." after logging on
to the Windows 2000 DC. Logging on with the disabled AD administrator
account takes a long time, but it works!
Never thought that there are such security holes still open.
Thanks in advance for any advice
Franz