
Cached domain user

Simas Marcinkevičius 0 Reputation points
2024-01-03T09:39:50.7233333+00:00

Hello,

We are currently facing an issue: we had a domain user with admin privileges, let's say "username123." This user account was disabled a few months ago. On all computers, the path C:/Users/username123 was changed to C:/Users/username123_old, and the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList was also modified.

A few days ago, we attempted to log in to one of the computers using the disabled user account (username123), and the login was successful. I suspect that the username and password were cached in the system: HKEY_LOCAL_MACHINE\Security\Cache.

Since the user was disabled, this computer has been connected to our office LAN multiple times (maintaining a connection to the domain controller). The question is, how can I ensure that this user cannot be used on any of our computers, and how was it possible for the login to succeed despite the user being disabled?

OG question: https://answers.microsoft.com/en-us/windows/forum/windows_10-security/cached-domain-user/6018723a-c5d7-4239-a97f-f2c9cf0b7a25

Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Windows for business | Windows Client for IT Pros | User experience | Other

2 answers

  1. Anonymous
    2024-01-05T03:20:48.21+00:00

    Hello Simas Marcinkevičius,

    Thank you for posting in Q&A forum.

    In my test lab, I can log on to the machine.

    And after I disable one AD user account, I cannot log on immediately and receive the error message below.

    It seems your machine is not connected to the domain.

    Or maybe AD replication between all Domain Controllers is not working properly. I mean maybe the user account you are using is not disabled in all DCs.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou


  2. Thameur-BOURBITA 36,506 Reputation points Moderator
    2024-01-03T11:12:37.6466667+00:00

    Hi @Simas Marcinkevičius

    The cache is used when the computer is disconnected during the user login.

    If the user is disabled and the computer is disconnected during the user login, he will be able to log in.

    Are you sure that the computer is connected to a domain controller before you try to log in with the user 123 account?


    Please don't forget to accept helpful answer
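An added example, not part of either answer or of Microsoft's guidance: a PowerShell check for the condition the second answer describes, reporting the cached-logon limit, whether the workstation can currently reach a domain controller, and whether past logons of the account were served from the cache (event 4624, logon type 11, CachedInteractive). It assumes an elevated Windows PowerShell 5.1 session on the affected workstation and that success auditing for logon events is enabled; `username123` is the placeholder name from the question.

```powershell
# Added example. Run elevated on the affected workstation.
# Assumption: "Audit Logon" success auditing is on, so event 4624 is recorded.
$user = 'username123'   # placeholder account name taken from the question

# 1. How many domain logons may this machine cache?
#    CachedLogonsCount is a REG_SZ; Windows uses 10 when it is absent, 0 disables caching.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$raw = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
$cachedLogonsCount = if ($null -eq $raw) { 10 } else { [int]$raw }

# 2. Can the machine authenticate to a domain controller right now?
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$channelOk = $false
if ($cs.PartOfDomain) {
    try   { $channelOk = [bool](Test-ComputerSecureChannel -ErrorAction Stop) }
    catch { $channelOk = $false }
}

# 3. Logon type 11 means the logon was validated against the local cache, not a DC.
$xpath  = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='11']]"
$events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue
$cachedLogons = foreach ($evt in $events) {
    $fields = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    if ($fields['TargetUserName'] -eq $user) {      # -eq is case-insensitive for strings
        [pscustomobject]@{
            Time   = $evt.TimeCreated
            User   = $fields['TargetUserName']
            Domain = $fields['TargetDomainName']
        }
    }
}

[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    Domain              = $cs.Domain
    SecureChannelOk     = $channelOk
    CachedLogonsCount   = $cachedLogonsCount
    CachedLogonsForUser = @($cachedLogons).Count
}
$cachedLogons | Sort-Object Time -Descending | Format-Table -AutoSize
```

The registry value is controlled by the Group Policy setting "Interactive logon: Number of previous logons to cache (in case domain controller is not available)"; setting it to 0 stops the workstation from accepting cached domain logons, which also prevents legitimate users from logging on while no domain controller is reachable.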

