Active Directory :: Deleted Domain Admin Account Still Usable on Client Systems

Monika 0 Reputation points
2025-06-07T14:07:52.5066667+00:00

I have a local Active Directory environment on Windows Server 2022 with approximately 100 domain-joined client systems. For support and administrative tasks on client machines, I had created a dedicated user account with administrative privileges in the domain.

As part of our security hygiene, the credentials (either the username or password) of this account are rotated weekly. However, I’ve recently observed a critical issue: even after the support account was deleted from Active Directory, it can still be used on client machines to perform elevated operations.

This raises a significant security concern, as it indicates that deleted or disabled accounts may still retain local elevation capabilities on client systems. Despite the account no longer existing in AD, it appears to function locally on the clients.

I am unable to identify the root cause or resolve this issue. I would appreciate guidance or support in remediating this issue.

Windows Server 2022

    Marcin Policht 48,760 Reputation points MVP Volunteer Moderator
    2025-06-07T17:03:49.52+00:00

    The behavior you're observing happens because:

    1. Kerberos tickets are cached locally (in memory) on the client and are valid until they expire, regardless of whether the account still exists in AD.
    2. If the ticket is still valid, it can be used for authentication and SSO-based elevation (e.g., for runas, scheduled tasks, services, etc.).
    3. In certain configurations, cached credentials (for offline login) may also allow a deleted user to appear functional temporarily, but Kerberos is the main culprit for continued privilege.

    Check these domain-wide Kerberos policy settings (via GPO or Default Domain Policy):

    • Maximum lifetime for user ticket (TGT): Default: 10 hours
    • Maximum lifetime for service ticket: Default: 600 minutes (10 hours)
    • Maximum tolerance for computer clock synchronization: Default: 5 minutes

    So even after deleting the user from AD:

    • If the Ticket-Granting Ticket (TGT) is still valid, it can be reused until expiration.
    • The client doesn't revalidate the account's AD status unless a new TGT is requested (e.g., after logoff/logon or ticket purge).

    To confirm, run the following on the computer where you're seeing this issue:

    klist

    You'll likely see:

    • A valid TGT (krbtgt/DOMAIN)
    • A ticket for the local admin task (e.g., cifs/machine, host/machine)

    To remediate, you would need to purge Kerberos tickets immediately by running (on the target computer)

    klist purge

    This clears the Kerberos ticket cache from memory, forcing a reauthentication — which will now fail if the account is deleted.

    You could also consider setting shorter ticket lifetimes (note that this will not prevent the behavior you're seeing, but it will lower its potential impact).

    In GPO:

    Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Kerberos Policy

    Recommendations for tighter security:

    • Maximum lifetime for user ticket (TGT): 4 hours or less
    • Maximum lifetime for service ticket: 2 hours
    • Enforce user logoff after logon hours expire: Enabled

    Lower values reduce exposure if a privileged account is deleted or compromised.


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin
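The script below is an added example for this thread; it is not code from the question or from the answer above. It wraps the klist steps the answer describes into a defender's check: it lists every logon session on the client together with the remaining lifetime of that session's TGT (the window during which a deleted account's cached ticket is still usable), purges the ticket cache of each session owned by a given account, and reads the effective Kerberos policy values (the TGT, service ticket and clock skew settings the answer points to) from a secedit export. It assumes an elevated PowerShell on the domain-joined client, the klist.exe and secedit.exe that ship with Windows, English-locale output for the text parsing (other locales may need the regular expressions adjusted), and a constructed placeholder account name, CORP\svc-support. The klist line shapes and the secedit key names the parser expects are assumptions noted in the comments.

```powershell
# Added example (not from the original thread). Assumes elevated PowerShell on a
# domain-joined client, klist.exe/secedit.exe from Windows, English-locale output.
# 'CORP\svc-support' below is a constructed placeholder account name.

function Get-KlistSessions {
    # One object per logon session, parsed from 'klist sessions'.
    # Assumed line shape: "[2] Session 1 0:0x1c4d5 CORP\svc-support Negotiate:Interactive"
    foreach ($line in (klist sessions 2>&1 | Out-String -Stream)) {
        if ($line -match '^\[\d+\]\s+Session\s+\d+\s+0:(?<luid>0x[0-9A-Fa-f]+)\s+(?<user>.+?)\s+(?<pkg>\S+:\S+)\s*$') {
            [pscustomobject]@{ LogonId = $Matches.luid; User = $Matches.user; Package = $Matches.pkg }
        }
    }
}

function Get-KlistTickets {
    # Cached tickets of one logon session (or the current one), parsed from 'klist tickets'.
    param([string]$LogonId)
    $klistArgs = @()
    if ($LogonId) { $klistArgs += @('-li', $LogonId) }
    $raw = (& klist @klistArgs tickets 2>&1) | Out-String
    # Every ticket entry begins with "#N>"; the first split element is the header, skip it.
    foreach ($block in (($raw -split '(?m)^#\d+>') | Select-Object -Skip 1)) {
        $client = if ($block -match 'Client:\s*(.+)') { $Matches[1].Trim() } else { '' }
        $server = if ($block -match 'Server:\s*(.+)') { $Matches[1].Trim() } else { '' }
        $endRaw = if ($block -match 'End Time:\s*(.+?)\s*\(local\)') { $Matches[1].Trim() } else { '' }
        $endTime = $null
        try { $endTime = [datetime]::Parse($endRaw) } catch { }
        [pscustomobject]@{
            LogonId   = $LogonId
            Client    = $client
            Server    = $server
            EndTime   = $endTime
            Remaining = if ($endTime) { $endTime - (Get-Date) } else { $null }
        }
    }
}

function Get-TgtExpiryReport {
    # Per logon session: the owning account and how long its TGT (krbtgt/REALM) stays usable.
    foreach ($s in Get-KlistSessions) {
        $tgt = Get-KlistTickets -LogonId $s.LogonId | Where-Object Server -like 'krbtgt/*' | Select-Object -First 1
        [pscustomobject]@{
            LogonId   = $s.LogonId
            User      = $s.User
            TgtEnd    = if ($tgt) { $tgt.EndTime } else { $null }
            Remaining = if ($tgt) { $tgt.Remaining } else { $null }
        }
    }
}

function Clear-KerberosTicketsForAccount {
    # Purge the ticket cache of every logon session owned by $Account, forcing reauthentication
    # there (which fails once the account no longer exists in AD). Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Account)
    $purged = @()
    foreach ($s in Get-KlistSessions | Where-Object { $_.User -eq $Account }) {
        if ($PSCmdlet.ShouldProcess("logon session $($s.LogonId) ($($s.User))", 'klist purge')) {
            & klist -li $s.LogonId purge 2>&1 | Out-Null
            $purged += $s.LogonId
        }
    }
    return $purged
}

function Get-KerberosPolicy {
    # Effective Kerberos policy from a secedit export. Run on a domain controller; on a member
    # the [Kerberos Policy] section is normally absent. Key names (MaxTicketAge in hours,
    # MaxServiceAge and MaxClockSkew in minutes, MaxRenewAge in days) are an assumption about
    # secedit's export format.
    $cfg = Join-Path $env:TEMP 'kerbpol.inf'
    secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    $inSection = $false
    $policy = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Kerberos Policy'); continue }
        if ($inSection -and $line -match '^(\w+)\s*=\s*(.+)$') { $policy[$Matches[1]] = $Matches[2].Trim() }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    [pscustomobject]$policy
}

# Usage: report first, then purge the deleted account's sessions (drop -WhatIf to really purge).
Get-TgtExpiryReport | Format-Table -AutoSize
Clear-KerberosTicketsForAccount -Account 'CORP\svc-support' -WhatIf
```

Run the report on an affected client before purging: a row whose User is the deleted account with a Remaining value still in the hours is exactly the cached TGT the answer describes. The purge function only touches sessions that match the account, so other users on a shared machine keep their tickets; `-WhatIf` shows which logon IDs would be purged without doing it.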

