If I disable a computer account in AD, am I not supposed to be able to log in to the domain using this computer?
I tested this: I have a computer joined to the domain (Windows 10). I disabled the computer account, rebooted the client machine, and then attempted to log in to the computer with a domain user account. It worked.
My thinking is, I shouldn't be allowed to log in using the disabled computer even if I am logging in with valid user credentials, because the computer account is disabled.
I can understand if the computer was not on the network: it wouldn't be able to contact AD for updated information, and as such I would still be able to log in as a domain user because of cached credentials, etc.
I tried rebooting the computer, resetting the computer account, disabling/enabling it, etc. Somehow I am still able to log in to the domain using this computer!
What I want is that if the computer account is disabled, NO ONE can log in to the domain using that computer.
The idea is, I want to clean up our Active Directory computers by disabling those that have a LastLogon date older than 90 days, with some assurance that if I do this and those disabled computers are plugged back into the network, they cannot log in even if you are trying to log in with valid domain user credentials, because the actual computer account is disabled.
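The clean-up described in the post (disable computer accounts whose last logon is older than 90 days), as an added example that is not part of the original post. It assumes the ActiveDirectory RSAT module is installed, the caller can modify computer objects, and the `OU=Workstations,DC=example,DC=com` search base is a placeholder to replace. It writes a CSV of the affected accounts first so the change can be reversed, does nothing unless `-Disable` is given, and reads the `Enabled` flag back afterwards instead of trusting the disable call.

```powershell
<#
  Added example, not from the original post.
  Finds enabled computer accounts with no logon in the last $StaleDays days,
  records them to CSV, then (only with -Disable) disables them and verifies.
  Assumptions: ActiveDirectory module present, rights to modify computer
  objects, and a placeholder SearchBase that must be changed for your domain.
#>
param(
    [int]$StaleDays = 90,
    [string]$SearchBase = "OU=Workstations,DC=example,DC=com",   # placeholder
    [string]$ReportPath = ".\stale-computers-$(Get-Date -Format yyyyMMdd).csv",
    [switch]$Disable                                             # dry run unless set
)

Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$StaleDays)

# LastLogonDate is derived from lastLogonTimestamp, which replicates between
# DCs but is only refreshed about every 14 days, so it errs on the old side.
# Accounts created after the cutoff have no logon history yet and are skipped.
$stale = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
            -Properties LastLogonDate, whenCreated, OperatingSystem |
         Where-Object {
             $_.whenCreated -lt $cutoff -and
             ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff)
         } |
         Sort-Object LastLogonDate

if (-not $stale) {
    Write-Host "No computer accounts older than $StaleDays days under $SearchBase."
    return
}

# Record what is about to change so the action can be reversed later.
$stale |
    Select-Object Name, DNSHostName, OperatingSystem, LastLogonDate, whenCreated, DistinguishedName |
    Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} stale computer account(s) written to {1}" -f @($stale).Count, $ReportPath)

if (-not $Disable) {
    Write-Host "Dry run only: re-run with -Disable to disable these accounts."
    return
}

foreach ($c in $stale) {
    # Stamp the object so anyone reviewing AD later knows why it was disabled.
    $note = "Disabled $(Get-Date -Format yyyy-MM-dd): no logon since $($c.LastLogonDate)"
    Set-ADComputer -Identity $c.DistinguishedName -Description $note
    Disable-ADAccount -Identity $c.DistinguishedName
}

# Verify by reading the Enabled flag back from the directory.
$stillEnabled = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
                Where-Object { $stale.DistinguishedName -contains $_.DistinguishedName }
if ($stillEnabled) {
    Write-Warning ("Still enabled: " + ($stillEnabled.Name -join ', '))
} else {
    Write-Host "All listed accounts are now disabled."
}
```

Run it once without `-Disable` and review the CSV before running it again with the switch. Two caveats worth checking on the client side afterwards: `Test-ComputerSecureChannel` on a machine whose account has been disabled returns `False` once a domain controller is reachable, which confirms the machine itself can no longer authenticate to the domain; and a user who has previously signed in to that machine may still get a local sign-in from cached credentials, which is governed by the "Interactive logon: Number of previous logons to cache" policy rather than by the computer account's state.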