w2k syskey and domain - client issues

  1. #1
    Junior Member
    Join Date
    Dec 2003
    Posts
    5

    w2k syskey and domain - client issues

    this may be a stupid one, but anyway, here it goes.

    i was tinkering with a win2k machine and, in an attempt to change the *local* administrator password, the program doing it disabled syskey. now the system allows me to login as an admin locally, but any *domain* logon is refused by the server with a typical 'incorrect password or user' error message. the thing i want to know is if disabling the syskey protection may affect the client - domain relation.
    /i was logging in at the domain with a blank-password user, so it can't be simply a password typing error/

    [edit] jesus, i already told i'm new here. i can't make out who wants to ban me for this post. :\[/edit]

  2. #2
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    why not just turn syskey back on?

    start, run, type syskey.exe and turn encryption back on.

    you may want to delete that computer from the domain then re-add it.

    if syskey is required to log into the domain, then yes... it could cause you not to get authenticated.

    I thought that syskey is only used for the local machine though? Not for logging into the domain? What type of domain are you using? NT4 or 2k with active directory?

    that's a little strange though... because I thought once syskey is enabled, it can't be disabled?

    what did you use? The ntoffline password recovery?

    and, what are you talking about someone trying to ban you? if someone assigned you points, it must not have counted (showed up as grey) because the status of this thread is even....
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  3. #3
    Junior Member
    Join Date
    Dec 2003
    Posts
    5
    >> you may want to delete that computer from the domain then re-add it.

    impossible. i'm not a domain administrator.

    >> What type of domain are you using? NT4 or 2k with active directory?
    domain is on w2k, too.

    >>that's a little strange though... because I thought once syskey is enabled, it can't be disabled?
    >>
    >>what did you use? The ntoffline password recovery?
    yup. the event, chronologically to be specific:
    1. remote logon was working
    2. used password recovery (see below)
    3. remote logon wasn't working

    quote:
    blah blah blah,
    ***************** SYSKEY ENABLED! **************

    SYSKEY is on! However, DO NOT DISABLE IT UNLESS YOU HAVE TO!
    This program can change passwords even if syskey is on, however
    if you have lost the key-floppy or passphrase you can turn it off,
    but please read the docs first!!!
    blah,
    *** NOTE: On WINDOWS 2000 it will not be possible
    *** to turn it on again! (and other problems may also show..)
    blah
    NOTE: Disabling syskey will invalidate ALL
    passwords, requiring them to be reset. You should at least reset the
    administrator password using this program, then the rest ought to be
    done from NT.

    Do you really wish to disable SYSKEY? (y/n) [n]
    blah blah.

    and so i thought it might be the Syskey's fault. any other possibilities?


    oh, btw.
    >> and, what are you talking about someone trying to ban you? if someone assigned you points,
    >> it must not have counted (showed up as grey) because the status of this thread is even....

    this post was on m$ board at the very beginning of this *sleepless* night, but i've got a warning to delete the original. :\ doesn't matter right now, anyway.

  4. #4
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Ok, if you are not the admin, then you have no right to even be messing about with the password recovery programs.

    Watch out for the network nazis!!!!

  5. #5
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Well, the computer's domain account credentials are stored in the lsass which is encrypted with the syskey, so by disabling syskey (in fact dropping all syskey encrypted info and starting from scratch), you lost your computer's domain account's password.

    Re-joining the domain (ie: delete the old computer account from AD then re-join) should fix it.

    (I don't know this *for fact* but I believe it's the explanation... Someone correct me if I'm wrong or it doesn't work!)


    Ammo
    Credit travels up, blame travels down -- The Boss

  6. #6
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    ammo: that's what I suggested too. though, you gave a better reason for why.

    however... he is stuck anyway. he isn't an admin and can't rejoin it.

    btw: thanks for clearing that up. I thought that syskey was only for the local machine... didn't know that the domain credentials were also stored there. figures as much.

  7. #7
    Junior Member
    Join Date
    Dec 2003
    Posts
    5
    phishphreek80: being an owner of a terminal doesn't mean you've got to be a lan administrator. i don't see where's the 'big old hacker' part...

    ammo:
    *** Re-joining the domain (ie: delete the old computer account from AD then re-join) should fix it.

    i guess you're right. as far as i can't dabble with the network itself, the op won't be happy with it, but telling him what to do to make everything work should ease his pains. :P

    anyway, we'll see what happens next. sun is rising in poland, so it's time to go to work. :P

  8. #8
    Yes, that's my CC number! 576869746568617's Avatar
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    Another thing to try is to disjoin the computer from the domain, rename the computer, then rejoin the computer to the domain under the new computer name. Sometimes the SIDs and the Computer ID both become corrupt, and by doing the above you force the PC to cache a new copy of the SIDs from the domain SAM database. This won't fix any local account SIDs. For that, you'll need an ERD.

  9. #9
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Originally posted here by LifeSound
    phishphreek80: being an owner of a terminal doesn't mean you've got to be a lan administrator. i don't see where's the 'big old hacker' part...
    I suppose you're right. Everyone has different policies.... if you were using those types of tools and playing with the machines like that where I work... you'd find yourself quickly without a job/network access. But... everywhere is different.

  10. #10
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Originally posted here by phishphreek80
    I thought that syskey was only for the local machine... didn't know that the domain credentials were also stored there.
    Just to clarify my use of "credentials", it's the computer's "username" and password that are stored in the lsass so that it gives these to the (K)DC in order to login to the domain.

    With NT/AD domains, both computers and users have to authenticate to the domain before being able to work.

    So when the computer connects, it sends in its computername and password to the domain, then the user logs on by sending its username and password...

    The lsass (part of the registry) holds the info (user/pass) for all "system" accounts (including the IIS_USER and other services users managed by the system), as well as cached user logins.


    Ammo
    Credit travels up, blame travels down -- The Boss
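
An added example, not part of the original thread: the diagnosis in posts #5 and #10 (the workstation's own domain account no longer authenticates, so every domain logon from it fails) can be checked by correlating NETLOGON event 3210 on the workstation with event 5722 on the domain controller. The CSV layout, host names and sample lines below are constructed for illustration.

```python
import re

# Constructed sample: System event log entries exported as
# time,host,source,event_id,message (this layout is an assumption).
SAMPLE = """\
2003-12-10T02:11:04,WKSTN01,NETLOGON,3210,Failed to authenticate with \\\\DC01 a Windows NT domain controller for domain CORP.
2003-12-10T02:11:04,DC01,NETLOGON,5722,The session setup from the computer WKSTN01 failed to authenticate. The name of the account referenced in the security database is WKSTN01$.
2003-12-10T02:15:40,WKSTN02,NETLOGON,3210,Failed to authenticate with \\\\DC01 a Windows NT domain controller for domain CORP.
2003-12-10T02:20:00,DC01,Service Control Manager,7036,The Print Spooler service entered the running state.
"""

CLIENT_EVENT = 3210  # logged on the member: it could not authenticate to the DC
DC_EVENT = 5722      # logged on the DC: session setup from a computer failed
COMPUTER_RE = re.compile(r"from the computer (\S+) failed to authenticate")


def triage(text):
    """Return {computer: verdict} for machines showing secure-channel failures."""
    seen = {}
    for line in text.splitlines():
        parts = line.split(",", 4)
        if len(parts) != 5 or parts[2] != "NETLOGON" or not parts[3].isdigit():
            continue  # malformed line or unrelated event source
        _, host, _, event_id, message = parts
        event_id = int(event_id)
        if event_id == CLIENT_EVENT:
            # The reporting host is the workstation itself.
            seen.setdefault(host.upper(), set()).add("client")
        elif event_id == DC_EVENT:
            # The reporting host is the DC; the workstation is named in the text.
            match = COMPUTER_RE.search(message)
            if match:
                seen.setdefault(match.group(1).upper(), set()).add("dc")
    verdicts = {}
    for computer, sides in seen.items():
        if sides == {"client", "dc"}:
            verdicts[computer] = "confirmed: machine account password mismatch"
        else:
            verdicts[computer] = "unconfirmed: only one side logged a failure"
    return verdicts


if __name__ == "__main__":
    for computer, verdict in sorted(triage(SAMPLE).items()):
        print(computer, "->", verdict)
```

A confirmed result points at the computer account rather than at any user's password, which matches the symptom in post #1 where even a blank-password domain user was refused.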
