Is the "net user <username> /domain" reliable

[fretagi]

Hi

Lately I have noticed that either my desktop and laptop are being accessed while I am away or even when I am logged in into the domain of my organization! On both of them I have user profiles of some users, and when running the following:

net user <username> /domain | findstr /C:"Last logon"

I see that some of my colleagues have been logged in. last night before I left home, I have unplugged the network cable of my desktop, but today when I run the command I see that one guy has looged in last night when apparently there was no connectivity, because I have unplugged the network cable.
Please can you help me, is this command reliable or somebody is really logging in on my pc!

 

[Alejandro85]

Why would not the command be reliable?

Unplugging the network will not stop anyone from logging in into the local computer, even with a domain account (as the credentials are cached). When in doubt, don't play games with a potential attacker, just change your password and leave him out of your computer.

 

[fretagi]

Hi

Thanks for the reply, the guys who are login into my desktop, they are from IT department, and they have their profiles on my desktop. I even delete the profiles, but they still managed to get in. Would a password change prevent them from login in future? I have disable the "switch user" option, and they still managed to get in as well. Please help me prevent these guys to mess around on my pc.

 

[Alejandro85]

Now that's a different occurrence. I'm assuming you have a domain there. Within domains one important characteristic is that user accounts work in every account attached to it, no matter what (that's called "roaming"), so both your account and theirs will serve to login in any domain-joined computer, there is no way around this.
Moreover, for users that are domain administrators, they also get local administrative power in every domain computer they want, all that being by design.

You cannot simply "delete their profiles" from your computer, as the user accounts live in the domain controller actually (and the c:\users\<name> folder contains just settings and is regenerated if you delete it). Neither would do a password change as I mentioned earlier, you can change your password, but they're not using it, they're using theirs, which is outside of your control.

The big question is why do they do this? Being IT staff, I could guess there is a business reason for it? Or just for making fun on anyone? To me this seems one situation that's handled more by talking rather than by blocking.
Another question would be what damage can they actually do. As they use different account, your settings and most configuration would be unaffected, and if you keep your data under your profile it would be difficult to get at it at all. Unless they're domain admins, in which case they own you. What exactly bothers you in all this? What do you want to protect against?

Technically, there is little to do about this. Login everywhere is an inherent feature of domains and the way it's meant to work. If you really want to prevent it, you could take the computer out of the domain, so domain accounts no longer work (not even yours), or a more drastic approach can be to use full disk encryption, so that without a password, Windows won't even boot. Both require local admin access. And most likely, corporate authorization to tamper with their computers.

 

[fretagi]

Hi
Thanks for the reply. I dont know why they are doing this, perhaps they are trying to make a point, because they are windows guys, I am a unix guy, or perhaps there is politics involved as well, I dont know. The fact is that I am not comfortable with this, and I want this to stop. I dont know how!!

 

[Alejandro85]

There is no way to prevent this, as long as you don't own the computer and have full control over its accounts. Being part of a domain means that anyone within the domain can login in every computer in the domain, plain and simple. This includes your computer and those "IT" guys.

If you can take control of the computer, just remove from the domain and the attack is over. But I guess it's your work computer, and as such you don't have that power. As I said earlier, full-disk encryption is one possible way to add another password outside of the domain thing (which is also nice to protect against offline attacks).

The nature of this is pretty much the same on Windows than on any Unix variant: if you have a user account, know its password and is enabled, you can login, period. The twist is that, in Windows computers attached to a domain, every domain user also works in every domain computer.

 

[fretagi]

Hi
Thanks for the reply, you are right, its my office computer, I cannot remove from the domain. I will now investigate how to proceed with full-disk encryption.
thanks for the inputs

 

[cgc018]

Since this is your work computer, I would highly recommend against trying to encrypt the disk yourself and also with trying to keep your IT people from reaching your computer.

Have you tried talking to your IT group to see why they are logging into your computer? Do you believe that IT is trying to do something malicious to your computer while you are not there? If you do believe that they are messing up your computer then you should try talking to your management about it.

 

[fretagi]

Hi

yes, I have already taken this matter to management, they are now taking over.

 

[Layback Bear]

Just a thought.

Is it possible that the I.T. Department is entering your computer to do maintenance or updating things.

 

[fretagi]

Hi

Why is it I cannot see the same information given by "net user <username> /domain | findstr /C:"Last logon" on event viewer?