Is the "net user <username> /domain" reliable

fretagi

Hi

Lately I have noticed that my desktop and laptop are being accessed either while I am away or even when I am logged into the domain of my organization! On both of them I have user profiles of some users, and when running the following:

net user <username> /domain | findstr /C:"Last logon"

I see that some of my colleagues have been logged in. Last night before I left home, I unplugged the network cable of my desktop, but today when I run the command I see that one guy logged in last night when apparently there was no connectivity, because I had unplugged the network cable.
Please can you help me: is this command reliable, or is somebody really logging in on my PC?
 

Why would the command not be reliable?

Unplugging the network will not stop anyone from logging into the local computer, even with a domain account (as the credentials are cached). When in doubt, don't play games with a potential attacker, just change your password and leave him out of your computer.
 

Hi

Thanks for the reply. The guys who are logging into my desktop are from the IT department, and they have their profiles on my desktop. I even deleted the profiles, but they still managed to get in. Would a password change prevent them from logging in in future? I have disabled the "switch user" option, and they still managed to get in as well. Please help me prevent these guys from messing around on my PC.
 

Now that's a different occurrence. I'm assuming you have a domain there. Within domains one important characteristic is that user accounts work in every account attached to it, no matter what (that's called "roaming"), so both your account and theirs will serve to log in on any domain-joined computer; there is no way around this.
Moreover, users that are domain administrators also get local administrative power on every domain computer they want, all that being by design.

You cannot simply "delete their profiles" from your computer, as the user accounts actually live in the domain controller (and the c:\users\<name> folder contains just settings and is regenerated if you delete it). Neither would a password change do, as I mentioned earlier: you can change your password, but they're not using it, they're using theirs, which is outside of your control.

The big question is why do they do this? Being IT staff, I could guess there is a business reason for it? Or just for making fun of anyone? To me this seems one situation that's handled more by talking rather than by blocking.
Another question would be what damage they can actually do. As they use a different account, your settings and most configuration would be unaffected, and if you keep your data under your profile it would be difficult to get at it at all. Unless they're domain admins, in which case they own you. What exactly bothers you in all this? What do you want to protect against?

Technically, there is little to do about this. Logging in everywhere is an inherent feature of domains and the way it's meant to work. If you really want to prevent it, you could take the computer out of the domain, so domain accounts no longer work (not even yours), or a more drastic approach can be to use full disk encryption, so that without a password, Windows won't even boot. Both require local admin access. And most likely, corporate authorization to tamper with their computers.
 

Hi
Thanks for the reply. I don't know why they are doing this. Perhaps they are trying to make a point, because they are Windows guys and I am a Unix guy, or perhaps there is politics involved as well, I don't know. The fact is that I am not comfortable with this, and I want this to stop. I don't know how!!
 

There is no way to prevent this, as long as you don't own the computer and have full control over its accounts. Being part of a domain means that anyone within the domain can log in on every computer in the domain, plain and simple. This includes your computer and those "IT" guys.

If you can take control of the computer, just remove it from the domain and the attack is over. But I guess it's your work computer, and as such you don't have that power. As I said earlier, full-disk encryption is one possible way to add another password outside of the domain thing (which is also nice to protect against offline attacks).

The nature of this is pretty much the same on Windows as on any Unix variant: if you have a user account, know its password and it is enabled, you can log in, period. The twist is that, in Windows computers attached to a domain, every domain user also works on every domain computer.
 

Hi
Thanks for the reply. You are right, it's my office computer, I cannot remove it from the domain. I will now investigate how to proceed with full-disk encryption.
Thanks for the inputs.
 

Since this is your work computer, I would highly recommend against trying to encrypt the disk yourself and also against trying to keep your IT people from reaching your computer.

Have you tried talking to your IT group to see why they are logging into your computer? Do you believe that IT is trying to do something malicious to your computer while you are not there? If you do believe that they are messing up your computer then you should try talking to your management about it.
 

Hi

Yes, I have already taken this matter to management, they are now taking over.
 

Just a thought.

Is it possible that the I.T. Department is entering your computer to do maintenance or update things?
 

Hi

Why is it I cannot see the same information given by "net user <username> /domain | findstr /C:"Last logon"" in Event Viewer?
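
Added example, not part of the original thread: `net user <username> /domain` reports the account's last logon as recorded by a domain controller, wherever in the domain it took place, while logons to one particular PC are written to that PC's own Security log as event 4624. The function name `Get-LocalLogon` and the 7-day window are assumptions; the script assumes logon auditing is enabled and is run from an elevated PowerShell prompt.

```powershell
# Added example: list who opened a session on THIS computer, from its local Security log.
# Reading the Security log requires an elevated (administrator) prompt.

# Logon types (field LogonType of event 4624) that mean a session on this machine.
$logonTypes = @{
    '2'  = 'Interactive (console)'
    '7'  = 'Unlock'
    '10' = 'RemoteInteractive (Remote Desktop)'
    '11' = 'CachedInteractive (cached domain credentials, no DC contacted)'
}

function Get-LocalLogon {
    param(
        [int]$Days = 7   # assumption: how far back to look
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4624                        # "An account was successfully logged on"
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter | ForEach-Object {
        # Event 4624 stores its fields as named <Data> elements in the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Keep only session-type logons; type 3 (network) and service logons are skipped.
        if ($logonTypes.ContainsKey($data['LogonType'])) {
            New-Object PSObject -Property @{
                Time      = $_.TimeCreated
                User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                LogonType = $logonTypes[$data['LogonType']]
                Source    = $data['IpAddress']
            }
        }
    }
}

Get-LocalLogon -Days 7 |
    Sort-Object Time |
    Format-Table Time, User, LogonType, Source -AutoSize
```

A logon made while the network cable is unplugged shows up here as type 11, and it does not update the "Last logon" value that `net user /domain` reads from the domain controller.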
 
