RaymondHellberg-7759 asked DaisyZhou-MSFT commented

"NT-Authority\System" impersonated or overtaken? GPO-problems.

Hi all, I was researching a GPO-problem on a single W10_1903 PC.

DNS, DFS and everything else seemed okay, except for all the GPO-errors in the Event Log.

But when I, from a psexec command prompt (running "WhoAmI" gives "NT-Authority\System" for sure), ran "dir \\<domain.com>\SysVol" I got: "Wrong username or password". Running that several times locked another domain account, which is a local administrator on that computer.

So to me it seems like that other domain account has "taken over" the NT-Authority\System account in some way. Any hints appreciated, thanks.

Tags: windows-10-general, windows-10-security, windows-group-policy, windows-server-security

Hello @RaymondHellberg-7759,

Good day!
Would you please tell me how things are going on your side? If you have any questions or concerns about the post, please don't hesitate to let us know.
Thanks for your time and have a nice day!

Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

MotoX80 answered

I would put the PC into a workgroup, and then delete its computer account from the domain. Then check all of the domain controllers to verify that its account does not exist on any of them. Then re-join it to the domain and put its account in the correct OU.

DaisyZhou-MSFT answered DaisyZhou-MSFT edited

Hello @RaymondHellberg-7759,

Thank you for posting here.

Based on the description, I did a test in my lab and got the result successfully.

[Image: 24967-sy.png]


We can check:

1. Check whether we can log on to this computer with any domain account. If not, we may need to disjoin the computer from the domain and then rejoin the computer to the domain, OR reset the secure channel password.

1) Log on to this computer with the built-in local Administrator.
2) Open CMD and run as Administrator.
3) Type Netdom resetpwd /s:target_server /ud:mydomain\domain_admin /pd:* and press Enter.

/s:server is the name of the domain controller to use for setting the machine account password. This is the server where the KDC is running.
/ud:domain\User is the user account that makes the connection with the domain you specified in the /s parameter. This must be in domain\User format. If this parameter is omitted, the current user account is used.
/pd: specifies the password of the user account that is specified in the /ud parameter. Use an asterisk (*) to be prompted for the password.

2. If we try to access another shared folder on the DC or a domain file server, can we access it?

3. Check whether only this domain-joined computer has this issue.

4. What are the GPO errors in the Event Log, and what settings have we configured in this GPO?

5. Check what account (local account or domain account) we use to log on to this computer; if we change to another account (local account or domain account), check whether the issue persists.

6. Check whether we have a domain account with the same name as this computer.



Best Regards,
Daisy Zhou


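The secure-channel test and reset that the answer above describes with netdom, together with its step 4 (Event Log) and step 6 (same-name account), as an added PowerShell diagnostic that is not part of any post in this thread. It assumes the domain name, DC name and credentials are placeholders you replace, that the script is run elevated (under psexec -s if you want the SYSTEM context the question tested), and that the ActiveDirectory RSAT module is installed for the final check.

```powershell
# Added diagnostic for the checks in the answer above; not from the thread.
# Placeholders (assumptions): replace with your own values.
$Domain   = 'domain.example'        # the AD domain the PC is joined to
$DC       = 'dc1.domain.example'    # a domain controller (the /s:target_server in netdom)
$Computer = $env:COMPUTERNAME

# Step 1: who is running this, and can the machine account still authenticate?
whoami
$ok = Test-ComputerSecureChannel -Server $DC -Verbose
"Secure channel to $DC healthy: $ok"

# Step 1 (continued): if the secure channel is broken, reset the machine account password.
# PowerShell equivalent of: netdom resetpwd /s:$DC /ud:$Domain\domain_admin /pd:*
if (-not $ok) {
    $cred = Get-Credential -Message "Domain admin account (domain\user)"
    Reset-ComputerMachinePassword -Server $DC -Credential $cred
    # Re-test after the reset; a reboot may still be required before GPO applies cleanly.
    Test-ComputerSecureChannel -Server $DC -Verbose
}

# Step 2: can this PC reach SYSVOL at all? (Run under psexec -s to test as SYSTEM.)
"SYSVOL reachable: $(Test-Path "\\$Domain\SysVol")"

# Step 4: GPO errors logged locally in the Group Policy operational log (Level 2 = Error).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Level = 2 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message

# Lockouts recorded on the DC: event 4740 names the caller computer, which shows
# whether this PC is the source of the other account's lockouts.
Get-WinEvent -ComputerName $DC -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 10 |
    ForEach-Object {
        [pscustomobject]@{
            Time           = $_.TimeCreated
            LockedAccount  = $_.Properties[0].Value   # TargetUserName
            CallerComputer = $_.Properties[1].Value   # TargetDomainName holds the caller computer
        }
    }

# Step 6: is there a user account whose name collides with this computer's name?
Import-Module ActiveDirectory
Get-ADUser -Server $DC -Filter "SamAccountName -eq '$Computer' -or SamAccountName -eq '$Computer$'" |
    Select-Object SamAccountName, DistinguishedName
```

If the 4740 events list this PC as the caller computer while the lockout happens from the SYSTEM context, the next place to look is what is stored or scheduled under that context on the PC, which the thread never resolved before the reinstall.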
RaymondHellberg-7759 answered DaisyZhou-MSFT commented

Thanks all, but none of the suggested solutions worked. I even tried to reset Windows. Also searched the whole registry for that account that got locked in case something there had got messed up, but did not find it at all.
I ended up with wipe & reinstall, all well with that one now. I hope there are not more of these in our domain, that symptom seems a bit scary...


Hello @RaymondHellberg-7759,

Thank you for your update.

I am so glad that there is no such issue after reinstalling the OS.

As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!

Best Regards,
Daisy Zhou
