Bugtraq mailing list archives
Re: NT
From: ko () MARCH CO UK (Y W Ko)
Date: Thu, 20 Feb 1997 11:12:33 -0000
Hi all,
-----Original Message----- From: stuart () brody sonnet co uk [SMTP:brody () GPO SONNET CO UK] Sent: Wednesday, February 19, 1997 4:22 PM To: BUGTRAQ () NETSPACE ORG Subject: NT I don't know if you people out there no this - until I rattled Microsofts cage they didn't know that much either: Problem Description: When using the NET USER command to query users in-correct information is returned. If NET USER is used in another way then the user id is corrupted. (not given as I don't want to assist anybody wrecking their own domain) <<<< snip >>>>> Text: In a recent audit of user accounts on a clients site a queried users using the NET USER command (NET USER <UserID> /DOMAIN) to establish when users last logged into the domain, after trying 10 users (including my own) it soon became apparent that the returning values were extremely suspect, NT was claiming that the last login date and time was NEVER, even though I was signed onto the system. <<<< snip >>>>>>>
However, if this is rubbish then how does NT then determine when users passwords expire (how does NT work out what date to get the user to change password on) and how does the Audit Log/Event Viewer then log when a user signs in, for this situation the check would need to be done 8 times; the consequences of which undermine the C2 compliance and opens a whole can of worms. <<<< snip >>>> It is actually more confusing than that. The following is quoted from the SDK on line help that comes with VC++ 4.2: < start quote > USER_INFO_3 : : usri3_bad_pw_count Specifies the number of attempts to log on to this account using an incorrect password. ..... This member is maintained separately on each Backup Domain Controller (BDC) in the domain. To get an accurate value, each BDC in the domain must be queried, and the largest value is used. < end quote > The last bit, that "the largest value is used", is really mind-boggling. This applies to other logon information such as, number of logons and last logon/logoff time. I can sort of see some logic for last logon/logoff time. But the fact that one of the BDC contains the largest bad password or num logon counts is beyond me. In any case, does all this mean that if one of the BDC which contains "some" of these "largest values" goes down, we won't be able to accurately validate such important logon information.
Stuart Ross inquiry () brody sonnet co uk Cheers, Ko
Current thread:
- Re: NT Y W Ko (Feb 20)