Local Administrator can connect to Domain

Hi,

I have a domain managed by Windows Server 2003 Std Ed .

Recently I removed a computer (Windows 7 Pro) from the domain.
I was shock when I discovered that the Local Administrator from that removed PC , had actually access to the domain shared files, as a Domain Administrator.

That means, any computer connected to the network, not even beloging to the Domain, is able to get access to my Domain resources just with their local Administrator Account.

Seems that the domain is considering the Local Administrator as an Domain Administrator. but the Computer is not even member of the Domain ! so what's going on ?

I'm expacting that computers not belonging to a Domain, should not even able to see any shared resources by a domain which is not member of.

Can somebody tell me what's going on ?

Is this a problem with Windows 7 Client/Server 2003 compatibility?

How can I find the insecurity hole causing this ?

Thanks

What makes you think an un-authenticated user is connecting to this share as a "Domain Admn." The user is most likely connecting to an open share because you are sharing the folder to the everyone group.On 2003 server The everyone group means everyone.You should be restricting your share to the "Domain Users" group Or The "Authenticated users" group of your domain if you dont want everyone to see them. I personaly use the everyone group on my shares, then lock down the folders and files with NTFS permissions.

Does the Domain admin and the local admin share the same password?

how would the sids match up even with the same password

what local administrator account? Usually the built-in local administrator account is hidden from the login screen.

The SIDS don't need to match up, when you request access it authenticates with username and password

I see your point but but this isnt simple file sharing, what would cause a non domain computer to respond with the proper ntlm hash

correctdomainname\administrator

or Kerberos

administrato@correctdomainname.
To be authenticated as a Domain Admin

if you go into AD mmc and look at administrator you will see it is a member of domain admins.

I don’t think anyone is denying an Administrator account exists on the domain or that it is a member of the Domain Admins group.

The question is would or could you. On a computer not belonging to that domain get authenticated to a shared folder, as that Domain Administrator, just because your local computer Administrator account has the same password as the domain Administrator account.
And the answer is NO
A non domain computer would not be responding with the correct user account info to satisfy a Domain login authentication challenge.

The only sticky part here is that this computer used to belong to this domain. There may be some unusual cached ID info. Or the computed didn’t get removed from the domain at all.

try it and see, if you wanted to connect, for example, a windows 98 machine to an NT network, you'd open a share on the server/XP host, and set the credentials on the 98 box to *BAD IDEA ALERT* the administrator */BAD IDEA ALERT* of the host machine, no credentials on the 98 box apart from that, network name might help, at least that's how I remember it ...

I use a local user account from non-domain workstations that matches my domain user account name and password, and have no problems using any network file resources from any domain machines. If you have a domain user 'Administrator', and a local user 'Administrator' on a non-domain computer, and the passwords match, domain file resources should be available to the non-domain admin user.

oh, the non-domain computer needs to be in a workgroup named the same as the domain name.

I don't know about other than file resources, other programs may not authenticate without the domain name part of the username.

I agree Doug, and I also use a local user account from non-domain workstations that matches my domain user account name and password, and I too have no problems using any network file resources from any domain machines. But these are open file and folder resources. As soon as I try to access a non public share I get prompted for a user name password, as I would expect. As I stated in my original post to the OP getting access to a public file or folder doamin resource is not the same as being authenticated and being granted the access token for the "DOMAIN Admin account".
You are logged in as a guest to an open or public file or folder resource.

This is all moot anyway since the OP seems to no longer be participating in this thread.

Try adding a account that doesnt match a domain account, to your non domin computer and see if you can access the same resources. You should ba able to.

Guys, I have been playing with this issue for awhile. Here is the accurate description of the problem:
when you try to access your domain servers/computers using matching user name and password, domain name/membership makes no difference. It doesn't work only on domain controllers, all other servers/commputers are fully accessible, despite the logical assumption that user name, requesting access should include domain name as well. But in reality it doesn't.
In another words:
1) you have domain MYCOMPANY;
2) you have server MYFILESERVER, which is a member of MYCOMPANY domain;
3) MYFILESERVER has a local account ADMINISTRATOR with password "itadmin";
4) you have Windows 7 computer MYPC without domain membership;
5) MYPC has a local account ADMINISTRATOR with password "itadmin";
6) From here on you can access ANY resource on MYFILESERVER with full access, simply because you have matching user name and password. Technically Windows should let you in only if you are connecting as MYCOMPANY\ADMINISTRATOR or MYFILESERVER\ADMINISTRATOR, but in reality it allows you in with ADMINISTRATOR, MYPC\ADMINISTRATOR or ANYTHING\ADMINISTRATOR. And yes, administrative share \\MYFILESSERVER\C$ is accessible this way with full control, because you are connected to that server as local admin!
Apparently this is security breach on Microsoft's end. Maybe this is why Microsoft keeps local Administrator's account disabled in Windows 7 by default.

If you connect to a domain resource it is going to assume when you put in administrator, it is referring to the domain it's on so it assume <domainname>\administrator and not the local computer's administrator account.