JSI Tip 6537. Active Directory user accounts that end in dollar sign ($) can log on without the dollar sign?

If a user whose account name ends in $ attempts to log on without the trailing $, the attempt succeeds.

This behavior is by design. It is caused by Kerberos (and other authentication packages) retrying when the account is not found. When the package retries, it appends a $ to determine whether the account is a machine account or a user account, because Windows domains store computer account names with an appended $.

NOTE: An exception to this rule is when both accounts exist, xxxx and xxxx$. In this case, the logon succeeds only if the xxxx account is found.

NOTE: There is no rule prohibiting the use of a $ in the user name.
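The lookup order described above can be modeled in a few lines and used to audit an exported account list. This is an added example, not Microsoft's code. The function names, the sample directory, and the case-insensitive comparison are assumptions of the model.

```python
# Simplified model of the retry described in this tip; not Windows' actual code.
# SAMPLE_DIRECTORY is constructed data: sAMAccountName -> account type.
SAMPLE_DIRECTORY = {
    "alice": "user",
    "WKSTN01$": "computer",
    "svc-backup$": "user",   # user account whose name ends in $
    "print": "user",
    "print$": "computer",    # both xxxx and xxxx$ exist
}


def resolve_logon_name(name, directory):
    """Return the sAMAccountName a logon name resolves to, or None.

    An exact match is tried first; only if it fails is the lookup
    retried with '$' appended. Matching is case-insensitive (assumed).
    """
    index = {sam.lower(): sam for sam in directory}
    key = name.lower()
    if key in index:
        return index[key]
    return index.get(key + "$")


def audit_dollar_names(directory):
    """List $-suffixed names worth reviewing, as (name, finding, bare_name).

    'alias'    : a user account ending in $ that also answers to the bare name.
    'shadowed' : xxxx and xxxx$ both exist, so the bare name always resolves
                 to xxxx and the retry never happens.
    """
    findings = []
    lowered = {sam.lower() for sam in directory}
    for sam, kind in sorted(directory.items()):
        if not sam.endswith("$"):
            continue
        bare = sam[:-1]
        if bare.lower() in lowered:
            findings.append((sam, "shadowed", bare))
        elif kind == "user":
            findings.append((sam, "alias", bare))
    return findings


if __name__ == "__main__":
    for entry in audit_dollar_names(SAMPLE_DIRECTORY):
        print(entry)
```
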


