XP Machine Account Password Changes

Active Directory


Reply
 
Thread Tools Search this Thread
#1  20-10-2009  Member

duplicate - please delete

#2  20-10-2009  Richard Mueller [MVP]

I wonder if the GPO is not being applied to the local computers. Check in
Control Panel, Administrative Tools, Local Security Policy, Security
Options. You should see the same policy setting, plus the maximum password
age. If it is disabled, then perhaps the GPO is blocked. You could also
experiment by setting the max password age to a few days temporarily on a
machine.

I assume you are aware that it is not recommended that you enable this
policy.

#3  20-10-2009  Meinolf Weber [MVP-DS]

I agree with Richard about disabling that setting. On the computer, logged
in as a user, run rsop.msc or gpresult /v and check if the GPO is applied
and listed correctly.

#4  20-10-2009  Member

I came in this morning and more of our computers had dropped off the domain. No one is able to log in because it says the DC or Domain is not available.

After logging in as Administrator, I look at rsop.msc to see a red "X" over computer configuration:

http://02hdwq.blu.livefilestore.com/...ter_config.jpg

Drilling down through the list of policies I did not find any more red "X"s, but the policy which I set up appears to not be applied:

http://02hdwq.blu.livefilestore.com/...account_pw.jpg

Once I rejoined the machine to the Domain, I was able to log in under a domain user account. The rsop.msc looked like this:

http://02hdwq.blu.livefilestore.com/...nfig_error.jpg

The GPO for machine accounts is once again set correctly and it shows my GPO as the Source:

http://02hdwq.blu.livefilestore.com/...policy_set.jpg

*Update*
The event viewer on the DC I looked at has numerous errors stating the following:

"The session setup from the computer SCI-214-D failed to authenticate. The name(s) of the account(s) referenced in the security database is SCI-214-D$. The following error occurred:
Access is denied. "

Researching this more indicates the PC did indeed try to renew its Machine Account Password but then failed to connect because the PC reverted back to its original password due to our protection software.

Another update. I set up a test machine here in the office and put our protection software on it along with netdom.exe to try and force a password reset.

I checked the local policy and it was set to NOT allow password resets.
When I ran netdom to reset the password, it returned the error that the password could not be reset; however, I then rebooted the computer and was then no longer able to log in.

It's almost as if the policy is not keeping the passwords from being reset...

This makes me think that I have another problem - something perhaps related to DNS or GPOs not applying correctly.

I started researching other drive protection software packages to see what their creators had to say about this. Every single one recommends that you disable the machine account password changes.

Let me clarify that the purpose of our drive protection software is to maintain an image for classroom/lab purposes. It reverts any changes made by the multitude of users we see back to the original state. This has always worked flawlessly for us up until about a year ago.

We began seeing a problem on a remote site of our domain - laptops that were in a mobile lab with this protection software on them. They would fall off the domain every 30 days. About the time that we discovered what the cause was, almost all of the rest of the machines that had this protection software on them began falling off the domain. We hadn't experienced this problem in the 4 years we have had this software implemented, so either something has changed with a Microsoft patch, or perhaps a server-client relationship - I'm really at a loss.

We have decided that, as a site, we are willing to disable the machine account password changes (and accept the increased security risk) to reduce man hours related to constantly reimaging and cleaning machines. Now I just need to figure out WHY these machines keep changing passwords when the GPO specifically states not to!
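The DC-side error quoted in this post can be turned into a quick triage list. The PowerShell below is an added example, not from the thread: it scans a domain controller's System log for those NETLOGON "failed to authenticate" messages and groups them by machine account, so you can see which computers are failing and since when. The message layout is assumed to match the text quoted above; the sample event is constructed for offline testing.

```powershell
# Added example: triage NETLOGON "session setup ... failed to authenticate" errors on a DC.
# Assumes the message wording shown in the post; run on the DC as an administrator.
$pattern = 'The session setup from the computer (?<Computer>\S+) failed to authenticate\.\s+' +
           'The name\(s\) of the account\(s\) referenced in the security database is (?<Account>\S+)\.'

function Parse-NetlogonFailure {
    param([string]$Message, [datetime]$Time)
    if ($Message -match $pattern) {
        # The error text follows "The following error occurred:" in the message body
        $err = ($Message -split 'The following error occurred:\s*')[-1].Trim()
        New-Object PSObject -Property @{
            Time = $Time; Computer = $Matches['Computer']; Account = $Matches['Account']; Error = $err
        }
    }
}

function Get-NetlogonFailureSummary {
    param([object[]]$Events)   # objects with .Message and .TimeGenerated (as Get-EventLog returns)
    $Events |
        ForEach-Object { Parse-NetlogonFailure -Message $_.Message -Time $_.TimeGenerated } |
        Group-Object Account |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object Time)
            New-Object PSObject -Property @{
                Account   = $_.Name
                Failures  = $_.Count
                FirstSeen = $sorted[0].Time
                LastSeen  = $sorted[-1].Time
                Error     = $sorted[-1].Error
            }
        } | Sort-Object FirstSeen
}

# Constructed sample event (mirrors the wording quoted in the post) for an offline run
$sample = New-Object PSObject -Property @{
    TimeGenerated = Get-Date '2009-10-20 07:15:00'
    Message = 'The session setup from the computer SCI-214-D failed to authenticate. ' +
              'The name(s) of the account(s) referenced in the security database is SCI-214-D$. ' +
              "The following error occurred:`r`nAccess is denied. "
}
Get-NetlogonFailureSummary -Events @($sample) |
    Format-Table Account, Failures, FirstSeen, LastSeen, Error -AutoSize

# Live run on a DC: NETLOGON errors from the System log over the last 7 days
# Get-NetlogonFailureSummary -Events (Get-EventLog -LogName System -Source NETLOGON `
#     -EntryType Error -After (Get-Date).AddDays(-7)) |
#     Format-Table Account, Failures, FirstSeen, LastSeen, Error -AutoSize
```

A machine whose FirstSeen lines up with its image's last reboot is the pattern described in the post: the client rotated its password, the image rolled back, and every secure-channel setup since then fails.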

#5  20-10-2009  Ace Fekay [MCT]

At this point, it would appear that the best course of action is to contact
the makers of Compguard Cornerstone. As Richard said, it may appear, even
though an rsop and gpresults show the policy is being retrieved or applied,
the security app may be preventing it from actually applying.

I also agree with Richard that this setting is really not advised due to
security reasons. Kind of a catch-22 that you are using a drive security app
but disabling built-in protection on the AD side.

#6  20-10-2009  Ace Fekay [MCT]

Looking into this setting further, and as advised, even the following link
indicates not to enable this setting.

Domain member: Disable machine account password changes:
Security ...Domain member: Disable machine account password changes.
Updated: January 21, 2005
http://technet.microsoft.com/en-us/l...26(WS.10).aspx

It could be possible that enabling this on workstations may be working, but
the DCs are expecting the password to still get changed and not accepting
communications once the password expired. For Windows 2000 and later, the
default computer account password change is 30 days. NT4 was every 7 days.

Effects of machine account replication on a domain: Domain Member: Disable
machine account password changes (DisablePasswordChange); Domain Member:
Maximum machine account password age (MaximumPasswordAge) ... Also indicates
default machine password expiration time.
http://support.microsoft.com/kb/175468

I believe you'll also need to have the DCs' registry setting for the
password change set to enabled for "RefusePasswordChange."

Are you seeing Event ID 5721 on the DCs? Read the following for more info
for the above setting and other information regarding what you're trying to
accomplish. Disregard the OS version. The information still applies.

How to disable automatic machine account password changes: On Microsoft
Windows NT-based computers and on Microsoft Windows 2000-based computers,
machine account passwords are regularly changed for security purposes ...
http://support.microsoft.com/kb/154501
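As an added PowerShell example (not from the thread or the KB articles), this reads the Netlogon values named above (DisablePasswordChange, MaximumPasswordAge, RefusePasswordChange) from the registry and compares them with the computer account's pwdLastSet in AD, which shows whether a rotation is due and whether a locally set value survived a reboot under the protection software. It assumes the machine can still reach a DC for the DirectorySearcher lookup, and assumes defaults of 0 and 30 days when the values are absent.

```powershell
# Added example: compare a workstation's effective Netlogon settings with the age of its
# computer-account password in AD. Registry path and value names are from KB154501/KB175468;
# the 30-day default is the one quoted in the thread. Run as a domain user on the workstation.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-NetlogonSetting {
    param([string]$Name, [int]$Default)
    $p = Get-ItemProperty -Path $netlogon -ErrorAction SilentlyContinue
    if ($p -and $p.PSObject.Properties[$Name]) { [int]$p.$Name } else { $Default }
}

function Get-ComputerPasswordAge {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Look up this machine's account and read pwdLastSet (a FILETIME returned as Int64)
    $searcher = New-Object DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    [void]$searcher.PropertiesToLoad.Add('pwdLastSet')
    $result = $searcher.FindOne()
    if (-not $result) { throw "Computer account $ComputerName`$ not found in AD" }
    $lastSet = [DateTime]::FromFileTime([long]$result.Properties['pwdlastset'][0])
    New-Object PSObject -Property @{
        LastSet = $lastSet
        AgeDays = [int]((Get-Date) - $lastSet).TotalDays
    }
}

function Test-MachinePasswordState {
    $disable = Get-NetlogonSetting -Name 'DisablePasswordChange' -Default 0
    $maxAge  = Get-NetlogonSetting -Name 'MaximumPasswordAge'    -Default 30   # days
    $refuse  = Get-NetlogonSetting -Name 'RefusePasswordChange'  -Default 0    # only meaningful on a DC
    $age     = Get-ComputerPasswordAge
    $state = if ($disable -eq 1)               { 'Client-side changes disabled (DisablePasswordChange=1)' }
             elseif ($age.AgeDays -ge $maxAge) { 'Password older than MaximumPasswordAge: client is expected to rotate it' }
             else                              { 'Within MaximumPasswordAge: no rotation expected yet' }
    New-Object PSObject -Property @{
        DisablePasswordChange  = $disable
        MaximumPasswordAgeDays = $maxAge
        RefusePasswordChange   = $refuse
        PasswordLastSet        = $age.LastSet
        PasswordAgeDays        = $age.AgeDays
        State                  = $state
    }
}

Test-MachinePasswordState | Format-List
```

Run it before and after a reboot of an image-protected machine: if DisablePasswordChange reads 1 before the reboot and 0 after, the protection software is rolling the policy back, which is the behaviour the thread is chasing.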

#7  20-10-2009  Richard Mueller [MVP]

I agree. It seems as if Compguard Cornerstone restores the old policy on
reboot. That's how it works to prevent alterations by users. Maybe you could
disable Compguard Cornerstone (or turn it off), apply the new policy, then
re-enable it.

I don't find much discussion or documentation on altering the computer
account password expiration policy, but I'm sure the 30 day default maximum
password age was chosen for a reason. The consequences of a compromised
password could be very bad. No matter how complex or long a password, it can
be hacked given enough time. Seems there should be a better solution.

I couldn't find much discussion-wise with this topic, either. It seems that
most just leave it to default, which I've found works fine. :-)

Imaging? Have you Sysprepped the images?

#8  22-10-2009  Member

Quote: Originally Posted by Ace Fekay [MCT] (post #6 above, quoted in full)
I'm sorry, I didn't see your post before...

According to the Microsoft article, disabling the password changes on the client would be the first workaround, and disabling them on the server would be a second workaround. I'm not seeing anything about them needing to both be changed, unless you see something I don't. The reason I would only want to do it on the client side would be to restrict this policy to only our lab computers, not staff machines.

I am curious, however:

Quote:
Imaging? Have you Sysprepped the images?

Ace
Yes, all images are sysprepped before deployment. We use Symantec Ghost Solution Suite to deploy images.

Quote: Originally Posted by Richard Mueller [MVP] (post #7 above, first two paragraphs)

This is an interesting point. At what point are GPOs applied? Is it at login or at startup? If the GPO isn't applied until login, this would definitely allow the machine to see that its password is out of date before the new policy is applied.

#9  22-10-2009  Ace Fekay [MCT]

I think that it would need to be addressed on both the DCs and the client
machines. Have you spoken to the vendor about the issues you've been seeing
and got their recommendations? Since they designed it, I would imagine they
would know a little more about how to get their product to work in an AD
environment.

#10  22-10-2009  Member

Yes, as I stated in my initial post:

Quote:
> I did some reading and the drive protection software manufacturer
> recommends disabling Machine Account Password changes since the
> protection software would revert the machine to its old password after
> a reboot - post password change.

#11  22-10-2009  Ace Fekay [MCT]

Sorry, it wasn't clear if you actually 'spoke' to them and not just read up
on it. Thanks for pointing that out.

Sorry, I don't have any other recommendations or a solution at this time to
resolve this other than what I've already mentioned. If you do find a
resolution, please share it with us. It will help others in a similar
situation.