XP Machine Account Password Changes [message #290996] Mon, 19 October 2009 14:41
insane_drummer
We have several hundred Windows XP clients that are used in Lab and
Classroom settings. These machines are protected by Compguard
Cornerstone (a drive protection software). Within the last 6 months
almost all of these machines began falling off the domain every 30 days.
I did some reading and the drive protection software manufacturer
recommends disabling Machine Account Password changes since the
protection software would revert the machine to its old password after
a reboot - post password change.

After reading up on the Machine Account Password GPO settings, I placed
a GPO in the OU in Active Directory which contains our protected
machines. I adjusted the value of "Disable Machine Account Password
Changes" to 'Enable' which should prevent the machine from future
changes.

I logged into a number of these machines and the GPO was indeed being
applied; however, yet again after 30 days, all the machines start to
fall off the domain!
Am I missing something? Is there another step that I need to take to
get these machines to stop changing their account passwords?

Any help would be much appreciated!!


--
insane_drummer
Re: XP Machine Account Password Changes [message #291241 is a reply to message #290996] Mon, 19 October 2009 20:15
rlmueller-nospam
"insane_drummer" <insane_drummer.40bobe@DoNotSpam.com> wrote in message
news:insane_drummer.40bobe@DoNotSpam.com...
>
> We have several hundred Windows XP clients that are used in Lab and
> Classroom settings. These machines are protected by Compguard
> Cornerstone (a drive protection software). Within the last 6 months
> almost all of these machines began falling off the domain every 30 days.
> I did some reading and the drive protection software manufacturer
> recommends disabling Machine Account Password changes since the
> protection software would revert the machine to its old password after
> a reboot - post password change.
>
> After reading up on the Machine Account Password GPO settings, I placed
> a GPO in the OU in Active Directory which contains our protected
> machines. I adjusted the value of "Disable Machine Account Password
> Changes" to 'Enable' which should prevent the machine from future
> changes.
>
> I logged into a number of these machines and the GPO was indeed being
> applied; however, yet again after 30 days, all the machines start to
> fall off the domain!
> Am I missing something? Is there another step that I need to take to
> get these machines to stop changing their account passwords?
>
> Any help would be much appreciated!!
>

I wonder if the GPO is not being applied to the local computers. Check in
Control Panel, Administrative Tools, Local Security Policy, Security
Options. You should see the same policy setting, plus the maximum password
age. If it is disabled, then perhaps the GPO is blocked. You could also
experiment by setting the max password age to a few days temporarily on a
machine.

I assume you are aware that it is not recommended that you enable this
policy.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
Re: XP Machine Account Password Changes [message #291371 is a reply to message #290996] Mon, 19 October 2009 23:55
meiweb
Hello insane_drummer,

I agree with Richard about disabling that setting. On the computer, logged
in as a user, run rsop.msc or gpresult /v and check if the GPO is applied
and listed correctly.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> We have several hundred Windows XP clients that are used in Lab and
> Classroom settings. These machines are protected by Compguard
> Cornerstone (a drive protection software). Within the last 6 months
> almost all of these machines began falling off the domain every 30
> days. I did some reading and the drive protection software
> manufacturer recommends disabling Machine Account Password changes
> since the protection software would revert the machine to its old
> password after a reboot - post password change.
>
> After reading up on the Machine Account Password GPO settings, I
> placed a GPO in the OU in Active Directory which contains our
> protected machines. I adjusted the value of "Disable Machine Account
> Password Changes" to 'Enable' which should prevent the machine from
> future changes.
>
> I logged into a number of these machines and the GPO was indeed being
> applied; however, yet again after 30 days, all the machines start to
> fall off the domain!
> Am I missing something? Is there another step that I need to take to
> get these machines to stop changing their account passwords?
> Any help would be much appreciated!!
>
Re: XP Machine Account Password Changes [message #291718 is a reply to message #291371] Tue, 20 October 2009 07:53
insane_drummer
I came in this morning and more of our computers had dropped off the
domain. No one is able to log in because it says the DC or Domain is not
available.

After logging in as Administrator, I look at rsop.msc to see a red "X"
over computer configuration:

[image:
http://02hdwq.blu.livefilestore.com/y1prdacnZOPAAvfDGxNAdadc wv1yCTA-8q2dP9oJCMI1_ICMZhHC1XTJ8VLgNgMvEWQCrCEXeJp6WoLt5EKi KqBsB7b8b0Sv6n9/computer_config.jpg]

Drilling down through the list of policies I did not find anymore red
"X"s, but the policy which I set up appears to not be applied:

[image:
http://02hdwq.blu.livefilestore.com/y1pMTlQcD9GJq8Gu1FFu_KnS M2fDeQoD8ZRLdev-3p1vXPdOvK6NcbU_a7KM7jEXY2DzW1YcGSiPSqLb2A2Y FKPo88IVbZ1hMYJ/machine_account_pw.jpg]

Once I rejoined the machine to the Domain, I was able to log in under a
domain user account. The rsop.msc looked like this:

[image:
http://02hdwq.blu.livefilestore.com/y1pdEDWpwQwwz3onfmiqlzhH HtEMwK6icrXgRuHrU2GH6gX_VhgiO9UWDWl0khasbIk-DFoRZroY343VtCK- hBFyFiHInzX7CPF/comp_config_error.jpg]

The GPO for machine accounts is once again set correctly and it shows
my GPO as the Source:

[image:
http://02hdwq.blu.livefilestore.com/y1phnYrBuiqHFukS0wix-kE4 F9rk4GpAfRRANUW4_fPk2oTWoNPWUH_da4LERdZLQtaNu3Boe7bQCae9yscL 1tEvfOnhaM9FlLy/policy_set.jpg]

Thoughts?


--
insane_drummer
Re: XP Machine Account Password Changes [message #291785 is a reply to message #291718] Tue, 20 October 2009 09:07
insane_drummer
Another update. I set up a test machine here in the office and put our
protection software on it along with netdom.exe to try and force a
password reset.

I checked the local policy and it was set to NOT allow password
resets.
When I ran netdom to reset the password, it returned the error that the
password could not be reset; however, I then rebooted the computer and
was then no longer able to log in.

It's almost as if the policy is not keeping the passwords from being
reset...


--
insane_drummer
Re: XP Machine Account Password Changes [message #291786 is a reply to message #291718] Tue, 20 October 2009 09:23
aceman
"insane_drummer" <insane_drummer.40czjb@DoNotSpam.com> wrote in message
news:insane_drummer.40czjb@DoNotSpam.com...
>
> I came in this morning and more of our computers had dropped off the
> domain. No one is able to log in because it says the DC or Domain is not
> available.
>
> After logging in as Administrator, I look at rsop.msc to see a red "X"
> over computer configuration:
>
> [image:
> http://02hdwq.blu.livefilestore.com/y1prdacnZOPAAvfDGxNAdadc wv1yCTA-8q2dP9oJCMI1_ICMZhHC1XTJ8VLgNgMvEWQCrCEXeJp6WoLt5EKi KqBsB7b8b0Sv6n9/computer_config.jpg]
>
> Drilling down through the list of policies I did not find anymore red
> "X"s, but the policy which I set up appears to not be applied:
>
> [image:
> http://02hdwq.blu.livefilestore.com/y1pMTlQcD9GJq8Gu1FFu_KnS M2fDeQoD8ZRLdev-3p1vXPdOvK6NcbU_a7KM7jEXY2DzW1YcGSiPSqLb2A2Y FKPo88IVbZ1hMYJ/machine_account_pw.jpg]
>
> Once I rejoined the machine to the Domain, I was able to log in under a
> domain user account. The rsop.msc looked like this:
>
> [image:
> http://02hdwq.blu.livefilestore.com/y1pdEDWpwQwwz3onfmiqlzhH HtEMwK6icrXgRuHrU2GH6gX_VhgiO9UWDWl0khasbIk-DFoRZroY343VtCK- hBFyFiHInzX7CPF/comp_config_error.jpg]
>
> The GPO for machine accounts is once again set correctly and it shows
> my GPO as the Source:
>
> [image:
> http://02hdwq.blu.livefilestore.com/y1phnYrBuiqHFukS0wix-kE4 F9rk4GpAfRRANUW4_fPk2oTWoNPWUH_da4LERdZLQtaNu3Boe7bQCae9yscL 1tEvfOnhaM9FlLy/policy_set.jpg]
>
> Thoughts?
>
>
> --
> insane_drummer

At this point, it would appear that the best course of action is to contact
the makers of Compguard Cornerstone. As Richard said, it may appear, even
though an rsop and gpresults show the policy is being retrieved or applied,
the security app may be preventing it from actually applying.

I also agree with Richard that this setting is really not advised due to
security reasons. Kind of a catch-22 that you are using a drive security app
but disabling built-in protection on the AD side.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
Re: XP Machine Account Password Changes [message #291820 is a reply to message #291785] Tue, 20 October 2009 09:40
aceman
"insane_drummer" <insane_drummer.40d2bb@DoNotSpam.com> wrote in message
news:insane_drummer.40d2bb@DoNotSpam.com...
>
> Another update. I set up a test machine here in the office and put our
> protection software on it along with netdom.exe to try and force a
> password reset.
>
> I checked the local policy and it was set to NOT allow password
> resets.
> When I ran netdom to reset the password, it returned the error that the
> password could not be reset; however, I then rebooted the computer and
> was then no longer able to log in.
>
> It's almost as if the policy is not keeping the passwords from being
> reset...
>
>
> --
> insane_drummer


Looking into this setting further, and as advised, even the following link
indicates not to enable this setting.

Domain member: Disable machine account password changes:
Security ...Domain member: Disable machine account password changes.
Updated: January 21, 2005
http://technet.microsoft.com/en-us/library/cc785826(WS.10).aspx

It could be possible that enabling this on workstations may be working, but
the DCs are expecting the password to still get changed and not accepting
communications once the password expired. For Windows 2000 and later, the
default computer account password change is 30 days. NT4 was every 7 days.

Effects of machine account replication on a domain
Domain Member: Disable machine account password changes
(DisablePasswordChange); Domain Member: Maximum machine account password
age (MaximumPasswordAge) ... Also indicates default machine password
expiration time.
http://support.microsoft.com/kb/175468

I believe you'll also need to have the DCs' registry setting for the
password changed to be set to enabled for "RefusePasswordChange."

Are you seeing Event ID 5721 on the DCs? Read the following for more info
for the above setting and other information regarding what you're trying to
accomplish. Disregard the OS version. The information still applies.

How to disable automatic machine account password changes
On Microsoft Windows NT-based computers and on Microsoft Windows 2000-based
computers, machine account passwords are regularly changed for security
purposes ...
http://support.microsoft.com/kb/154501

Ace
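
A way to confirm what Netlogon will actually use on a protected client, as an added example that is not part of the original thread: it reads the three values named above straight from the registry and queries the secure channel, so the result does not depend on what rsop.msc reports. It assumes `nltest` from the Windows Support Tools is installed; the script name and its two arguments are made up for illustration, and the registry key path is not given in the thread.

```bat
@echo off
rem check_machine_pw.cmd (hypothetical name) - added example, not from the thread.
rem Usage: check_machine_pw.cmd DOMAIN LOGFILE
rem   DOMAIN  = NetBIOS or DNS name of the AD domain (assumption: supplied by you)
rem   LOGFILE = file on storage the drive protection does NOT roll back,
rem             otherwise the "before reboot" record is lost on restart.
if "%~2"=="" (
  echo Usage: %~nx0 DOMAIN LOGFILE
  exit /b 1
)
setlocal
set DOMAIN=%~1
set LOG=%~2
rem Netlogon reads its machine account password settings from this key.
set KEY=HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

echo ===== %COMPUTERNAME% %DATE% %TIME% ===== >>"%LOG%"

rem DisablePasswordChange: 1 = this member never starts a password change.
rem MaximumPasswordAge:    days between changes (30 when the value is absent).
rem RefusePasswordChange:  only meaningful on a domain controller.
for %%V in (DisablePasswordChange MaximumPasswordAge RefusePasswordChange) do call :show %%V

echo --- secure channel --- >>"%LOG%"
rem Reports whether this member still has a working trust with a DC.
nltest /sc_query:%DOMAIN% >>"%LOG%" 2>&1

type "%LOG%"
endlocal
exit /b 0

:show
rem reg.exe returns errorlevel 1 when the value does not exist.
reg query "%KEY%" /v %1 >>"%LOG%" 2>nul
if errorlevel 1 echo %1 not present, Netlogon uses its default >>"%LOG%"
exit /b 0
```

Run it once after the policy has applied and again immediately after a reboot. If DisablePasswordChange shows 0x1 in the first record and is missing in the second, the protected image itself does not contain the setting and the drive protection is rolling it back.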
Re: XP Machine Account Password Changes [message #292333 is a reply to message #291786] Tue, 20 October 2009 09:52
rlmueller-nospam
"Ace Fekay [MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:ua3b7kZUKHA.4484@TK2MSFTNGP02.phx.gbl...
> "insane_drummer" <insane_drummer.40czjb@DoNotSpam.com> wrote in message
> news:insane_drummer.40czjb@DoNotSpam.com...
>>
>> I came in this morning and more of our computers had dropped off the
>> domain. No one is able to log in because it says the DC or Domain is not
>> available.
>>
>> After logging in as Administrator, I look at rsop.msc to see a red "X"
>> over computer configuration:
>>
>> [image:
>> http://02hdwq.blu.livefilestore.com/y1prdacnZOPAAvfDGxNAdadc wv1yCTA-8q2dP9oJCMI1_ICMZhHC1XTJ8VLgNgMvEWQCrCEXeJp6WoLt5EKi KqBsB7b8b0Sv6n9/computer_config.jpg]
>>
>> Drilling down through the list of policies I did not find anymore red
>> "X"s, but the policy which I set up appears to not be applied:
>>
>> [image:
>> http://02hdwq.blu.livefilestore.com/y1pMTlQcD9GJq8Gu1FFu_KnS M2fDeQoD8ZRLdev-3p1vXPdOvK6NcbU_a7KM7jEXY2DzW1YcGSiPSqLb2A2Y FKPo88IVbZ1hMYJ/machine_account_pw.jpg]
>>
>> Once I rejoined the machine to the Domain, I was able to log in under a
>> domain user account. The rsop.msc looked like this:
>>
>> [image:
>> http://02hdwq.blu.livefilestore.com/y1pdEDWpwQwwz3onfmiqlzhH HtEMwK6icrXgRuHrU2GH6gX_VhgiO9UWDWl0khasbIk-DFoRZroY343VtCK- hBFyFiHInzX7CPF/comp_config_error.jpg]
>>
>> The GPO for machine accounts is once again set correctly and it shows
>> my GPO as the Source:
>>
>> [image:
>> http://02hdwq.blu.livefilestore.com/y1phnYrBuiqHFukS0wix-kE4 F9rk4GpAfRRANUW4_fPk2oTWoNPWUH_da4LERdZLQtaNu3Boe7bQCae9yscL 1tEvfOnhaM9FlLy/policy_set.jpg]
>>
>> Thoughts?
>>
>>
>> --
>> insane_drummer
>
> At this point, it would appear that the best course of action is to
> contact the makers of Compguard Cornerstone. As Richard said, it may
> appear, even though an rsop and gpresults show the policy is being
> retrieved or applied, the security app may be preventing it from actually
> applying.
>
> I also agree with Richard that this setting is really not advised due to
> security reasons. Kind of a catch-22 that you are using a drive security
> app but disabling built-in protection on the AD side.
>
>

I agree. It seems as if Compguard Cornerstone restores the old policy on
reboot. That's how it works to prevent alterations by users. Maybe you could
disable Compguard Cornerstone (or turn it off), apply the new policy, then
re-enable it.

I don't find much discussion or documentation on altering the computer
account password expiration policy, but I'm sure the 30 day default maximum
password age was chosen for a reason. The consequences of a compromised
password could be very bad. No matter how complex or long a password, it can
be hacked given enough time. Seems there should be a better solution.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
Re: XP Machine Account Password Changes [message #292476 is a reply to message #292333] Tue, 20 October 2009 20:40
aceman
"Richard Mueller [MVP]" <rlmueller-nospam@ameritech.nospam.net> wrote in
message news:%23WZ2pjdUKHA.2932@TK2MSFTNGP04.phx.gbl...
>
> "Ace Fekay [MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
> news:ua3b7kZUKHA.4484@TK2MSFTNGP02.phx.gbl...
>> "insane_drummer" <insane_drummer.40czjb@DoNotSpam.com> wrote in message
>> news:insane_drummer.40czjb@DoNotSpam.com...
>>>
>>> I came in this morning and more of our computers had dropped off the
>>> domain. No one is able to log in because it says the DC or Domain is not
>>> available.
>>>
>>> After logging in as Administrator, I look at rsop.msc to see a red "X"
>>> over computer configuration:
>>>
>>> [image:
>>> http://02hdwq.blu.livefilestore.com/y1prdacnZOPAAvfDGxNAdadc wv1yCTA-8q2dP9oJCMI1_ICMZhHC1XTJ8VLgNgMvEWQCrCEXeJp6WoLt5EKi KqBsB7b8b0Sv6n9/computer_config.jpg]
>>>
>>> Drilling down through the list of policies I did not find anymore red
>>> "X"s, but the policy which I set up appears to not be applied:
>>>
>>> [image:
>>> http://02hdwq.blu.livefilestore.com/y1pMTlQcD9GJq8Gu1FFu_KnS M2fDeQoD8ZRLdev-3p1vXPdOvK6NcbU_a7KM7jEXY2DzW1YcGSiPSqLb2A2Y FKPo88IVbZ1hMYJ/machine_account_pw.jpg]
>>>
>>> Once I rejoined the machine to the Domain, I was able to log in under a
>>> domain user account. The rsop.msc looked like this:
>>>
>>> [image:
>>> http://02hdwq.blu.livefilestore.com/y1pdEDWpwQwwz3onfmiqlzhH HtEMwK6icrXgRuHrU2GH6gX_VhgiO9UWDWl0khasbIk-DFoRZroY343VtCK- hBFyFiHInzX7CPF/comp_config_error.jpg]
>>>
>>> The GPO for machine accounts is once again set correctly and it shows
>>> my GPO as the Source:
>>>
>>> [image:
>>> http://02hdwq.blu.livefilestore.com/y1phnYrBuiqHFukS0wix-kE4 F9rk4GpAfRRANUW4_fPk2oTWoNPWUH_da4LERdZLQtaNu3Boe7bQCae9yscL 1tEvfOnhaM9FlLy/policy_set.jpg]
>>>
>>> Thoughts?
>>>
>>>
>>> --
>>> insane_drummer
>>
>> At this point, it would appear that the best course of action is to
>> contact the makers of Compguard Cornerstone. As Richard said, it may
>> appear, even though an rsop and gpresults show the policy is being
>> retrieved or applied, the security app may be preventing it from actually
>> applying.
>>
>> I also agree with Richard that this setting is really not advised due to
>> security reasons. Kind of a catch-22 that you are using a drive security
>> app but disabling built-in protection on the AD side.
>>
>>
>
> I agree. It seems as if Compguard Cornerstone restores the old policy on
> reboot. That's how it works to prevent alterations by users. Maybe you
> could disable Compguard Cornerstone (or turn it off), apply the new
> policy, then re-enable it.
>
> I don't find much discussion or documentation on altering the computer
> account password expiration policy, but I'm sure the 30 day default
> maximum password age was chosen for a reason. The consequences of a
> compromised password could be very bad. No matter how complex or long a
> password, it can be hacked given enough time. Seems there should be a
> better solution.
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net
> --
>
>


I couldn't find much discussion-wise with this topic, either. It seems that
most just leave it to default, which I've found works fine. :-)

Ace
Re: XP Machine Account Password Changes [message #293825 is a reply to message #292476] Wed, 21 October 2009 20:09
insane_drummer
This makes me think that I have another problem - something perhaps
related to DNS or GPOs not applying correctly.

I started researching other drive protection software packages to see
what their creators had to say about this. Every single one recommends
that you disable the machine account password changes.

Let me clarify that the purpose of our drive protection software is to
maintain an image for classroom/lab purposes. It reverts any changes
made by the multitude of users we see back to the original state. This
has always worked flawlessly for us up until about a year ago.

We began seeing a problem on a remote site of our domain - laptops that
were in a mobile lab with this protection software on them. They would
fall off the domain every 30 days. About the time that we discovered what
the cause was, almost all of the rest of the machines that had this
protection software on them began falling off the domain. We hadn't
experienced this problem in the 4 years we have had this software
implemented, so either something has changed with a Microsoft patch, or
perhaps a server-client relationship - I'm really at a loss.

We have decided that, as a site, we are willing to disable the machine
account password changes (and accept the increased security risk) to
reduce man hours related to constantly reimaging and cleaning machines.
Now I just need to figure out WHY these machines keep changing passwords
when the GPO specifically states not to!


--
insane_drummer
Re: XP Machine Account Password Changes [message #293908 is a reply to message #293825] Wed, 21 October 2009 22:50
aceman
"insane_drummer" <insane_drummer.40frjc@DoNotSpam.com> wrote in message
news:insane_drummer.40frjc@DoNotSpam.com...
>
> This makes me think that I have another problem - something perhaps
> related to DNS or GPOs not applying correctly.
>
> I started researching other drive protection software packages to see
> what their creators had to say about this. Every single one recommends
> that you disable the machine account password changes.
>
> Let me clarify that the purpose of our drive protection software is to
> maintain an image for classroom/lab purposes. It reverts any changes
> made by the multitude of users we see back to the original state. This
> has always worked flawlessly for us up until about a year ago.
>
> We began seeing a problem on a remote site of our domain - laptops that
> were in a mobile lab with this protection software on them. They would
> fall off the domain every 30 days. About the time that we discovered what
> the cause was, almost all of the rest of the machines that had this
> protection software on them began falling off the domain. We hadn't
> experienced this problem in the 4 years we have had this software
> implemented, so either something has changed with a Microsoft patch, or
> perhaps a server-client relationship - I'm really at a loss.
>
> We have decided that, as a site, we are willing to disable the machine
> account password changes (and accept the increased security risk) to
> reduce man hours related to constantly reimaging and cleaning machines.
> Now I just need to figure out WHY these machines keep changing passwords
> when the GPO specifically states not to!
>
>
> --
> insane_drummer


Imaging? Have you Sysprepped the images?

Ace
Re: XP Machine Account Password Changes [message #294301 is a reply to message #291820] Thu, 22 October 2009 07:31
insane_drummer
Ace Fekay [MCT] wrote:
> "insane_drummer" <insane_drummer.40d2bb@DoNotSpam.com> wrote
> in message
> news:insane_drummer.40d2bb@DoNotSpam.com...
>
> Looking into this setting further, and as advised, even the following
> link
> indicates not to enable this setting.
>
> Domain member: Disable machine account password changes:
> Security ...Domain member: Disable machine account password changes.
> Updated: January 21, 2005
> http://technet.microsoft.com/en-us/library/cc785826(WS.10).aspx
>
> It could be possible that enabling this on workstations may be working,
> but
> the DCs are expecting the password to still get changed and not
> accepting
> communications once the password expired. For Windows 2000 and later,
> the
> default computer account password change is 30 days. NT4 was every 7
> days.
>
> Effects of machine account replication on a domain
> Domain Member:
> Disable
> machine account password changes (DisablePasswordChange); Domain
> Member:
> Maximum machine account password age (MaximumPasswordAge) ... Also
> indicates
> default machine password expiration time.
> http://support.microsoft.com/kb/175468
>
> I believe you'll also need to have the DCs' registry setting for the
> password changed to be set to enabled for "RefusePasswordChange."
>
> Are you seeing Event ID 5721 on the DCs? Read the following for more
> info
> for the above setting and other information regarding what you're
> trying to
> accomplish. Disregard the OS version. The information still applies.
>
> How to disable automatic machine account password changes
> On Microsoft
> Windows NT-based computers and on Microsoft Windows 2000-based
> computers,
> machine account passwords are regularly changed for security purposes
> ...
> http://support.microsoft.com/kb/154501
>
> Ace

I'm sorry, I didn't see your post before...

According to the Microsoft article, disabling the password changes on
the client would be the 1st workaround, and disabling them on the server
would be a second workaround. I'm not seeing anything about them needing
to both be changed, unless you see something I don't. The reason I would
only want to do it on the client side would be to restrict this policy
to only our lab computers, not staff machines.

I am curious; however,

> Imaging? Have you Sysprepped the images?
>
> Ace

Yes, all images are sysprepped before deployment. We use Symantec Ghost
Solution Suite to deploy images.

> I agree. It seems as if Compguard Cornerstone restores the old policy
> on
> reboot. That's how it works to prevent alterations by users. Maybe you
> could
> disable Compguard Cornerstone (or turn it off), apply the new policy,
> then
> re-enable it.
>
> I don't find much discussion or documentation on altering the computer
> account password expiration policy, but I'm sure the 30 day default
> maximum
> password age was chosen for a reason. The consequences of a
> compromised
> password could be very bad. No matter how complex or long a password,
> it can
> be hacked given enough time. Seems there should be a better solution.
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net

This is an interesting point. At what point are GPOs applied? Is it at
login or at startup? If the gpo isn't applied until log in, this would
definitely allow the machine to see its password is out of date before
the new policy is applied.


--
insane_drummer
Re: XP Machine Account Password Changes [message #294356 is a reply to message #294301] Thu, 22 October 2009 09:04
aceman
"insane_drummer" <insane_drummer.40govb@DoNotSpam.com> wrote in message
news:insane_drummer.40govb@DoNotSpam.com...
>
> Ace Fekay [MCT] wrote:
>> "insane_drummer" <insane_drummer.40d2bb@DoNotSpam.com> wrote
>> in message
>> news:insane_drummer.40d2bb@DoNotSpam.com...
>>
>> Looking into this setting further, and as advised, even the following
>> link
>> indicates not to enable this setting.
>>
>> Domain member: Disable machine account password changes:
>> Security ...Domain member: Disable machine account password changes.
>> Updated: January 21, 2005
>> http://technet.microsoft.com/en-us/library/cc785826(WS.10).aspx
>>
>> It could be possible that enabling this on workstations may be working,
>> but
>> the DCs are expecting the password to still get changed and not
>> accepting
>> communications once the password expired. For Windows 2000 and later,
>> the
>> default computer account password change is 30 days. NT4 was every 7
>> days.
>>
>> Effects of machine account replication on a domain
>> Domain Member:
>> Disable
>> machine account password changes (DisablePasswordChange); Domain
>> Member:
>> Maximum machine account password age (MaximumPasswordAge) ... Also
>> indicates
>> default machine password expiration time.
>> http://support.microsoft.com/kb/175468
>>
>> I believe you'll also need to have the DCs' registry setting for the
>> password changed to be set to enabled for "RefusePasswordChange."
>>
>> Are you seeing Event ID 5721 on the DCs? Read the following for more
>> info
>> for the above setting and other information regarding what you're
>> trying to
>> accomplish. Disregard the OS version. The information still applies.
>>
>> How to disable automatic machine account password changes
>> On Microsoft
>> Windows NT-based computers and on Microsoft Windows 2000-based
>> computers,
>> machine account passwords are regularly changed for security purposes
>> ...
>> http://support.microsoft.com/kb/154501
>>
>> Ace
>
> I'm sorry, I didn't see your post before...
>
> According to the Microsoft article, disabling the password changes on
> the client would be the 1st workaround, and disabling them on the server
> would be a second workaround. I'm not seeing anything about them needing
> to both be changed, unless you see something I don't. The reason I would
> only want to do it on the client side would be to restrict this policy
> to only our lab computers, not staff machines.
>
> I am curious; however,
>
>> Imaging? Have you Sysprepped the images?
>>
>> Ace
>
> Yes, all images are sysprepped before deployment. We use Symantec Ghost
> Solution Suite to deploy images.
>
>> I agree. It seems as if Compguard Cornerstone restores the old policy
>> on
>> reboot. That's how it works to prevent alterations by users. Maybe you
>> could
>> disable Compguard Cornerstone (or turn it off), apply the new policy,
>> then
>> re-enable it.
>>
>> I don't find much discussion or documentation on altering the computer
>> account password expiration policy, but I'm sure the 30 day default
>> maximum
>> password age was chosen for a reason. The consequences of a
>> compromised
>> password could be very bad. No matter how complex or long a password,
>> it can
>> be hacked given enough time. Seems there should be a better solution.
>>
>> --
>> Richard Mueller
>> MVP Directory Services
>> Hilltop Lab - http://www.rlmueller.net
>
> This is an interesting point. At what point are GPOs applied? Is it at
> login or at startup? If the gpo isn't applied until log in, this would
> definitely allow the machine to see its password is out of date before
> the new policy is applied.
>
>
> --
> insane_drummer

I think that it would need to be addressed on both the DCs and the client
machines. Have you spoken to the vendor about the issues you've been seeing
and got their recommendations? Since they designed it, I would imagine they
would know a little more about how to get their product to work in an AD
environment.

Ace
Re: XP Machine Account Password Changes [message #294451 is a reply to message #294356] Thu, 22 October 2009 09:25
insane_drummer
Yes, as I stated in my initial post:

> I did some reading and the drive protection software manufacturer
> recommends disabling Machine Account Password changes since the
> protection software would revert the machine to its old password after
> a reboot - post password change.


--
insane_drummer
Re: XP Machine Account Password Changes [message #294481 is a reply to message #294451] Thu, 22 October 2009 10:36
aceman
"insane_drummer" <insane_drummer.40gufb@DoNotSpam.com> wrote in message
news:insane_drummer.40gufb@DoNotSpam.com...
>
> Yes, as I stated in my initial post:
>
>> I did some reading and the drive protection software manufacturer
>> recommends disabling Machine Account Password changes since the
>> protection software would revert the machine to its old password after
>> a reboot - post password change.
>
>
> --
> insane_drummer

Sorry, it wasn't clear if you actually 'spoke' to them and not just read up
on it. Thanks for pointing that out.

Sorry, I don't have any other recommendations or a solution at this time to
resolve this other than what I've already mentioned. If you do find a
resolution, please share it with us. It will help others in a similar
situation.

Ace