Hi,
A related issue that we had arose in our
Training Lab. We image the Workstations then roll them back at the end of the
course. Works great for a month or so, then the workstation changes its
password and then when you reimage it the domain rejects it. You have to
disconnect it from the domain and re-add it.
We hassled Microsoft for a long time and finally
got the following info. We have implemented it and the re-imaging process has
worked for the last 6 weeks. Let's hope it keeps working.
Has anyone tried this approach with or without
success, and can anyone see any security issues with doing it?
Microsoft Support comment:-
Regardless, the basic answer is that under
normal circumstances, the client
machine is responsible for resetting its own password, and the interval at
which the machine changes its password is configurable through the client
registry, and can be disabled altogether:
175468 Effects of Machine Account Replication on a Domain
http://support.microsoft.com/?id=175468
154501 How to disable automatic machine account password changes
http://support.microsoft.com/?id=154501
So, setting either registry key on the client machines you want to vary the
interval on should allow you to accomplish your objective. If the machines
are Windows 2000 +, this can also be set through Local Security Policy,
using the "Maximum machine account password age" setting (Domain Member:
same text if Windows XP).
Alan Cuthbertson
Policy Management Software:- http://www.sysprosoft.com/pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/adm_summary.shtml
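Editor's added example, not code from the thread or from Microsoft: a PowerShell script that reads the two Netlogon registry values the KB articles above describe (DisablePasswordChange and MaximumPasswordAge under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters), flags the weakened settings, and shows the alternative of resetting the secure channel after a rollback instead of freezing the machine password. The Test-ComputerSecureChannel cmdlet it uses exists on Windows 7 / Server 2008 R2 and later, not on the Windows 2000/XP clients discussed here; the 30-day threshold and the LAB\joinaccount credential are placeholders.

```powershell
# Added example, not part of the ActiveDir thread or any Microsoft article:
# audits the Netlogon values that KB 154501 / KB 175468 describe and checks
# whether this workstation still has a working secure channel to the domain.
# Run from an elevated PowerShell prompt on a domain-joined machine.

$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-MachinePasswordPolicy {
    # Both values are REG_DWORD under the Netlogon Parameters key.
    # DisablePasswordChange = 1 stops the client from ever rotating its secret;
    # MaximumPasswordAge is the rotation interval in days. A missing value means
    # the OS default applies.
    $p = Get-ItemProperty -Path $NetlogonKey -ErrorAction Stop
    [pscustomobject]@{
        DisablePasswordChange  = [int]$p.DisablePasswordChange
        MaximumPasswordAgeDays = if ($null -ne $p.MaximumPasswordAge) { [int]$p.MaximumPasswordAge } else { $null }
    }
}

function Test-MachinePasswordPolicy {
    # Flags the two settings the thread proposes, from a defender's point of view:
    # a machine secret that never rotates stays valid indefinitely if the image
    # or the account's stored secret is ever copied.
    param([int]$MaxAcceptableDays = 30)   # assumed policy threshold, adjust to taste
    $pol = Get-MachinePasswordPolicy
    $findings = @()
    if ($pol.DisablePasswordChange -eq 1) {
        $findings += 'DisablePasswordChange=1: machine account password never rotates on this client'
    }
    if ($pol.MaximumPasswordAgeDays -gt $MaxAcceptableDays) {
        $findings += "MaximumPasswordAge=$($pol.MaximumPasswordAgeDays) days exceeds $MaxAcceptableDays"
    }
    [pscustomobject]@{ Policy = $pol; Findings = $findings }
}

function Repair-RestoredWorkstationTrust {
    # Alternative to disabling rotation: after rolling a lab image back, reset the
    # secure channel instead of leaving the secret static. Requires PowerShell on
    # Windows 7 / Server 2008 R2 or later (assumption; not available on the
    # Windows 2000/XP clients the thread discusses) and an account allowed to
    # reset the computer object's password.
    param([Parameter(Mandatory)][pscredential]$Credential)
    if (Test-ComputerSecureChannel) {
        Write-Output 'Secure channel is healthy; no reset needed.'
        return $true
    }
    # -Repair re-establishes the channel by resetting the account password in AD.
    return Test-ComputerSecureChannel -Repair -Credential $Credential
}

# Usage:
$report = Test-MachinePasswordPolicy
$report.Policy
if ($report.Findings.Count -eq 0) { 'No findings' } else { $report.Findings }
# After restoring an image (placeholder account name):
# Repair-RestoredWorkstationTrust -Credential (Get-Credential 'LAB\joinaccount')
```

The audit function answers the "any security issues" question above in concrete terms: a client with DisablePasswordChange set keeps the same machine secret for the life of the image, so anyone who obtains a copy of that image can authenticate as the computer account until someone resets it by hand. Repairing the secure channel after each rollback keeps rotation enabled and still avoids the rejected-by-domain symptom the thread describes.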
----- Original Message -----
From: "Depp, Dennis M." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 06, 2004 8:54 PM
Subject: RE: [ActiveDir] Cached Domain Credential
logon expiry for Win2k/XP
does not change its password it will not be able to talk to the domain
when it returns. The default time for this is 90 days.
Denny
________________________________
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 05, 2004 12:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Cached Domain Credential logon expiry
for Win2k/XP
Our cached logon expert is Rick, he should be along shortly with
info... :o)
I do not believe that there is an expiration. However a simple
test would be to take a test domain and set the password policy to 1 or
2 days and then join a laptop and see what happens if you don't log on
to the domain for 3 or 5 days or whatever.
joe
________________________________
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, May 05, 2004 11:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Cached Domain Credential logon expiry for
Win2k/XP
Does anyone know how long cached credentials for domain logons
are valid on Win2K/XP machines? Is there even an expiry date? A
concern was raised by our desktop OS group that cached credentials for
domain logons may expire for laptop users who spend considerable time
away from the office, leaving them unable to access the workstation. In
my life as a road warrior, I never had this happen to me, but I was
never away from a network connection (VPN or otherwise) for more than 2
weeks.
I have been searching for a definitive answer in terms of a KB
article or some other "authoritative source" (I guess my "trust me"
response was not authoritative enough), but have been unable to find
one.
David Frost
Directory Engineering,
Messaging, Directories and PKI Engineering Services
Industry Canada
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/