Hi,
 
A related issue that we had arose in our Training Lab. We image the Workstations then roll them back at the end of the course. Works great for a month or so, then the workstation changes its password and then when you reimage it the domain rejects it. You have to disconnect it from the domain and re-add it.
 
We hassled Microsoft for a long time and finally got the following info. We have implemented it and the re-imaging process has worked for the last 6 weeks. Let's hope it keeps working.
 
Has anyone tried this approach with or without success, and can anyone see any security issues with doing it?
 
Microsoft Support comment:-
Regardless, the basic answer is that under normal circumstances, the client
machine is responsible for resetting its own password, and the interval at
which the machine changes its password is configurable through the client
registry, and can be disabled altogether:

175468 Effects of Machine Account Replication on a Domain
http://support.microsoft.com/?id=175468

154501 How to disable automatic machine account password changes
http://support.microsoft.com/?id=154501

So, setting either registry key on the client machines you want to vary the
interval on should allow you to accomplish your objective. If the machines
are Windows 2000 +, this can also be set through Local Security Policy,
using the "Maximum machine account password age" setting (Domain Member:
same text if Windows XP).

 
Alan Cuthbertson
 
Policy Management Software:- http://www.sysprosoft.com/pol_summary.shtml
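The two registry values the Microsoft reply points at (DisablePasswordChange from KB154501 and MaximumPasswordAge from KB175468) both live under the Netlogon Parameters key, and the cached-logon count that the original question is about is a Winlogon value. The script below is an added read-only audit example, not code from the thread, from Microsoft or from the product in the signature; it assumes the value names from those KB articles, a Windows client where Test-ComputerSecureChannel exists (Windows 7 / PowerShell 2.0 or later, so not the Win2k/XP machines the thread discusses), and an elevated prompt. It reports whether machine account password changes have been disabled on the client, which is what the lab fix does and what a reviewer would want to spot on a machine that is supposed to be a normal domain member.

```powershell
# Added example (not from the thread): audit the client-side machine account
# password settings referenced in KB154501 / KB175468 and the cached-logon count.
# Read-only; changes nothing. Run elevated on the workstation being checked.

$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-RegValueOrDefault {
    # Returns the named value, or $Default when the value (or key) is absent.
    param([string]$Path, [string]$Name, $Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return $item.$Name
}

function Get-MachineAccountPasswordAudit {
    # DisablePasswordChange = 1 means the client never rotates its own secret
    # (policy name: "Domain member: Disable machine account password changes").
    $disable = [int](Get-RegValueOrDefault $NetlogonKey 'DisablePasswordChange' 0)

    # MaximumPasswordAge is the rotation interval in days; when the value is
    # absent Netlogon uses its built-in default
    # (policy name: "Domain member: Maximum machine account password age").
    $maxAge = Get-RegValueOrDefault $NetlogonKey 'MaximumPasswordAge' $null

    # CachedLogonsCount is stored as a string; it caps how many distinct domain
    # users can still log on while the DC is unreachable. It is a count, not an
    # expiry, which matches the answer given further down the thread.
    $cached = Get-RegValueOrDefault $WinlogonKey 'CachedLogonsCount' '10'

    # Secure channel health tells you whether the DC still accepts this
    # machine's current secret (the failure the lab hit after re-imaging).
    $channelOk = $null
    if (Get-Command Test-ComputerSecureChannel -ErrorAction SilentlyContinue) {
        $channelOk = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
    }

    $findings = @()
    if ($disable -eq 1) {
        $findings += 'Machine account password rotation is DISABLED on this client; ' +
                     'acceptable only for re-imaged lab hosts, review if seen elsewhere.'
    }
    if ($null -ne $maxAge -and [int]$maxAge -gt 30) {
        $findings += "MaximumPasswordAge is $maxAge days (longer than the usual 30)."
    }
    if ($channelOk -eq $false) {
        $findings += 'Secure channel to the domain is broken; the machine secret ' +
                     'no longer matches the DC (expect logon/GPO failures).'
    }

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        DisablePasswordChange   = $disable
        MaximumPasswordAgeDays  = $maxAge
        CachedLogonsCount       = [int]$cached
        SecureChannelHealthy    = $channelOk
        Findings                = $findings
    }
}

Get-MachineAccountPasswordAudit | Format-List
```

For a fleet check, run the function through Invoke-Command against a list of hosts and filter on a non-empty Findings array; the interesting result is any machine outside the lab OU that reports DisablePasswordChange = 1.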
 
----- Original Message -----
From: "Depp, Dennis M." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 06, 2004 8:54 PM
Subject: RE: [ActiveDir] Cached Domain Credential logon expiry for Win2k/XP

There is not a time limit for cached credentials, but if the machine
does not change its password it will not be able to talk to the domain
when it returns.  The default time for this is 90 days.
 
Denny


________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 05, 2004 12:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Cached Domain Credential logon expiry for Win2k/XP


Our cached logon expert is Rick, he should be along shortly with
info... :o)

I do not believe that there is an expiration. However a simple
test would be to take a test domain and set the password policy to 1 or
2 days and then join a laptop and see what happens if you don't log on
to the domain for 3 or 5 days or whatever.

   joe

________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, May 05, 2004 11:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Cached Domain Credential logon expiry for Win2k/XP



Does anyone know how long cached credentials for domain logons
are valid on Win2K/XP machines?  Is there even an expiry date?  A
concern was raised by our desktop OS group that cached credentials for
domain logons may expire for laptop users who spend considerable time
away from the office, leaving them unable to access the workstation.  In
my life as a road warrior, I never had this happen to me, but I was
never away from a network connection (VPN or otherwise) for more than 2
weeks.

I have been searching for a definitive answer in terms of a KB
article or some other "authoritative source" ( I guess my trust me
response was not authoritative enough), but have been unable to find
one.



David Frost
Directory Engineering,
Messaging, Directories and PKI Engineering Services
Industry Canada


List info   :
http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/