I did get an answer on this from someone else. I thought I'd pass this on in case it would help someone else.

"You are right about the trust problem. Every 7 days (with a 7-day offset so up to 14 days) the device and the domain exchange a new "secret". The domain typically stores the current secret and the last secret, so you can be off of the wire anywhere from 14 - 28 days.

If these things are going to be off-line for any amount of time, the best thing to do is make them members of a workgroup. Once they come up, provided that AD is not hosed, they can just re-join. Then again if AD is hosed, having a workstation won't matter since you won't be able to authenticate anywhere.

You may consider using Windows 98 or Me. They are never true members of a domain, so they don't have the same problems. However, they can still be configured to log on to the domain at boot.

This secret limitation also exists between NT devices and NT 4 domains. We don't see this as much, because in the NT 4 days, non-NT-kernel devices were much more prevalent (Windows 9x)."

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 14, 2001 9:47 AM
To: NT System Admin Issues
Subject: Cold storage of Windows 2000 AD PCs

We are finishing up some BCP work started earlier this year by building 20-25 Windows 2000 PCs and putting them in storage at an off-site facility.

Question: before unplugging them from the network, should we remove them from the AD domain? My concern is with the AD computer accounts. If the PC doesn't see AD for many weeks/months, will it be a royal mess because the computer account will have been inactive so long?

Tom Kustner
Wells Fargo Retirement Plan Services
Any opinions are strictly my own and not necessarily those of Wells Fargo.

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
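
Added example, not part of the original thread and not written by either poster: a check to run on a stored PC once it is reconnected, reporting the Netlogon settings that govern the machine secret exchange discussed above and whether the secure channel to the domain still validates. It assumes Windows PowerShell 5.1 on a later Windows version than the Windows 2000 systems in the thread; the helper name Get-NetlogonValue is hypothetical.

```powershell
# Added example (not from the thread). Run in an elevated Windows PowerShell 5.1 session.
$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-NetlogonValue {
    # Hypothetical helper: reads one Netlogon parameter from the registry.
    param([Parameter(Mandatory)][string]$Name)
    # Returns $null when the value is absent, meaning the OS default applies.
    $props = Get-ItemProperty -Path $netlogonKey -ErrorAction SilentlyContinue
    if ($props -and ($props.PSObject.Properties.Name -contains $Name)) {
        return $props.$Name
    }
    return $null
}

$cs = Get-CimInstance -ClassName Win32_ComputerSystem

$channelOk = $null
if ($cs.PartOfDomain) {
    try {
        # True when the locally stored machine secret still matches the domain's copy.
        $channelOk = Test-ComputerSecureChannel -ErrorAction Stop
    } catch {
        # No reachable domain controller, or the check itself failed.
        $channelOk = $false
        Write-Warning "Secure channel check failed: $($_.Exception.Message)"
    }
}

[pscustomobject]@{
    Computer              = $env:COMPUTERNAME
    Domain                = $cs.Domain
    PartOfDomain          = $cs.PartOfDomain
    MaximumPasswordAge    = Get-NetlogonValue -Name 'MaximumPasswordAge'     # days between secret changes
    DisablePasswordChange = Get-NetlogonValue -Name 'DisablePasswordChange'  # 1 = this PC never rotates its secret
    SecureChannelValid    = $channelOk
}

if ($cs.PartOfDomain -and -not $channelOk) {
    Write-Warning 'Trust with the domain is broken or unverifiable; rejoin the domain or run Test-ComputerSecureChannel -Repair with domain credentials.'
}
```

A workgroup member reports PartOfDomain as False and SecureChannelValid as empty, since there is no machine secret to validate.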