Re: Windows XP Computer Object Password Change Process with AD
- From: al <al@xxxxxxxxxxx>
- Date: Fri, 21 Sep 2007 10:15:58 -0700
On Sep 19, 11:07 pm, "Mathieu CHATEAU" <gollum...@xxxxxxx> wrote:
Part of the answer here: http://support.microsoft.com/kb/325850/EN-US/
Each Windows-based computer maintains a machine account password history
that contains the current and previous passwords that are used for the
account. When two computers try to authenticate with each other and a change
to the current password is not yet received, Windows relies on the previous
password. If the sequence of password changes exceeds two changes, the
computers involved may not be able to communicate, and you may receive error
messages. For example, you may receive "Access Denied" error messages when
Active Directory replication occurs.
So you can live for 60 days without being connected to the domain.
It will change the password as soon as it tries to authenticate against AD,
after the 30 days.
--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
"MSBob69" <MSBo...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0FAC76D5-2976-428E-BF26-950BACEC386B@xxxxxxxxxxxxxxxx
Again we dance!
Let me add more context to my question:
I want to delete workstations that haven't been on my network for 90 days. I know I can use the dsquery tool to find these machines, but users are finding their machines on the pending deletion list and are telling me they use their machine all the time. So, why isn't the computer object password getting updated?
That is why I am trying to get details on HOW machines update their password into AD.
Please don't tell me how to use dstools or a vbscript to do this; tell me the process used to update the password and examples of what will happen if it fails.
Again read my original questions!
MSBob69
"MSBob69" wrote:
I am trying to get a better understanding of how Windows XP changes its password every 30 days with Active Directory. I can't seem to get any details on the process.
A computer object's password is 30 days old; what does the computer do?
Does it process the request during boot up?
What happens if it fails, and when does it try it again?
What happens when the machine is off the network, like at home?
Does it try to change the password but, since it is off the corp network, it doesn't process the request?
Does it wait another 30 days to try to change the password?
MSBob69
********************************** 9/21
This is the best explanation I found: Upon starting, Netlogon attempts
to discover a DC for the domain in which its machine account exists.
After locating the appropriate DC, the machine account password from
the workstation is authenticated against the password on the DC. After
the machine account is verified, the workstation establishes a secure
channel with that DC. If it is a DC, when you start a PDC, Netlogon
builds a list of all the BDCs in the domain, and a list of trusted
domains. At this time, Netlogon attempts to set up a secure channel
with a DC from each trusted domain, and if this attempt does not
succeed, Netlogon does not make another attempt until a secure channel
with that domain is explicitly needed.
http://blogs.technet.com/asiasupp/archive/2007/01/18/typical-symptoms-when-secure-channel-is-broken.aspx
Take a look at that article. I thought it was a good explanation.
To participate in a domain, computers need a secure channel to a
domain controller. A secure channel is an authenticated connection
that can transmit encrypted data. To set up the secure channel, a
computer must present a password to a domain controller. Similar to
the way in which it authenticates a user account, Active Directory
will use Kerberos authentication to verify the identity of a computer
account. Without the computer object and, by association, the password
stored with it that is changed behind the scenes on a regular basis by
the operating system, there would be no way for the domain controller
to verify a computer is what it claims to be.
http://safari.oreilly.com/059610202X/activedckbk2-CHP-8
The computer's password is stored locally in the form of an LSA secret
and in AD. This password is used by the NetLogon Service to establish
a secure channel w/ the DC. If they become out of sync the computer
will no longer be able to authenticate in the domain. You'll have to
reset the computer's account. So it doesn't look like the computer
keeps trying. From what little I have found, it looks like you'll see
error messages in the event logs. You can either rejoin the domain or
use the netdom reset command to reset the password on both the
computer and in AD. The article also said that w2k and newer systems
automatically change their passwords in the domain.
http://books.google.com/books?id=p-yw7g2R-4kC&pg=RA3-PA318&lpg=RA3-PA318&dq=active+directory+computer+secure+channel&source=web&ots=9ZBSBZrHQk&sig=DI0h0YRxzblsJFgmersE2v_9f10#PRA3-PA320,M1
Again, from what little I've found it sounds like the LSA service
verifies the password when the computer is logging onto the domain
(and authenticating with the DC). It looks like during the
authentication process the computer's password & validity is verified
w/ the DC. So I wouldn't say it occurs on boot up - I would say it
occurs during the Authentication. And every 30 days during this
process, it changes its password. And if it fails it does not try
again. The password has to be reset and if unsuccessful then you will
have to rejoin the domain. So for a computer that is off the network,
you can try using netdom to reset the password and if that is
unsuccessful you will have to rejoin the domain. That is a bit tricky
when you aren't on the corporate network (at home). I'm not too sure
what happens if your computer is at home and you aren't on the
corporate network?
I hope this helps. I didn't find a lot.
al
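A defender-side triage for the situation MSBob69 describes (machines in daily use that still show an old computer-account password), as an added PowerShell example that is not from any poster in this thread. It assumes the RSAT ActiveDirectory module on the admin workstation, read access to the domain, and that the Netlogon registry values named in the comments carry their documented meaning; the "Verdict" labels are constructed for the report.

```powershell
# Added example (not from the thread): triage a 90-day "stale computer" list so
# that machines whose password simply failed to rotate are not confused with
# machines that are really gone. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-90)

# pwdLastSet is the attribute a dsquery "inactive" check keys on. Pull the raw
# FILETIME values and filter client-side to avoid AD filter-syntax surprises.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' `
    -Properties pwdLastSet, lastLogonTimestamp, operatingSystem

$report = foreach ($c in $computers) {
    $pwd   = [DateTime]::FromFileTime($c.pwdLastSet)      # 0 -> year 1601, i.e. never set
    $logon = if ($c.lastLogonTimestamp) { [DateTime]::FromFileTime($c.lastLogonTimestamp) } else { $null }
    if ($pwd -lt $cutoff) {
        [PSCustomObject]@{
            Name        = $c.Name
            OS          = $c.operatingSystem
            PasswordSet = $pwd
            LastLogon   = $logon
            # Recent logon but old password: the machine is in use, so the
            # rotation itself is failing. Investigate it; do not delete it.
            Verdict     = if ($logon -and $logon -gt $cutoff) { 'InUse-RotationFailing' } else { 'LikelyStale' }
        }
    }
}
$report | Sort-Object PasswordSet | Format-Table -AutoSize

# On a flagged workstation (run locally, elevated): read the Netlogon settings
# that govern the 30-day change, then verify the secure channel to the DC.
$nl = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
"DisablePasswordChange = $($nl.DisablePasswordChange)   (1 = rotation switched off)"
"MaximumPasswordAge    = $($nl.MaximumPasswordAge)      (days, default 30)"

Test-ComputerSecureChannel -Verbose
# If this returns False, the passwords are out of sync. Repairing in place is the
# cmdlet equivalent of the netdom reset mentioned above and avoids a rejoin:
# Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
```

The secure-channel check and repair only work when the workstation can reach a domain controller, which is the same constraint the thread notes for a machine sitting at home.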