insane_drummer (Guest)
Posted: Mon Oct 19, 2009 6:53 pm
Post subject: XP Machine Account Password Changes
We have several hundred Windows XP clients that are used in Lab and
Classroom settings. These machines are protected by Compguard
Cornerstone (a drive protection software). Within the last 6 months
almost all of these machines began falling off the domain every 30 days.
I did some reading and the drive protection software manufacturer
recommends disabling Machine Account Password changes since the
protection software would revert the machine to its old password after
a reboot - post password change.
After reading up on the Machine Account Password GPO settings, I placed
a GPO in the OU in Active Directory which contains our protected
machines. I adjusted the value of "Disable Machine Account Password
Changes" to 'Enable' which should prevent the machine from future
changes.
I logged into a number of these machines and the GPO was indeed being
applied; however, yet again after 30 days, all the machines start to
fall off the domain!
Am I missing something? Is there another step that I need to take to
get these machines to stop changing their account passwords?
Any help would be much appreciated!!
--
insane_drummer
View this thread: http://forums.techarena.in/active-directory/1260379.htm
Richard Mueller [MVP] (Guest)
Posted: Tue Oct 20, 2009 12:15 am
Post subject: Re: XP Machine Account Password Changes
"insane_drummer" <insane_drummer.40bobe@DoNotSpam.com> wrote in message
news:insane_drummer.40bobe@DoNotSpam.com...
Quote:
We have several hundred Windows XP clients that are used in Lab and
Classroom settings. These machines are protected by Compguard
Cornerstone (a drive protection software). Within the last 6 months
almost all of these machines began falling off the domain every 30 days.
I did some reading and the drive protection software manufacturer
recommends disabling Machine Account Password changes since the
protection software would revert the machine to its old password after
a reboot - post password change.
After reading up on the Machine Account Password GPO settings, I placed
a GPO in the OU in Active Directory which contains our protected
machines. I adjusted the value of "Disable Machine Account Password
Changes" to 'Enable' which should prevent the machine from future
changes.
I logged into a number of these machines and the GPO was indeed being
applied; however, yet again after 30 days, all the machines start to
fall off the domain!
Am I missing something? Is there another step that I need to take to
get these machines to stop changing their account passwords?
Any help would be much appreciated!!
I wonder if the GPO is not being applied to the local computers. Check in
Control Panel, Administrative Tools, Local Security Policy, Security
Options. You should see the same policy setting, plus the maximum password
age. If it is disabled, then perhaps the GPO is blocked. You could also
experiment by setting the max password age to a few days temporarily on a
machine.
I assume you are aware that it is not recommended that you enable this
policy.
--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
Meinolf Weber [MVP-DS] (Guest)
Posted: Tue Oct 20, 2009 5:55 am
Post subject: Re: XP Machine Account Password Changes
Hello insane_drummer,
I agree with Richard about disabling that setting. On the computer, logged
in as a user, run rsop.msc or gpresult /v and check if the GPO is applied
and listed correctly.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Quote:
We have several hundred Windows XP clients that are used in Lab and
Classroom settings. These machines are protected by Compguard
Cornerstone (a drive protection software). Within the last 6 months
almost all of these machines began falling off the domain every 30
days. I did some reading and the drive protection software
manufacturer recommends disabling Machine Account Password changes
since the protection software would revert the machine to its old
password after a reboot - post password change.
After reading up on the Machine Account Password GPO settings, I
placed a GPO in the OU in Active Directory which contains our
protected machines. I adjusted the value of "Disable Machine Account
Password Changes" to 'Enable' which should prevent the machine from
future changes.
I logged into a number of these machines and the GPO was indeed being
applied; however, yet again after 30 days, all the machines start to
fall off the domain!
Am I missing something? Is there another step that I need to take to
get these machines to stop changing their account passwords?
Any help would be much appreciated!!
insane_drummer (Guest)
Posted: Tue Oct 20, 2009 1:19 pm
Post subject: Re: XP Machine Account Password Changes
Another update. I set up a test machine here in the office and put our
protection software on it along with netdom.exe to try and force a
password reset.
I checked the local policy and it was set to NOT allow password
resets.
When I ran netdom to reset the password, it returned the error that the
password could not be reset; however, I then rebooted the computer and
was then no longer able to log in.
It's almost as if the policy is not keeping the passwords from being
reset...
--
insane_drummer
Ace Fekay [MCT] (Guest)
Posted: Tue Oct 20, 2009 1:23 pm
Post subject: Re: XP Machine Account Password Changes
"insane_drummer" <insane_drummer.40czjb@DoNotSpam.com> wrote in message
news:insane_drummer.40czjb@DoNotSpam.com...
At this point, it would appear that the best course of action is to contact
the makers of Compguard Cornerstone. As Richard said, it may appear, even
though an rsop and gpresults show the policy is being retrieved or applied,
the security app may be preventing it from actually applying.
I also agree with Richard that this setting is really not advised due to
security reasons. Kind of a catch-22 that you are using a drive security app
but disabling built-in protection on the AD side.
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.
Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
Ace Fekay [MCT] (Guest)
Posted: Tue Oct 20, 2009 1:40 pm
Post subject: Re: XP Machine Account Password Changes
"insane_drummer" <insane_drummer.40d2bb@DoNotSpam.com> wrote in message
news:insane_drummer.40d2bb@DoNotSpam.com...
Quote:
Another update. I set up a test machine here in the office and put our
protection software on it along with netdom.exe to try and force a
password reset.
I checked the local policy and it was set to NOT allow password
resets.
When I ran netdom to reset the password, it returned the error that the
password could not be reset; however, I then rebooted the computer and
was then no longer able to log in.
It's almost as if the policy is not keeping the passwords from being
reset...
--
insane_drummer
Looking into this setting further, and as advised, even the following link
indicates not to enable this setting.
Domain member: Disable machine account password changes:
Security ... Domain member: Disable machine account password changes.
Updated: January 21, 2005
http://technet.microsoft.com/en-us/library/cc785826(WS.10).aspx
It could be possible that enabling this on workstations may be working, but
the DCs are expecting the password to still get changed and not accepting
communications once the password expired. For Windows 2000 and later, the
default computer account password change is 30 days. NT4 was every 7 days.
Effects of machine account replication on a domain
Domain Member: Disable machine account password changes (DisablePasswordChange);
Domain Member: Maximum machine account password age (MaximumPasswordAge) ...
Also indicates default machine password expiration time.
http://support.microsoft.com/kb/175468
I believe you'll also need to have the DCs' registry setting for the
password changed to be set to enabled for "RefusePasswordChange."
Are you seeing Event ID 5721 on the DCs? Read the following for more info
for the above setting and other information regarding what you're trying to
accomplish. Disregard the OS version. The information still applies.
How to disable automatic machine account password changes
On Microsoft Windows NT-based computers and on Microsoft Windows 2000-based
computers, machine account passwords are regularly changed for security purposes ...
http://support.microsoft.com/kb/154501
Ace
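A diagnostic script for the settings Richard and Ace describe (the local Netlogon values behind the two "Domain member" policies, the DC-side RefusePasswordChange value, and the computer account's pwdLastSet in AD), added here as an example and not part of the thread. It assumes PowerShell 2.0 or later on a domain-joined machine with read access to its own computer object.

```powershell
# Added example (not from the thread). Assumes PowerShell 2.0+ on a domain-joined
# machine and read access to its own computer object in Active Directory.
# Reads the Netlogon values behind the two "Domain member" policy settings,
# the DC-side RefusePasswordChange value (only meaningful on a DC), and the
# computer account's pwdLastSet in AD, so the three can be compared.

$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$params = Get-ItemProperty -Path $netlogonKey

function Get-DwordOrDefault([object]$obj, [string]$name, [int]$default) {
    # These registry values are absent until a policy or an admin sets them.
    if ($obj.PSObject.Properties[$name]) { return [int]$obj.$name }
    return $default
}

# Domain member: Disable machine account password changes  (1 = enabled)
$disableChange = Get-DwordOrDefault $params 'DisablePasswordChange' 0
# Domain member: Maximum machine account password age      (days, default 30)
$maxAgeDays    = Get-DwordOrDefault $params 'MaximumPasswordAge' 30
# KB154501 DC-side setting: DC refuses client password change requests
$refuseChange  = Get-DwordOrDefault $params 'RefusePasswordChange' 0

"DisablePasswordChange : $disableChange"
"MaximumPasswordAge    : $maxAgeDays days"
"RefusePasswordChange  : $refuseChange (DC only)"

# Look up this computer's own account; a computer's sAMAccountName ends in '$'.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
[void]$searcher.PropertiesToLoad.Add('pwdLastSet')
$result = $searcher.FindOne()

if ($result -eq $null) {
    "Computer object not found; the secure channel may already be broken."
} else {
    # pwdLastSet is a FILETIME stored as Int64.
    $lastSet = [DateTime]::FromFileTime([Int64]$result.Properties['pwdlastset'][0])
    $ageDays = [int]((Get-Date) - $lastSet).TotalDays
    "Computer account password last set: $lastSet ($ageDays days ago)"
    if ($disableChange -eq 1 -and $ageDays -lt $maxAgeDays) {
        # The symptom in this thread: policy says 'do not change', yet AD shows
        # a change newer than the policy allows. Compare the date against when
        # the GPO was applied; if the change is later, something on the client
        # is rotating the password (or reverting the policy) behind the GPO.
        "NOTE: changes are disabled locally but AD shows a recent change."
    }
}

# Verifies the client's secure channel to a DC (cmdlet exists in PowerShell 2.0+).
"Secure channel healthy: $(Test-ComputerSecureChannel)"
```

Run it on a protected client before and after the drive-protection software's reboot revert; if pwdLastSet in AD moves while DisablePasswordChange stays at 1 on the client, the client and the DC disagree about the password, which is the logon failure the thread describes.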
Richard Mueller [MVP] (Guest)
Posted: Tue Oct 20, 2009 1:52 pm
Post subject: Re: XP Machine Account Password Changes
"Ace Fekay [MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:ua3b7kZUKHA.4484@TK2MSFTNGP02.phx.gbl...
I agree. It seems as if Compguard Cornerstone restores the old policy on
reboot. That's how it works to prevent alterations by users. Maybe you could
disable Compguard Cornerstone (or turn it off), apply the new policy, then
re-enable it.
I don't find much discussion or documentation on altering the computer
account password expiration policy, but I'm sure the 30 day default maximum
password age was chosen for a reason. The consequences of a compromised
password could be very bad. No matter how complex or long a password, it can
be hacked given enough time. Seems there should be a better solution.
--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
Ace Fekay [MCT] (Guest)
Posted: Wed Oct 21, 2009 12:40 am
Post subject: Re: XP Machine Account Password Changes
"Richard Mueller [MVP]" <rlmueller-nospam@ameritech.nospam.net> wrote in
message news:%23WZ2pjdUKHA.2932@TK2MSFTNGP04.phx.gbl...
Quote:
"Ace Fekay [MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:ua3b7kZUKHA.4484@TK2MSFTNGP02.phx.gbl...
"insane_drummer" <insane_drummer.40czjb@DoNotSpam.com> wrote in message
news:insane_drummer.40czjb@DoNotSpam.com...
I came in this morning and more of our computers had dropped off the
domain. No one is able to log in because it says the DC or Domain is not
available.
After logging in as Administrator, I look at rsop.msc to see a red "X"
over computer configuration:
[image: http://02hdwq.blu.livefilestore.com/y1prdacnZOPAAvfDGxNAdadcwv1yCTA-8q2dP9oJCMI1_ICMZhHC1XTJ8VLgNgMvEWQCrCEXeJp6WoLt5EKiKqBsB7b8b0Sv6n9/computer_config.jpg]
Drilling down through the list of policies I did not find any more red
"X"s, but the policy which I set up appears to not be applied:
[image: http://02hdwq.blu.livefilestore.com/y1pMTlQcD9GJq8Gu1FFu_KnSM2fDeQoD8ZRLdev-3p1vXPdOvK6NcbU_a7KM7jEXY2DzW1YcGSiPSqLb2A2YFKPo88IVbZ1hMYJ/machine_account_pw.jpg]
Once I rejoined the machine to the Domain, I was able to log in under a
domain user account. The rsop.msc looked like this:
[image: http://02hdwq.blu.livefilestore.com/y1pdEDWpwQwwz3onfmiqlzhHHtEMwK6icrXgRuHrU2GH6gX_VhgiO9UWDWl0khasbIk-DFoRZroY343VtCK-hBFyFiHInzX7CPF/comp_config_error.jpg]
The GPO for machine accounts is once again set correctly and it shows
my GPO as the Source:
[image: http://02hdwq.blu.livefilestore.com/y1phnYrBuiqHFukS0wix-kE4F9rk4GpAfRRANUW4_fPk2oTWoNPWUH_da4LERdZLQtaNu3Boe7bQCae9yscL1tEvfOnhaM9FlLy/policy_set.jpg]
Thoughts?
--
insane_drummer
At this point, it would appear that the best course of action is to
contact the makers of Compguard Cornerstone. As Richard said, it may
appear, even though an rsop and gpresults show the policy is being
retrieved or applied, the security app may be preventing it from actually
applying.
I also agree with Richard that this setting is really not advised due to
security reasons. Kind of a catch-22 that you are using a drive security
app but disabling built-in protection on the AD side.
I agree. It seems as if Compguard Cornerstone restores the old policy on
reboot. That's how it works to prevent alterations by users. Maybe you
could disable Compguard Cornerstone (or turn it off), apply the new
policy, then re-enable it.
I don't find much discussion or documentation on altering the computer
account password expiration policy, but I'm sure the 30 day default
maximum password age was chosen for a reason. The consequences of a
compromised password could be very bad. No matter how complex or long a
password, it can be hacked given enough time. Seems there should be a
better solution.
--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
I couldn't find much discussion-wise with this topic, either. It seems that
most just leave it to default, which I've found works fine. :-)
Ace
insane_drummer (Guest)
Posted: Thu Oct 22, 2009 12:21 am
Post subject: Re: XP Machine Account Password Changes
This makes me think that I have another problem - something perhaps
related to DNS or GPOs not applying correctly.
I started researching other drive protection software packages to see
what their creators had to say about this. Every single one recommends
that you disable the machine account password changes.
Let me clarify that the purpose of our drive protection software is to
maintain an image for classroom/lab purposes. It reverts any changes
made by the multitude of users we see back to the original state. This
has always worked flawlessly for us up until about a year ago.
We began seeing a problem on a remote site of our domain - laptops that
were in a mobile lab with this protection software on them. They would
fall off the domain every 30 days. About the time that we discovered what
the cause was, almost all of the rest of the machines that had this
protection software on them began falling off the domain. We hadn't
experienced this problem in the 4 years we have had this software
implemented, so either something has changed with a Microsoft patch, or
perhaps a server-client relationship - I'm really at a loss.
We have decided that, as a site, we are willing to disable the machine
account password changes (and accept the increased security risk) to
reduce man hours related to constantly reimaging and cleaning machines.
Now I just need to figure out WHY these machines keep changing passwords
when the GPO specifically states not to!
--
insane_drummer
Ace Fekay [MCT] (Guest)
Posted: Thu Oct 22, 2009 2:50 am
Post subject: Re: XP Machine Account Password Changes
"insane_drummer" <insane_drummer.40frjc@DoNotSpam.com> wrote in message
news:insane_drummer.40frjc@DoNotSpam.com...
Quote:
This makes me think that I have another problem - something perhaps
related to DNS or GPOs not applying correctly.
I started researching other drive protection software packages to see
what their creators had to say about this. Every single one recommends
that you disable the machine account password changes.
Let me clarify that the purpose of our drive protection software is to
maintain an image for classroom/lab purposes. It reverts any changes
made by the multitude of users we see back to the original state. This
has always worked flawlessly for us up until about a year ago.
We began seeing a problem on a remote site of our domain - laptops that
were in a mobile lab with this protection software on them. They would
fall off the domain every 30 days. About the time that we discovered what
the cause was, almost all of the rest of the machines that had this
protection software on them began falling off the domain. We hadn't
experienced this problem in the 4 years we have had this software
implemented, so either something has changed with a Microsoft patch, or
perhaps a server-client relationship - I'm really at a loss.
We have decided that, as a site, we are willing to disable the machine
account password changes (and accept the increased security risk) to
reduce man hours related to constantly reimaging and cleaning machines.
Now I just need to figure out WHY these machines keep changing passwords
when the GPO specifically states not to!
--
insane_drummer
Imaging? Have you Sysprepped the images?
Ace
insane_drummer (Guest)
Posted: Thu Oct 22, 2009 11:43 am
Post subject: Re: XP Machine Account Password Changes
Ace Fekay [MCT] wrote:
Quote:
"insane_drummer" <insane_drummer.40d2bb@DoNotSpam.com> wrote in message
news:insane_drummer.40d2bb@DoNotSpam.com...
Looking into this setting further, and as advised, even the following
link indicates not to enable this setting.
Domain member: Disable machine account password changes:
Security ... Domain member: Disable machine account password changes.
Updated: January 21, 2005
http://technet.microsoft.com/en-us/library/cc785826(WS.10).aspx
It could be possible that enabling this on workstations may be working,
but the DCs are expecting the password to still get changed and not
accepting communications once the password expired. For Windows 2000 and later,
the default computer account password change is 30 days. NT4 was every 7
days.
Effects of machine account replication on a domain
Domain Member: Disable machine account password changes (DisablePasswordChange);
Domain Member: Maximum machine account password age (MaximumPasswordAge) ...
Also indicates default machine password expiration time.
http://support.microsoft.com/kb/175468
I believe you'll also need to have the DCs' registry setting for the
password changed to be set to enabled for "RefusePasswordChange."
Are you seeing Event ID 5721 on the DCs? Read the following for more
info for the above setting and other information regarding what you're
trying to accomplish. Disregard the OS version. The information still applies.
How to disable automatic machine account password changes
On Microsoft Windows NT-based computers and on Microsoft Windows 2000-based
computers, machine account passwords are regularly changed for security purposes
...
http://support.microsoft.com/kb/154501
Ace
I'm sorry, I didn't see your post before...
According to the Microsoft article, disabling the password changes on
the client would be the 1st workaround, and disabling them on the server
would be a second workaround. I'm not seeing anything about them needing
to both be changed, unless you see something I don't. The reason I would
only want to do it on the client side would be to restrict this policy
to only our lab computers, not staff machines.
I am curious; however,
Quote:
Imaging? Have you Sysprepped the images?
Ace
Yes, all images are sysprepped before deployment. We use Symantec Ghost
Solution Suite to deploy images.
Quote:
I agree. It seems as if Compguard Cornerstone restores the old policy
on reboot. That's how it works to prevent alterations by users. Maybe you
could disable Compguard Cornerstone (or turn it off), apply the new policy,
then re-enable it.
I don't find much discussion or documentation on altering the computer
account password expiration policy, but I'm sure the 30 day default
maximum password age was chosen for a reason. The consequences of a
compromised password could be very bad. No matter how complex or long a password,
it can be hacked given enough time. Seems there should be a better solution.
--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
This is an interesting point. At what point are GPOs applied? Is it at
login or at startup? If the GPO isn't applied until log in, this would
definitely allow the machine to see its password is out of date before
the new policy is applied.
--
insane_drummer
Ace Fekay [MCT] (Guest)
Posted: Thu Oct 22, 2009 1:04 pm
Post subject: Re: XP Machine Account Password Changes
"insane_drummer" <insane_drummer.40govb@DoNotSpam.com> wrote in message
news:insane_drummer.40govb@DoNotSpam.com...
Quote:
Ace Fekay [MCT] wrote:
"insane_drummer" <insane_drummer.40d2bb@DoNotSpam.com> wrote in message
news:insane_drummer.40d2bb@DoNotSpam.com...
Looking into this setting further, and as advised, even the following
link indicates not to enable this setting.
Domain member: Disable machine account password changes:
Security ... Domain member: Disable machine account password changes.
Updated: January 21, 2005
http://technet.microsoft.com/en-us/library/cc785826(WS.10).aspx
It could be possible that enabling this on workstations may be working,
but the DCs are expecting the password to still get changed and not
accepting communications once the password expired. For Windows 2000 and later,
the default computer account password change is 30 days. NT4 was every 7
days.
Effects of machine account replication on a domain
Domain Member: Disable machine account password changes (DisablePasswordChange);
Domain Member: Maximum machine account password age (MaximumPasswordAge) ...
Also indicates default machine password expiration time.
http://support.microsoft.com/kb/175468
I believe you'll also need to have the DCs' registry setting for the
password changed to be set to enabled for "RefusePasswordChange."
Are you seeing Event ID 5721 on the DCs? Read the following for more
info for the above setting and other information regarding what you're
trying to accomplish. Disregard the OS version. The information still applies.
How to disable automatic machine account password changes
On Microsoft Windows NT-based computers and on Microsoft Windows 2000-based
computers, machine account passwords are regularly changed for security purposes
...
http://support.microsoft.com/kb/154501
Ace
I'm sorry, I didn't see your post before...
According to the Microsoft article, disabling the password changes on
the client would be the 1st workaround, and disabling them on the server
would be a second workaround. I'm not seeing anything about them needing
to both be changed, unless you see something I don't. The reason I would
only want to do it on the client side would be to restrict this policy
to only our lab computers, not staff machines.
I am curious; however,
Imaging? Have you Sysprepped the images?
Ace
Yes, all images are sysprepped before deployment. We use Symantec Ghost
Solution Suite to deploy images.
I agree. It seems as if Compguard Cornerstone restores the old policy
on reboot. That's how it works to prevent alterations by users. Maybe you
could disable Compguard Cornerstone (or turn it off), apply the new policy,
then re-enable it.
I don't find much discussion or documentation on altering the computer
account password expiration policy, but I'm sure the 30 day default
maximum password age was chosen for a reason. The consequences of a
compromised password could be very bad. No matter how complex or long a password,
it can be hacked given enough time. Seems there should be a better solution.
--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
This is an interesting point. At what point are GPOs applied? Is it at
login or at startup? If the GPO isn't applied until log in, this would
definitely allow the machine to see its password is out of date before
the new policy is applied.
--
insane_drummer
I think that it would need to be addressed on both the DCs and the client
machines. Have you spoken to the vendor about the issues you've been seeing
and got their recommendations? Since they designed it, I would imagine they
would know a little more about how to get their product to work in an AD
environment.
Ace
Ace Fekay [MCT] (Guest)
Posted: Thu Oct 22, 2009 2:36 pm
Post subject: Re: XP Machine Account Password Changes
"insane_drummer" <insane_drummer.40gufb@DoNotSpam.com> wrote in message
news:insane_drummer.40gufb@DoNotSpam.com...
Quote:
Yes, as I stated in my initial post:
I did some reading and the drive protection software manufacturer
recommends disabling Machine Account Password changes since the
protection software would revert the machine to its old password
after a reboot - post password change.
--
insane_drummer
Sorry, it wasn't clear if you actually 'spoke' to them and not just read up
on it. Thanks for pointing that out.
Sorry, I don't have any other recommendations or a solution at this time to
resolve this other than what I've already mentioned. If you do find a
resolution, please share it with us. It will help others in a similar
situation.
Ace