I have a small network (~30 PC's) set up as a domain (Windows Server 2003 R2,
SP2).

Yesterday, a user attempted to logon and rec'd an error msg about a trust
issue between the workstation and domain. I pulled the PC off the domain and
re-joined it. That fixed the problem.

My question is, What would cause this problem?

Some info:
- He's the only one on the network with a Laptop running Vista 64-bit (what
can I say, he's the director and does things, then asks questions).
- He had taken the laptop home the night before, and said it worked fine
(but, heck, I don't know what he did and he probably didn't tell me
everything!)

Thanks for any thoughts . . .

Rich

"Rich" <Rich@discussions.microsoft.com> wrote in message
news:995C0772-1DDC-453B-8C29-5BBF3670A319@microsoft.com...

Quote:

I have a small network (~30 PC's) set up as a domain (Windows Server 2003 R2, SP2). Yesterday, a user attempted to logon and rec'd an error msg about a trust issue between the workstation and domain. I pulled the PC off the domain and re-joined it. That fixed the problem. My question is, What would cause this problem? Some info: - He's the only one on the network with a Laptop running Vista 64-bit (what can I say, he's the director and does things, then asks questions). - He had taken the laptop home the night before, and said it worked fine (but, heck, I don't know what he did and he probably didn't tell me everything!) Thanks for any thoughts . . . Rich

Well, that's difficult to diagnose if you don't know, and he's not telling
you. If he has local admin rights, he could have installed some sort of
security software or something else that could have caused it.

Ace

Hi Rich,

Domain member computers occasionaly change domain password. This can be
disabled thru group policy. The behaviour you observed is typical when
password between member computer and domain controller gets out of sync. The
only solution is to unjoin and join again a domain. Before unjoin/join, you
may wish to reset computer account in Active Directory Users and Computers
(ADUC), but I didn't see practical benefits of this extra step.

"Rich" <Rich@discussions.microsoft.com> wrote in message
news:995C0772-1DDC-453B-8C29-5BBF3670A319@microsoft.com...

Quote:

I have a small network (~30 PC's) set up as a domain (Windows Server 2003 R2, SP2). Yesterday, a user attempted to logon and rec'd an error msg about a trust issue between the workstation and domain. I pulled the PC off the domain and re-joined it. That fixed the problem. My question is, What would cause this problem? Some info: - He's the only one on the network with a Laptop running Vista 64-bit (what can I say, he's the director and does things, then asks questions). - He had taken the laptop home the night before, and said it worked fine (but, heck, I don't know what he did and he probably didn't tell me everything!) Thanks for any thoughts . . . Rich

"Dusko Savatovic" <savatovic@nospam.gmail.com> wrote in message
news:eLFvlFvUKHA.5208@TK2MSFTNGP05.phx.gbl...

Quote:

Hi Rich, Domain member computers occasionaly change domain password. This can be disabled thru group policy. The behaviour you observed is typical when password between member computer and domain controller gets out of sync. The only solution is to unjoin and join again a domain. Before unjoin/join, you may wish to reset computer account in Active Directory Users and Computers (ADUC), but I didn't see practical benefits of this extra step.

Dusko,

Disabling machine account password changes (default every 30 days with AD
2003 & 2008) can be done, and may possibly alleviate this issue, but
security-wise it's not really recommended, especially I would think if it's
just the boss doing something on his machine.

If interested, for more info on this setting, there was an in-depth
discussion on machine account password change settings in the AD newsgroup:

From: insane_drummer <insane_drummer.40bobe@DoNotSpam.com>
Subject: XP Machine Account Password Changes
Date: Tue, 20 Oct 2009 02:11:10 +0530
Newsgroups: microsoft.public.windows.server.active_directory

I would be curious as to what the boss is doing on his machine causing this.
Maybe he has some sort of password saving software that may also be
prompting him about the machine account password that he's not sure how to
respond to? I mean, I don't know if those password apps do that or not, but
it's just a thought.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.

Sure Ace,

The defaults are set with a reason and there's no reason to depart from the
well threaded path.
I was thinking about this issue. If the boss was doing something, he was
probably experimenting with newsid or sysprep or some similar tool.

Just my 2c.


"Ace Fekay [MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:uI2DvExUKHA.1280@TK2MSFTNGP04.phx.gbl...

Quote:

"Dusko Savatovic" <savatovic@nospam.gmail.com> wrote in message news:eLFvlFvUKHA.5208@TK2MSFTNGP05.phx.gbl... Hi Rich, Domain member computers occasionaly change domain password. This can be disabled thru group policy. The behaviour you observed is typical when password between member computer and domain controller gets out of sync. The only solution is to unjoin and join again a domain. Before unjoin/join, you may wish to reset computer account in Active Directory Users and Computers (ADUC), but I didn't see practical benefits of this extra step. Dusko, Disabling machine account password changes (default every 30 days with AD 2003 & 2008) can be done, and may possibly alleviate this issue, but security-wise it's not really recommended, especially I would think if it's just the boss doing something on his machine. If interested, for more info on this setting, there was an in-depth discussion on machine account password change settings in the AD newsgroup: From: insane_drummer <insane_drummer.40bobe@DoNotSpam.com Subject: XP Machine Account Password Changes Date: Tue, 20 Oct 2009 02:11:10 +0530 Newsgroups: microsoft.public.windows.server.active_directory I would be curious as to what the boss is doing on his machine causing this. Maybe he has some sort of password saving software that may also be prompting him about the machine account password that he's not sure how to respond to? I mean, I don't know if those password apps do that or not, but it's just a thought. -- Ace This posting is provided "AS-IS" with no warranties or guarantees and confers no rights. Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution. Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003 Microsoft Certified Trainer For urgent issues, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.

"Dusko Savatovic" <savatovic@nospam.gmail.com> wrote in message
news:OyXYxX0UKHA.4704@TK2MSFTNGP02.phx.gbl...

Quote:

Sure Ace, The defaults are set with a reason and there's no reason to depart from the well threaded path. I was thinking about this issue. If the boss was doing something, he was probably experimenting with newsid or sysprep or some similar tool. Just my 2c.

Hmm, interesting thought. A good reason to not give someone local admin
rights, but then again, it's difficult when it's a demanding boss.

Or possibly another thought - he may have installed his own
security/firewall app, such as what his home ISP provided for free (Comcast,
AOL, etc) and it locked down the system?

Ace

On Thu, 22 Oct 2009 10:26:45 +0200, "Dusko Savatovic"
<savatovic@nospam.gmail.com> wrote:

Quote:

Hi Rich, Domain member computers occasionaly change domain password. This can be disabled thru group policy. The behaviour you observed is typical when password between member computer and domain controller gets out of sync. The only solution is to unjoin and join again a domain. It is not the "only" solution. NetDom can be used to reset the passwords or

easier is to reset the account from the PC. For XP this is simply opening System
Properties/Computer Name tab and using the "Network ID" button not the "Change"
button. This wizard will find the existing computer account and allow you to use
it. All group memberships and other setting are then kept. Leaving the domain
and rejoining can loose settings such as "Managed Computer" status.

Quote:

Before unjoin/join, you may wish to reset computer account in Active Directory Users and Computers (ADUC), but I didn't see practical benefits of this extra step. "Rich" <Rich@discussions.microsoft.com> wrote in message news:995C0772-1DDC-453B-8C29-5BBF3670A319@microsoft.com... I have a small network (~30 PC's) set up as a domain (Windows Server 2003 R2, SP2). Yesterday, a user attempted to logon and rec'd an error msg about a trust issue between the workstation and domain. I pulled the PC off the domain and re-joined it. That fixed the problem. My question is, What would cause this problem? Some info: - He's the only one on the network with a Laptop running Vista 64-bit (what can I say, he's the director and does things, then asks questions). - He had taken the laptop home the night before, and said it worked fine (but, heck, I don't know what he did and he probably didn't tell me everything!) Thanks for any thoughts . . . Rich --

Dave Mills
There are 10 types of people, those that understand binary and those that don't.