2010.01.28

If you work with non-persistent virtual machines on a Windows domain, you will be familiar with your machines dropping off the domain every 30 days. When you try to log in, you get the message:

“The trust relationship between this workstation and the primary domain failed.”

The problem is detailed in this KB article. By default, every 30 days the domain member itself initiates a change of its computer account password on the domain controller. This password authenticates the computer as its computer object in AD and is distinct from any user's password. When a non-persistent machine resets to its snapshot it reverts to the old password while the domain controller keeps the new one, so the two are out of synchronization and domain authentication fails.

This can be fixed, as per Microsoft's KB article, by disabling client-initiated computer password changes. On the client there are three ways to do this: Local or Group Policy, REGEDIT, or a REG ADD command from the Windows shell. All three end up setting the same Netlogon registry value.

Using Local or Group Policy

Under Security Settings -> Local Policies -> Security Options, set Domain member: Disable machine account password changes to Enabled (Enabled here means the client stops changing the password; this is the setting the registry value below maps to).

Using REGEDIT

Under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, set the REG_DWORD value DisablePasswordChange to 1, creating it if it is not already there.

Using Windows shell (from an elevated prompt)

  :: Set the Netlogon value that stops client-initiated computer account password changes
  REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v DisablePasswordChange /t REG_DWORD /d 1 /f

If you have access to the domain controller, you can instead set a GPO on the DCs so that Domain controller: Refuse machine account password changes is Enabled. This is in Windows Settings -> Security Settings -> Local Policies -> Security Options (the same location as Domain member: Disable machine account password changes). Bear in mind that the DC-side setting applies to every member of the domain, not just the non-persistent VMs, so the client-side setting delivered by a GPO linked to an OU that holds only those machines is usually the better choice. Either way, a machine account whose password never rotates keeps any leaked copy of that password valid until someone resets it, so limit the setting to the machines that actually need it.
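As an added illustration (my code, not the original post's), here is the same client-side fix done from PowerShell. It reads the two Netlogon values involved, applies the REG ADD setting if it is not already in place, and on Windows 7 also reports whether the secure channel is still intact, since disabling rotation does not repair a trust that has already broken. It assumes an elevated PowerShell 2.0 or later session on the domain member; the registry path and value names are the real Netlogon ones.

```powershell
# Added example, not from the original post: inspect the Netlogon values that
# govern the 30-day rotation, apply the same setting the REG ADD line does, and
# confirm the result. Assumes an elevated PowerShell (2.0 or later) on the member.
$Netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-MachinePasswordPolicy {
    # DisablePasswordChange: 1 = the client never initiates a change (absent = 0).
    # MaximumPasswordAge: days between client-initiated changes; 30 if absent.
    $p = Get-ItemProperty -Path $Netlogon
    $age = if ($p.MaximumPasswordAge -eq $null) { 30 } else { [int]$p.MaximumPasswordAge }
    New-Object PSObject -Property @{
        DisablePasswordChange = [int]$p.DisablePasswordChange
        MaximumPasswordAge    = $age
    }
}

function Disable-MachinePasswordChange {
    # Same effect as REG ADD ... /v DisablePasswordChange /t REG_DWORD /d 1 /f:
    # -Force creates the value if it is missing and overwrites it if it exists.
    New-ItemProperty -Path $Netlogon -Name DisablePasswordChange -Value 1 `
                     -PropertyType DWord -Force | Out-Null
}

$before = Get-MachinePasswordPolicy
if ($before.DisablePasswordChange -ne 1) {
    Disable-MachinePasswordChange
}
$after = Get-MachinePasswordPolicy
Write-Host ("DisablePasswordChange: {0} -> {1}" -f $before.DisablePasswordChange, $after.DisablePasswordChange)
Write-Host ("MaximumPasswordAge (days): {0}" -f $after.MaximumPasswordAge)

# Windows 7 / PowerShell 2.0 only: report whether the machine's current secret
# still matches its computer object in AD. If it does not, the setting above
# stops further drift but the machine still has to be rejoined.
if (Get-Command Test-ComputerSecureChannel -ErrorAction SilentlyContinue) {
    if (Test-ComputerSecureChannel) { Write-Host 'Secure channel to the domain is intact.' }
    else { Write-Warning 'Secure channel is broken; the machine must be rejoined.' }
}
```

Run it once on the master image before you make the disks non-persistent; if it reports a broken secure channel, fix the trust first (see the rejoin steps below) or the snapshot will preserve the broken state.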

Also, if you need to rejoin machines that have already fallen off the domain, you can skip the reboot after removing them from the domain, so:

  1. Shut the machine down
  2. Make the drives Persistent
  3. Start the machine and log in
  4. Remove the machine from the domain
  5. Add the machine to the domain
  6. Reboot
  7. Shut down and make the drives Non-Persistent

Skipping the middle reboot saves a couple of minutes (which adds up if you have a lot to do). The above processes can also be scripted with Invoke-VMCommand and either NETDOM (for XP/Vista) or for Windows 7.
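As an added example (mine, not the original post's), here are steps 3 to 6 of the rejoin procedure as a script to run inside the guest once its disks are persistent. The netdom remove/join pair is the XP/Vista route the post names, done with a single reboot at the end; the Test-ComputerSecureChannel calls are my addition for Windows 7 / PowerShell 2.0, where the trust can often be repaired in place without leaving the domain at all. The domain name and join account are assumed values, and the script assumes an elevated shell with netdom.exe on the PATH (Support Tools on XP, built in from Vista) and a join account allowed to reset computer objects.

```powershell
# Added example, not from the original post: steps 3 to 6 of the rejoin
# procedure, run inside the guest after its disks have been made persistent.
# netdom remove/join is the XP/Vista route the post names; the
# Test-ComputerSecureChannel calls (Windows 7 / PowerShell 2.0) are my addition.
# Assumed: elevated shell, netdom.exe on the PATH, and a join account that may
# reset computer objects in the domain.
param(
    [string]$Domain   = 'corp.example.com',   # assumed domain name
    [string]$JoinUser = 'CORP\svc-vmjoin'     # assumed join account
)
$Me   = $env:COMPUTERNAME
$Cred = Get-Credential -Credential $JoinUser

$hasTest = [bool](Get-Command Test-ComputerSecureChannel -ErrorAction SilentlyContinue)

# Nothing to do if the machine still trusts the domain.
if ($hasTest -and (Test-ComputerSecureChannel)) {
    Write-Host "$Me still trusts $Domain; nothing to do."
    return
}

# Windows 7: reset the machine account password in one step, no leave/join, no reboot.
if ($hasTest -and (Test-ComputerSecureChannel -Repair -Credential $Cred)) {
    Write-Host "Secure channel repaired for $Me."
    return
}

# XP/Vista (or if the repair failed): step 4, leave the domain without rebooting.
# netdom needs the password in clear text; it is only held for this process.
$Plain = $Cred.GetNetworkCredential().Password
& netdom remove $Me /Domain:$Domain /UserD:$JoinUser /PasswordD:$Plain
if ($LASTEXITCODE -ne 0) {
    # If the DC is unreachable, netdom remove ... /Force drops the membership locally only.
    throw "netdom remove failed with exit code $LASTEXITCODE"
}

# Steps 5 and 6: rejoin (resetting the existing computer object) and reboot once.
& netdom join $Me /Domain:$Domain /UserD:$JoinUser /PasswordD:$Plain /REBoot:30
if ($LASTEXITCODE -ne 0) { throw "netdom join failed with exit code $LASTEXITCODE" }
Write-Host "$Me rejoined $Domain; rebooting in 30 seconds. Make the drives non-persistent after the reboot (step 7)."
```

Because the reboot is the only one in the sequence, the whole thing can be pushed to many guests from the host side and the disks flipped back to non-persistent once each machine is back up.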
