Miha
Hi
In our company we have Win2003 DC Enterprise Server and WinXP Pro Clients.
Due to the policy, we installed 'radix' cards into public PC, so that system
is automatically restored into previous state when computers are restarted.
Everything worked OK, but after 30 days, users couldn't log into the domain,
saying that domain is not available, and the only way was to re-join
computers to a new domain (put them to workgroup, and then back to domain.)
Looking at what could cause this, we found that actually DC after 30 days
changes some SID of computer (machine account) and because of this when
computer was restored back to 'basic' settings this problem appeared.
So I created a domain policy for these computers and under
- Computer Configuration\Windows Settings\Security Settings\Local
Policies\Security Options and set option under 'Domain Members: Disable
machine account password changes' to ENABLED.
When I checked local policy settings at client computers, I noticed that
this setting was set to ENABLED, but setting under 'Domain Member: Maximum
machine account password age' was set to 30 days. I checked this at my
domain policy, and noticed that I can only set this to 999 days, but as I
see, if the previous setting was set to ENABLED, this setting doesn't apply,
or am I wrong?
I just want to be certain, that this will solve our problem, so that we
don't have to re-join computers to a domain after another 30 days
Thank you all in advance for help
Best regards
Miha