G
Guest
Resolution Description: Disjoin and rejoin the Computer Account to domain
Work Around / Solution Remark:
For each Windows 2000 or Windows XP workstation or server that is a member
of a domain, there is a discrete communication channel, known as the security
channel, with a domain controller. On Microsoft Windows NT-based computers
and on Microsoft Windows 2000-based computers, machine account passwords are
regularly changed for security purposes. By default, on Windows NT-based
computers, the machine account password automatically changes every seven
days. On Windows 2000-based computers, the machine account password
automatically changes every 30 days.
Every seven days in case of NT and 30 days incase of Windows 2000, the
workstation sends a security channel password change and the computer account
password is updated. The time between automatic password changes depends on
the value of the MaximumPasswordAge entry.
By disabling the password change for workstation , incidents pertaining to
domain login problem can be minimized as because the client will not
authenticate with the domain controller.
To do the activities:
In Microsoft Windows XP ,2000, machine account password settings can be
configured by using Group Policy Editor (Gpedit.msc). To configure these
settings, follow these steps:
(Windows XP/ 2000)
1. Click Start -> Run -> type: gpedit.msc
2. Expand Local Computer Policy, expand Windows Settings, expand Local
policies, expand Security settings, expand Local Policies, and then expand
Security options.
3. Configure the Following;
• Domain Member: Disable machine account password changes
(DisablePasswordChange)
• Domain Member: Maximum machine account password age (MaximumPasswordAge)
• Domain Controller: Refuse machine account password changes
(RefusePasswordChange)
In Windows XP, 2000, you can disable the machine account password changes on
a workstation by setting the DisablePasswordChange registry entry to a value
of 1. To do so, follow these steps.
1. Start->Run-> type Regedit
2. Locate and click the following Registry Key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
3. In the right pane, click the DisablePasswordChange entry
4. From the Edit menu, click modify
5. In the value data box, type 1 and then click ok.
6. Quit registry.
Note of Caution: Disabling automatic password changes can make the system
more vulnerable to malicious access. Frequent password changes can be a
significant safeguard for your system. If you disable machine account
password changes, there are security risks because the security channel is
used for pass-through authentication. If someone discovers a password, he or
she can potentially perform pass-through authentication to the domain
controller.
NB: Warning If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system.
Work Around / Solution Remark:
For each Windows 2000 or Windows XP workstation or server that is a member
of a domain, there is a discrete communication channel, known as the security
channel, with a domain controller. On Microsoft Windows NT-based computers
and on Microsoft Windows 2000-based computers, machine account passwords are
regularly changed for security purposes. By default, on Windows NT-based
computers, the machine account password automatically changes every seven
days. On Windows 2000-based computers, the machine account password
automatically changes every 30 days.
Every seven days in case of NT and 30 days incase of Windows 2000, the
workstation sends a security channel password change and the computer account
password is updated. The time between automatic password changes depends on
the value of the MaximumPasswordAge entry.
By disabling the password change for workstation , incidents pertaining to
domain login problem can be minimized as because the client will not
authenticate with the domain controller.
To do the activities:
In Microsoft Windows XP ,2000, machine account password settings can be
configured by using Group Policy Editor (Gpedit.msc). To configure these
settings, follow these steps:
(Windows XP/ 2000)
1. Click Start -> Run -> type: gpedit.msc
2. Expand Local Computer Policy, expand Windows Settings, expand Local
policies, expand Security settings, expand Local Policies, and then expand
Security options.
3. Configure the Following;
• Domain Member: Disable machine account password changes
(DisablePasswordChange)
• Domain Member: Maximum machine account password age (MaximumPasswordAge)
• Domain Controller: Refuse machine account password changes
(RefusePasswordChange)
In Windows XP, 2000, you can disable the machine account password changes on
a workstation by setting the DisablePasswordChange registry entry to a value
of 1. To do so, follow these steps.
1. Start->Run-> type Regedit
2. Locate and click the following Registry Key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
3. In the right pane, click the DisablePasswordChange entry
4. From the Edit menu, click modify
5. In the value data box, type 1 and then click ok.
6. Quit registry.
Note of Caution: Disabling automatic password changes can make the system
more vulnerable to malicious access. Frequent password changes can be a
significant safeguard for your system. If you disable machine account
password changes, there are security risks because the security channel is
used for pass-through authentication. If someone discovers a password, he or
she can potentially perform pass-through authentication to the domain
controller.
NB: Warning If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system.