Domain login problem

marwan

Jun 16, 2004
Archived from groups: microsoft.public.win2000.active_directory

Resolution Description: Disjoin and rejoin the Computer Account to domain

Work Around / Solution Remark:

For each Windows 2000 or Windows XP workstation or server that is a member
of a domain, there is a discrete communication channel, known as the security
channel, with a domain controller. On Microsoft Windows NT-based computers
and on Microsoft Windows 2000-based computers, machine account passwords are
regularly changed for security purposes. By default, on Windows NT-based
computers, the machine account password automatically changes every seven
days. On Windows 2000-based computers, the machine account password
automatically changes every 30 days.
Every seven days in the case of NT and 30 days in the case of Windows 2000, the
workstation sends a security channel password change and the computer account
password is updated. The time between automatic password changes depends on
the value of the MaximumPasswordAge entry.

By disabling the password change for the workstation, incidents pertaining to
the domain login problem can be minimized because the client will not
authenticate with the domain controller.

To do the activities:

In Microsoft Windows XP and 2000, machine account password settings can be
configured by using Group Policy Editor (Gpedit.msc). To configure these
settings, follow these steps:
(Windows XP/ 2000)

1. Click Start -> Run -> type: gpedit.msc
2. Expand Local Computer Policy, expand Windows Settings, expand Local
policies, expand Security settings, expand Local Policies, and then expand
Security options.
3. Configure the following:
• Domain Member: Disable machine account password changes
(DisablePasswordChange)
• Domain Member: Maximum machine account password age (MaximumPasswordAge)
• Domain Controller: Refuse machine account password changes
(RefusePasswordChange)

In Windows XP, 2000, you can disable the machine account password changes on
a workstation by setting the DisablePasswordChange registry entry to a value
of 1. To do so, follow these steps.

1. Start -> Run -> type Regedit
2. Locate and click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
3. In the right pane, click the DisablePasswordChange entry.
4. From the Edit menu, click Modify.
5. In the Value data box, type 1 and then click OK.
6. Quit Registry Editor.


Note of Caution: Disabling automatic password changes can make the system
more vulnerable to malicious access. Frequent password changes can be a
significant safeguard for your system. If you disable machine account
password changes, there are security risks because the security channel is
used for pass-through authentication. If someone discovers a password, he or
she can potentially perform pass-through authentication to the domain
controller.
NB: Warning: If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system.
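
A read-only check of the three settings named in the post above, as an added example that is not part of the original post. It assumes PowerShell is available on the machine being audited; the function name and the values substituted for absent entries (30 days, as the post states for Windows 2000, and 0 for the two flags) are assumptions of this example.

```powershell
# Added example (read-only): audit the Netlogon settings named in the post.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-MachinePasswordSetting {
    param([string]$Path = $NetlogonKey)

    # Value reported when an entry is absent (assumption of this example):
    # 30 days is the Windows 2000 default stated in the post; 0 = flag not set.
    $assumed = @{ DisablePasswordChange = 0; MaximumPasswordAge = 30; RefusePasswordChange = 0 }
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue

    foreach ($name in 'DisablePasswordChange', 'MaximumPasswordAge', 'RefusePasswordChange') {
        # Distinguish an explicitly written entry from a missing one.
        $explicit = ($null -ne $props) -and ($null -ne $props.$name)
        $value = if ($explicit) { [int]$props.$name } else { $assumed[$name] }

        $finding = switch ($name) {
            'DisablePasswordChange' {
                if ($value -eq 1) { 'Machine account password rotation is disabled' } else { 'OK' }
            }
            'MaximumPasswordAge' {
                if ($value -gt 30) { "Rotation interval raised to $value days" } else { 'OK' }
            }
            'RefusePasswordChange' {
                if ($value -eq 1) { 'Domain controller refuses password changes' } else { 'OK' }
            }
        }

        New-Object PSObject -Property @{
            Name = $name; Value = $value; ExplicitlySet = $explicit; Finding = $finding
        }
    }
}

# Report the settings for the local machine; nothing is modified.
Get-MachinePasswordSetting |
    Select-Object Name, Value, ExplicitlySet, Finding |
    Format-Table -AutoSize
```

Any row whose Finding is not `OK` marks a machine where the workaround from the post is in effect and the caution about a long-lived machine account password applies.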
 

marwan

Jun 16, 2004
Archived from groups: microsoft.public.win2000.active_directory

I need help regarding this problem keeping in mind that this solution is not
final. This problem is being repeated and we cannot judge correctly.

"Marwan" wrote:

> Resolution Description: Disjoin and rejoin the Computer Account to domain
>
> Work Around / Solution Remark:
>
> For each Windows 2000 or Windows XP workstation or server that is a member
> of a domain, there is a discrete communication channel, known as the security
> channel, with a domain controller. On Microsoft Windows NT-based computers
> and on Microsoft Windows 2000-based computers, machine account passwords are
> regularly changed for security purposes. By default, on Windows NT-based
> computers, the machine account password automatically changes every seven
> days. On Windows 2000-based computers, the machine account password
> automatically changes every 30 days.
> Every seven days in the case of NT and 30 days in the case of Windows 2000, the
> workstation sends a security channel password change and the computer account
> password is updated. The time between automatic password changes depends on
> the value of the MaximumPasswordAge entry.
>
> By disabling the password change for the workstation, incidents pertaining to
> the domain login problem can be minimized because the client will not
> authenticate with the domain controller.
>
> To do the activities:
>
> In Microsoft Windows XP and 2000, machine account password settings can be
> configured by using Group Policy Editor (Gpedit.msc). To configure these
> settings, follow these steps:
> (Windows XP/ 2000)
>
> 1. Click Start -> Run -> type: gpedit.msc
> 2. Expand Local Computer Policy, expand Windows Settings, expand Local
> policies, expand Security settings, expand Local Policies, and then expand
> Security options.
> 3. Configure the following:
> • Domain Member: Disable machine account password changes
> (DisablePasswordChange)
> • Domain Member: Maximum machine account password age (MaximumPasswordAge)
> • Domain Controller: Refuse machine account password changes
> (RefusePasswordChange)
>
> In Windows XP, 2000, you can disable the machine account password changes on
> a workstation by setting the DisablePasswordChange registry entry to a value
> of 1. To do so, follow these steps.
>
> 1. Start -> Run -> type Regedit
> 2. Locate and click the following registry key:
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
> 3. In the right pane, click the DisablePasswordChange entry.
> 4. From the Edit menu, click Modify.
> 5. In the Value data box, type 1 and then click OK.
> 6. Quit Registry Editor.
>
>
> Note of Caution: Disabling automatic password changes can make the system
> more vulnerable to malicious access. Frequent password changes can be a
> significant safeguard for your system. If you disable machine account
> password changes, there are security risks because the security channel is
> used for pass-through authentication. If someone discovers a password, he or
> she can potentially perform pass-through authentication to the domain
> controller.
> NB: Warning: If you use Registry Editor incorrectly, you may cause serious
> problems that may require you to reinstall your operating system.
>