Subject: [ActiveDir] ComputerAccount password reset fails for VPN clients
Parzival

Posts:108

02/25/2009 8:17 AM  
Hi All,

We have VPN users that are rarely in the office, they log in via a separate VPN client. However, after 90 days they cannot access any resources anymore. Apparently the computer account is blocked after 90 days. Seems to me the password reset function of the computer account does not work. If users work within the 90 days all is fine and they can access the resources they need, if users come to the office within the 90 days.. their 90 days "grace period" is reset..

Now to troubleshoot I want to know the process that a computer uses to reset its password.. any hints?

Or has anyone seen this behavior before?

_R
ZJORZ

Posts:389

02/25/2009 8:53 AM  
Windows Computers change their password within a day or so after being joined to the AD domain
Windows Computers initiate a password change when they can as soon as 30 days have passed
Windows Computers keep a history of 1 password

So if a computer is shut down for 40 days, it will try to change the password right away when it boots up again.

I have never tested it, but I would expect everything continues to work even if the computer cannot change the password. The initiation of the password change is a local computer thing and not a computer account thing

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto
Senior Technical Consultant
MVP Identity & Access - Directory Services

* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
________________________________________________________________
MVP Profile → https://mvp.support.microsoft.com/profile/jorge1
BLOG → http://blogs.dirteam.com/blogs/jorge/default.aspx
________________________________________________________________

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Roelf Zomerman
Sent: Wednesday, February 25, 2009 14:10
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ComputerAccount password reset fails for VPN clients

Hi All,

We have VPN users that are rarely in the office, they log in via a separate VPN client. However, after 90 days they cannot access any resources anymore. Apparently the computer account is blocked after 90 days. Seems to me the password reset function of the computer account does not work. If users work within the 90 days all is fine and they can access the resources they need, if users come to the office within the 90 days.. their 90 days "grace period" is reset..

Now to troubleshoot I want to know the process that a computer uses to reset its password.. any hints?

Or has anyone seen this behavior before?

_R


__________ Information from ESET Smart Security, version of virus signature database 3888 (20090225) __________

The message was checked by ESET Smart Security.

http://www.eset.com



Parzival

Posts:108

02/25/2009 9:22 AM  
Ok, but in this case the computer is not able to change the password during boot, since there is no VPN connection.. therefore (if the computer does not change the password after VPN connection is established) there will never be a password change.. can computer objects be denied access based on the age of the password of an object in the AD or last contact time?

Roelf

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Jorge de Almeida Pinto
Sent: Wednesday, February 25, 2009 2:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ComputerAccount password reset fails for VPN clients

Windows Computers change their password within a day or so after being joined to the AD domain
Windows Computers initiate a password change when they can as soon as 30 days have passed
Windows Computers keep a history of 1 password

So if a computer is shut down for 40 days, it will try to change the password right away when it boots up again.

I have never tested it, but I would expect everything continues to work even if the computer cannot change the password. The initiation of the password change is a local computer thing and not a computer account thing

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto
Senior Technical Consultant
MVP Identity & Access - Directory Services

* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
________________________________________________________________
MVP Profile → https://mvp.support.microsoft.com/profile/jorge1
BLOG → http://blogs.dirteam.com/blogs/jorge/default.aspx
________________________________________________________________

ZJORZ

Posts:389

02/25/2009 9:25 AM  
That's why I said:
I have never tested it, but I would expect everything continues to work even if the computer cannot change the password. The initiation of the password change is a local computer thing and not a computer account thing.

To answer your Q I would say that everything should continue to work although the password cannot be changed by the computer itself

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto
Senior Technical Consultant
MVP Identity & Access - Directory Services
(MVP Profile) (Blog)

Oxford Computer Group BeNeLux
u: +31 (0)6 26.26.62.80 | :: +31 (0)70 36.21.627 | : +31 (0)70 36.21.677
:: Sweelinckplein 9 (unit 11), 2517 GK, Den Haag, The Netherlands (Google Maps) (Live Maps)
www.oxfordcomputergroup.com | Expertise in Identity & Access Management
Registered nr Chamber of Commerce/KvK 32129259, VAT/BTW NL8188.31.972.BO1




-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Roelf Zomerman
Sent: Wednesday, February 25, 2009 15:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ComputerAccount password reset fails for VPN clients

Ok, but in this case the computer is not able to change the password during boot, since there is no VPN connection.. therefore (if the computer does not change the password after VPN connection is established) there will never be a password change.. can computer objects be denied access based on the age of the password of an object in the AD or last contact time?

Roelf

jamesawells

Posts:79

02/25/2009 9:27 AM  
Are you aging/deleting/disabling computer accounts based on password
age via some automated process? (joeware OldCmp, AD Janitor, custom
process...)

?


--James


On 2/25/09, Roelf Zomerman <roelf.zomerman@avanade.com> wrote:
> Ok, but in this case the computer is not able to change the password during
> boot, since there is no VPN connection.. therefore (if the computer does not
> change the password after VPN connection is established) there will never be
> a password change.. can computer objects be denied access based on the age
> of the password of an object in the AD or last contact time?
>
> Roelf

--
Sent from my mobile device
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
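
One way to check the question raised above against the directory, as an added example that is not part of the original thread: the script reports each computer account's machine-password age and disabled state, so the effect of an age-based cleanup job becomes visible. The function name `Get-ComputerPasswordAgeReport`, the computer names and the sample values are constructed for illustration; the 90-day threshold is the one reported in the thread.

```powershell
# Added example (not from the thread). Reports machine-password age and disabled
# state per computer account. Sample data below is constructed so it runs offline.

function Get-ComputerPasswordAgeReport {
    param(
        # Objects exposing Name, pwdLastSet (FILETIME as Int64) and userAccountControl
        [Parameter(Mandatory)] [object[]] $Computer,
        [int] $StaleDays = 90,                  # the 90 days reported in the thread
        [datetime] $Now = [datetime]::UtcNow
    )

    $AccountDisable = 0x2   # userAccountControl bit: account is disabled

    $rows = foreach ($c in $Computer) {
        # pwdLastSet counts 100 ns ticks since 1601-01-01 UTC; 0 means never set
        $raw = [int64] $c.pwdLastSet
        if ($raw -gt 0) {
            $pwdSet  = [datetime]::FromFileTimeUtc($raw)
            $ageDays = [int] [math]::Floor(($Now - $pwdSet).TotalDays)
        } else {
            $pwdSet  = $null
            $ageDays = $null
        }

        $disabled = (([int] $c.userAccountControl) -band $AccountDisable) -ne 0
        $stale    = ($null -eq $ageDays) -or ($ageDays -ge $StaleDays)

        $finding = if ($disabled -and $stale) {
            'Disabled and password is stale: consistent with an age-based cleanup job'
        } elseif ($disabled) {
            'Disabled, password recent: disabled for another reason'
        } elseif ($stale) {
            'Enabled, password stale: next candidate for an age-based cleanup'
        } else {
            'OK'
        }

        [pscustomobject]@{
            Name            = $c.Name
            PasswordLastSet = $pwdSet
            PasswordAgeDays = $ageDays
            Disabled        = $disabled
            Finding         = $finding
        }
    }

    # Oldest passwords first
    $rows | Sort-Object -Property PasswordAgeDays -Descending
}

# Constructed sample input. 0x1000 = WORKSTATION_TRUST_ACCOUNT, 0x1002 = same, disabled.
$now = [datetime]::new(2009, 2, 25, 12, 0, 0, [System.DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ Name = 'LAPTOP-VPN01'; pwdLastSet = $now.AddDays(-95).ToFileTimeUtc(); userAccountControl = 0x1002 }
    [pscustomobject]@{ Name = 'LAPTOP-VPN02'; pwdLastSet = $now.AddDays(-70).ToFileTimeUtc(); userAccountControl = 0x1000 }
    [pscustomobject]@{ Name = 'LAPTOP-VPN03'; pwdLastSet = $now.AddDays(-120).ToFileTimeUtc(); userAccountControl = 0x1000 }
    [pscustomobject]@{ Name = 'DESKTOP-HQ01'; pwdLastSet = $now.AddDays(-12).ToFileTimeUtc(); userAccountControl = 0x1000 }
)

Get-ComputerPasswordAgeReport -Computer $sample -Now $now | Format-Table -AutoSize

# Against a real domain (requires the ActiveDirectory module), feed it live objects:
#   $live = Get-ADComputer -Filter * -Properties pwdLastSet, userAccountControl
#   Get-ComputerPasswordAgeReport -Computer $live
```

If the accounts of the affected VPN laptops show up as disabled right around the 90-day mark while other stale accounts stay enabled until the next run, something in the environment is acting on password age rather than the computers failing to authenticate on their own.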
mcasey

Posts:75

02/25/2009 9:29 AM  
The DS team just discussed the machine account password process on
their blog recently:
http://blogs.technet.com/askds/archive/2009/02/13/machine-account-password-process.aspx

-matt

On Wed, Feb 25, 2009 at 9:15 AM, Roelf Zomerman
<roelf.zomerman@avanade.com> wrote:
> Ok, but in this case the computer is not able to change the password during boot, since there is no VPN connection.. therefore (if the computer does not change the password after VPN connection is established) there will never be a password change.. can computer objects be denied access based on the age of the password of an object in the AD or last contact time?
>
> Roelf
deji

Posts:262

02/25/2009 10:40 AM  
Logically, IF the computer had been away from the environment for that long, then it would not have reset its password and would have knowledge of the previous password it had, which will be the one the PDCe would also have. So, if it comes back and presents that password, then the PDCe should be able to accept it and request a change.

Perhaps what's happening in your environment is that you have a process that is reverting computer states to previous versions, thereby causing them to present a password that used to exist in the past (but which has been superseded by a more recent state). I used to see this situation on a fairly regular basis in a previous life.


Sincerely,
_____
(, / | /) /) /)
/---| (/_ ______ ___// _ // _
) / |_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
(/
www.akomolafe.name - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
________________________________________
From: ActiveDir-owner@mail.activedir.org [ActiveDir-owner@mail.activedir.org] On Behalf Of Jorge de Almeida Pinto [Jorge.deAlmeidaPinto@oxfordcomputergroup.com]
Sent: Wednesday, February 25, 2009 6:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ComputerAccount password reset fails for VPN clients

That's why I said:
I have never tested it, but I would expect everything continues to work even if the computer cannot change the password. The initiation of the password change is a local computer thing and not a computer account thing.

To answer your Q I would say that everything should continue to work although the password cannot be changed by the computer itself

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto
Senior Technical Consultant
MVP Identity & Access - Directory Services
(MVP Profile) (Blog)

Oxford Computer Group BeNeLux
u: +31 (0)6 26.26.62.80 | :: +31 (0)70 36.21.627 | : +31 (0)70 36.21.677
:: Sweelinckplein 9 (unit 11), 2517 GK, Den Haag, The Netherlands (Google Maps) (Live Maps)
www.oxfordcomputergroup.com | Expertise in Identity & Access Management
Registered nr Chamber of Commerce/KvK 32129259, VAT/BTW NL8188.31.972.BO1




ZJORZ

Posts:389

02/25/2009 11:11 AM  
>>>> the PDCe would also have. So, if it comes back and presents that password, then the PDCe should be able to accept it and request a change.

It is not the DC that requests a PWD change for computer accounts, but rather the computers themselves that use a certain computer account in AD

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto
Senior Technical Consultant
MVP Identity & Access - Directory Services
(MVP Profile) (Blog)

Oxford Computer Group BeNeLux
u: +31 (0)6 26.26.62.80 | :: +31 (0)70 36.21.627 | : +31 (0)70 36.21.677
:: Sweelinckplein 9 (unit 11), 2517 GK, Den Haag, The Netherlands (Google Maps) (Live Maps)
www.oxfordcomputergroup.com | Expertise in Identity & Access Management
Registered nr Chamber of Commerce/KvK 32129259, VAT/BTW NL8188.31.972.BO1



-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Akomolafe, Deji
Sent: Wednesday, February 25, 2009 16:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ComputerAccount password reset fails for VPN clients

Logically, IF the computer had been away from the environment for that long, then it would not have reset its password and would have knowledge of the previous password it had, which will be the one the PDCe would also have. So, if it comes back and presents that password, then the PDCe should be able to accept it and request a change.

Perhaps what's happening in your environment is that you have a process that is reverting computer states to previous versions, thereby causing them to present a password that used to exist in the past (but which has been superseded by a more recent state). I used to see this situation on a fairly regular basis in a previous life.


Sincerely,
_____
(, / | /) /) /)
/---| (/_ ______ ___// _ // _
) / |_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
(/
www.akomolafe.name - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
PARRISUser is Offline

Posts:293

02/25/2009 11:26 AM  
I worked on a large project a few years ago and due to having multiple machines pre-built months in advance, we avoided this issue by creating an OU and set the machine account password age to a number that suited our needs.




Regards,

Mark Parris

[ADUG] UK Active Directory User Group http://adug.co.uk


-----Original Message-----
From: "Jorge de Almeida Pinto" <Jorge.deAlmeidaPinto@oxfordcomputergroup.com>

Date: Wed, 25 Feb 2009 16:05:26
To: <ActiveDir@mail.activedir.org>
Subject: RE: [ActiveDir] ComputerAccount password reset fails for VPN clients


>>>> the PDCe would also have. So, if it comes back and presents that password, then the PDCe should be able to accept it and request a change.

It is not the DC that requests a PWD change for computer accounts, but rather the computers themselves that use a certain computer account in AD

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto
Senior Technical Consultant
MVP Identity & Access - Directory Services
(MVP Profile) (Blog)

Oxford Computer Group BeNeLux
u: +31 (0)6 26.26.62.80 | :: +31 (0)70 36.21.627 | : +31 (0)70 36.21.677
:: Sweelinckplein 9 (unit 11), 2517 GK, Den Haag, The Netherlands (Google Maps) (Live Maps)
www.oxfordcomputergroup.com | Expertise in Identity & Access Management
Registered nr Chamber of Commerce/KvK 32129259, VAT/BTW NL8188.31.972.BO1



-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Akomolafe, Deji
Sent: Wednesday, February 25, 2009 16:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ComputerAccount password reset fails for VPN clients

Logically, IF the computer had been away from the environment for that long, then it would not have reset its password and would have knowledge of the previous password it had, which will be the one the PDCe would also have. So, if it comes back and presents that password, then the PDCe should be able to accept it and request a change.

Perhaps what's happening in your environment is that you have a process that is reverting computer states to previous versions, thereby causing them to present a password that used to exist in the past (but which has been superseded by a more recent state). I used to see this situation on a fairly regular basis in a previous life.


Sincerely,
_____
(, / | /) /) /)
/---| (/_ ______ ___// _ // _
) / |_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
(/
www.akomolafe.name - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
________________________________________
From: ActiveDir-owner@mail.activedir.org [ActiveDir-owner@mail.activedir.org] On Behalf Of Jorge de Almeida Pinto [Jorge.deAlmeidaPinto@oxfordcomputergroup.com]
Sent: Wednesday, February 25, 2009 6:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ComputerAccount password reset fails for VPN clients

That's why I said:
I have never tested it, but I would expect everything continues to work even if the computer cannot change the password. The initiation of the password change is a local computer thing and not a computer account thing.

To answer your Q I would say that everything should continue to work although the password cannot be changed by the computer itself

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto
Senior Technical Consultant
MVP Identity & Access - Directory Services
(MVP Profile) (Blog)

Oxford Computer Group BeNeLux
u: +31 (0)6 26.26.62.80 | :: +31 (0)70 36.21.627 | : +31 (0)70 36.21.677
:: Sweelinckplein 9 (unit 11), 2517 GK, Den Haag, The Netherlands (Google Maps) (Live Maps)
www.oxfordcomputergroup.com | Expertise in Identity & Access Management
Registered nr Chamber of Commerce/KvK 32129259, VAT/BTW NL8188.31.972.BO1




-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Roelf Zomerman
Sent: Wednesday, February 25, 2009 15:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ComputerAccount password reset fails for VPN clients

Ok, but in this case the computer is not able to change the password during boot, since there is no VPN connection.. therefore (if the computer does not change the password after VPN connection is established) there will never be a password change.. can computer objects be denied access based on the age of the password of an object in the AD or last contact time?

Roelf

dejiUser is Offline

Posts:262

02/25/2009 11:41 AM  
Yeah, caught that after sending :(

Sincerely,
_____
(, / | /) /) /)
/---| (/_ ______ ___// _ // _
) / |_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
(/
www.akomolafe.name - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
ParzivalUser is Offline

Posts:108

02/26/2009 8:30 AM  
In the link provided it states:
If the machine was unable to communicate with a domain controller for 60 days, then we have a secure channel issue.

I tried finding some resources on that.. but did not find any.. anyone any hints for me?

Roelf

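The checks this thread keeps circling (whether the client is configured to change its password and at what interval, how old the password is on the computer object in AD, whether the account is disabled, and whether the secure channel is intact) can be gathered in one pass. This is an added example, not code from any poster on the list. The Netlogon registry values, the AD attributes and Test-ComputerSecureChannel are standard Windows; the function name and output fields are this example's own, and it assumes PowerShell 3.0 or later, run elevated on the affected client while the VPN is connected.

```powershell
# Added troubleshooting sketch (not from the thread). Function and field names are hypothetical.
function Get-MachineAccountPasswordState {
    [CmdletBinding()]
    param()

    # 1. Client side: the password change is initiated by the computer itself.
    #    Both values are optional; when absent the change is enabled and the
    #    interval is 30 days. A GPO setting the machine account password age
    #    for an OU ends up in MaximumPasswordAge here.
    $key        = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $params     = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $disabled   = $false
    $maxAgeDays = 30
    if ($params -and $null -ne $params.DisablePasswordChange) {
        $disabled = [bool]$params.DisablePasswordChange
    }
    if ($params -and $null -ne $params.MaximumPasswordAge) {
        $maxAgeDays = [int]$params.MaximumPasswordAge
    }

    # 2. Directory side: when was the password last set on the computer object,
    #    and has the account been disabled?
    $pwdLastSet      = $null
    $accountDisabled = $null
    try {
        $filter   = "(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
        $searcher = [adsisearcher]$filter
        $searcher.PropertiesToLoad.AddRange([string[]]('pwdlastset', 'useraccountcontrol'))
        $account  = $searcher.FindOne()
        if ($account) {
            $pwdLastSet      = [DateTime]::FromFileTimeUtc([int64]$account.Properties['pwdlastset'][0])
            $uac             = [int]$account.Properties['useraccountcontrol'][0]
            $accountDisabled = ($uac -band 0x2) -ne 0   # ACCOUNTDISABLE flag
        }
    }
    catch {
        Write-Warning "Directory lookup failed (no domain controller reachable?): $($_.Exception.Message)"
    }

    # 3. Secure channel: does the locally stored password still match the directory?
    $channelOk = $null
    try {
        $channelOk = Test-ComputerSecureChannel -ErrorAction Stop
    }
    catch {
        Write-Warning "Secure channel test failed: $($_.Exception.Message)"
    }

    # 4. Summarise. ChangeOverdue is only meaningful when the AD lookup succeeded.
    $ageDays = $null
    if ($pwdLastSet) {
        $ageDays = [int][math]::Floor(((Get-Date).ToUniversalTime() - $pwdLastSet).TotalDays)
    }

    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        PasswordChangeDisabled = $disabled
        MaximumPasswordAgeDays = $maxAgeDays
        AdPwdLastSetUtc        = $pwdLastSet
        AdPasswordAgeDays      = $ageDays
        AdAccountDisabled      = $accountDisabled
        SecureChannelHealthy   = $channelOk
        ChangeOverdue          = ($null -ne $ageDays -and -not $disabled -and $ageDays -gt $maxAgeDays)
    }
}

Get-MachineAccountPasswordState | Format-List
```

ChangeOverdue together with a healthy secure channel means the client has not completed a change since its interval passed but the old password is still accepted; AdAccountDisabled set to True points at something on the directory side rather than at the password itself.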