RE: System Account Password
From: Darren W. MacDonald (darrydoo@sympatico.ca)
Date: 11/27/01
- Previous message: Brad: "Re: Malicious use of grc.com"
- In reply to: Cav: "System Account Password"
- Next in thread: Scott Grundeen Strehlow: "RE: System Account Password"
- Next in thread: Edward Petrie-Smith: "Re: System Account Password"
- Reply: Scott Grundeen Strehlow: "RE: System Account Password"
From: "Darren W. MacDonald" <darrydoo@sympatico.ca>
To: "'Cav'" <Cav@hawaii.rr.com>, <focus-ms@securityfocus.com>
Subject: RE: System Account Password
Date: Mon, 26 Nov 2001 18:50:05 -0500
Message-ID: <005901c176d5$15d35e90$a0fea8c0@dellydoo>

Steven:

I believe you are correct as to the reason for the message. The trust
relationship between the laptops and the domain expires after two weeks;
I'd recommend that you have users log in at least that often, or at
least once per week just to get them in the habit. They're doing
themselves a favour.

Can the users log in with cached credentials and then establish their
DUN/VPN connection? Other than not running the login script, this might
be a good alternative to attempting to repair the problem.

If the above works, and you can ping the laptop, then you can try the
following: from a PC on your network, connect to the IPC$ share of the
laptop using its local administrator credentials:

    NET USE \\<laptop>\IPC$ /user:<laptop>\administrator <password>

and then run NETDOM.EXE, from the Resource Kit, to fix the problem:

    NETDOM /DOMAIN:<domain> MEMBER \\<laptop> /JOINDOMAIN

Note that this won't work if your VPN solution won't allow you to
connect to the laptop in question from your network, say if NAT is being
used.

Alternatively, it is possible to use SMS Installer (or any other
packaging tool like InstallShield, etc.) to create an EXE containing
NETDOM.EXE and SU.EXE (also from the Resource Kit). As long as the SU
service is already installed on the laptop, the SMS Installer package
can install these tools to a temporary location, and have SU call NETDOM
with elevated privileges, so that the domain can be rejoined by a user.
Email me if you want more details, as it's a bit ugly.

TTYL
Darren

> -----Original Message-----
> From: Cav [mailto:Cav@hawaii.rr.com]
> Sent: November 26, 2001 3:10 AM
> To: FOCUS-MS@SECURITYFOCUS.COM
> Subject: System Account Password
>
> Hi,
>
> I administer a Windows NT4 domain and am having issues with remote dial-up
> (VPN) users who travel. Occasionally, these users are going on travel and
> are experiencing problems with their machine account passwords. They get
> to the remote location and logon using dial-up networking and are getting
> the following error message.
>
> The system could not log you on to this domain because the system's
> computer account in its primary domain is missing or the password on that
> account is incorrect
>
> The computer accounts do exist (they're added to the domain during the
> standard laptop build), and so I believe these users are using their
> laptops only after an extended period of non-usage, causing the machine
> account passwords to be out of sync. Is this true or could it be
> something else (it happens occasionally, but much less frequently to
> workstations on the domain)? And the biggest question I have is how can
> I resolve this issue while the user is on travel (i.e. remotely)? The
> users don't have administrator access to their laptops, basically just
> user access. Currently we're subjected to sending up a replacement hard
> drive to the user...not a very convenient process. Any help would be
> appreciated.
>
> -Steven T.
>