Re: System Account Password
From: Edward Petrie-Smith (PETRIEE@uk.ibm.com)
Date: 11/27/01
Subject: Re: System Account Password
To: Cav <Cav@hawaii.rr.com>
Message-ID: <OF1F1CBCD9.84779271-ON80256B11.00339A32@portsmouth.uk.ibm.com>
From: "Edward Petrie-Smith" <PETRIEE@uk.ibm.com>
Date: Tue, 27 Nov 2001 10:42:53 +0000
Steven,
Just an idea, don't know if this is any help or if it's right.
I would assume that this is happening because the Domain controller has
reset the password on the computer's account? This happens automatically
every seven days I think, and if you say that the users do not dial in
regularly the passwords would get out of sync.
Have a look in the Security event log for a Success Audit event 628 (User
account password set) with the computer's name in the description field as
the Target Account Name:. The user generating the event will be NT
AUTHORITY\SYSTEM. The computer name will have a dollar sign ($) after it,
for example computername$.
Whether or not this is correct will depend if the Domain controller will
only go through the process if it can talk to the computer in question.
Obviously somebody on the group will be able to correct me on this.
However, if this is the case then there is a registry tweak to determine
the period that the DC changes the computer account, so it should be quite
easy to lengthen this. Have a look at Microsoft Knowledge base article
http://support.microsoft.com/support/kb/articles/Q154/5/01.asp (How to
Disable Automatic Machine Account Password Changes) to totally disable
this, but which opens up a security concern, or
http://support.microsoft.com/support/kb/articles/Q175/4/68.ASP (Effects of
Machine Replication on a Domain) on how to change the period between
computer account resets.
Regards, Edward Petrie-Smith,
notes: Edward Petrie-Smith/UK/IBM
e-mail: petriee@uk.ibm.com
Cav <Cav@hawaii.rr.com>
To: FOCUS-MS@securityfocus.com
cc:
Subject: System Account Password
26/11/01 08:09
Hi,
I administer a Windows NT4 domain and am having issues with remote dial-up
(VPN) users who travel. Occasionally, these users are going on travel and
are experiencing problems with their machine account passwords. They get
to the remote location and logon using dial-up networking and are getting
the following error message.
The system could not log you on to this domain because the system's
computer account in its primary domain is missing or the password on that
account is incorrect
The computer accounts do exist (they're added to the domain during the
standard laptop build), and so I believe these users are using their
laptops only after an extended period of non-usage, causing the machine
account passwords to be out of sync. Is this true or could it be something
else (it happens occasionally, but much less frequently to workstations on
the domain)? And the biggest question I have is how can I resolve this
issue while the user is on travel (i.e. remotely)? The users don't have
administrator access to their laptops, basically just user
access. Currently we're subjected to sending up a replacement hard drive
to the user...not a very convenient process. Any help would be
appreciated.
-Steven T.
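
The event-log check suggested in the reply, as an added example that is not part of either message: it filters an exported Security log for Success Audit event 628 raised by NT AUTHORITY\SYSTEM against an account name ending in `$`, then lists machine accounts whose last password set is older than a chosen period. The CSV layout, the sample records, the function names and the `period_days` default (the seven days the reply tentatively mentions) are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (not a real tool's format):
# timestamp, event ID, audit type, caller, Target Account Name
SAMPLE_LOG = """\
2001-11-01 09:14:02,628,Success Audit,NT AUTHORITY\\SYSTEM,LAPTOP01$
2001-11-05 08:30:11,628,Success Audit,CORP\\helpdesk,jsmith
2001-11-08 09:20:45,628,Success Audit,NT AUTHORITY\\SYSTEM,LAPTOP01$
2001-11-03 10:02:19,628,Success Audit,NT AUTHORITY\\SYSTEM,LAPTOP02$
2001-11-12 07:55:00,528,Success Audit,CORP\\jsmith,jsmith
2001-11-15 09:31:07,628,Success Audit,NT AUTHORITY\\SYSTEM,LAPTOP01$
"""

def machine_password_sets(log_text):
    """Return {machine account: sorted times of event 628 set by SYSTEM}."""
    changes = {}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:              # skip blank or malformed lines
            continue
        ts, event_id, audit, caller, target = (f.strip() for f in row)
        if event_id != "628" or audit != "Success Audit":
            continue
        if caller.upper() != "NT AUTHORITY\\SYSTEM":
            continue                   # password set by a person, not the system
        if not target.endswith("$"):   # machine accounts carry a trailing $
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        changes.setdefault(target.upper(), []).append(when)
    return {name: sorted(times) for name, times in changes.items()}

def overdue_accounts(changes, as_of, period_days=7):
    """Machine accounts whose last password set is older than period_days."""
    limit = timedelta(days=period_days)
    return sorted(n for n, t in changes.items() if as_of - t[-1] > limit)

if __name__ == "__main__":
    found = machine_password_sets(SAMPLE_LOG)
    for name, times in sorted(found.items()):
        print(name, [t.isoformat(sep=" ") for t in times])
    print("overdue:", overdue_accounts(found, datetime(2001, 11, 20)))
```
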