Computer account issues with vm snapshots

If you are often jumping back and forth between snapshots in your virtualized environment, you have probably had problems with computers that are unable to establish a secure connection with the domain. Basically, you have to rejoin the computer to the domain or reset password for the computer account, after restoring a snapshot. And you may question yourself, why this happens sometimes but not always?

You may see this in the eventlog

The short explanation is, the password for the computers domain account does not match the one in AD, and have to be reset by either resetting the password or rejoining the domain.

The solution is to either create a script that resets the computer account, OR which is nicer but not always applicable in all environments, is to make sure the passwords always match!

There is a Local Security setting, which you can set on those computers that you need to restore (it’s a per computer setting so you don’t have to apply it to all of your computers). I usually do this in my Lab and Demo environments, so I can restore individual snapshots without worrying about this.

Just “Enable” the policy:

That will prevent those computers from changing their password in AD, so it will always match no matter which snapshot you jump back and forth to.
Though, the password changes for the computer account is a security precaution, disabling them could make it possible for a malicious user to get hold of the computer password and use it to Authenticate to the domain to read information.

The long(er) explanation:
A computer account is like a User Account, except for a few things. Like that a computer account password never expires, So even if you define that your users have to set a new password every 30 days, your computer accounts could use the same password for ever.

A Windows computer (client or server) will do a client side initiated password change according to the policy.

This means, that the client will by default initiate a password change every 30 day, when it has contact with the Domain. If the password change is successful, it will store the previous password as “OldVal” (Old Value) and the new Password as “CurrVal” (Current Value) in the registry at HKLM\SECURITY\Policy\Secrets\$machine.ACC.
If the client does not have contact with the Domain but the password is older than 30 days, it’s going to check (by default) every 15 minute if there is a Secure Channel to a DC and if it can initiate a password change.

When a client is booting, it will try to logon to the domain with the current password, if that fails, it will try with the previous password as a fail safe, in case the new password has not replicated to the other DC’s yet.

The reason a computer can join a domain with a pre-staged account where you as a user does not have the “Domain Join” permissions, is that the computer will simply logon with  username: computername and password: computername$ (small letters with a $ at the end), and when the client has joined the domain, it will initiate a password reset and set a secure password.

And as stated above, the cool thing is that these policy settings are per computer. So you can use the 30 days default for all of your domain, except for a few computers that’s being used in testing or for application packaging where you regularly restore your snapshots.

The 30 day password change, is also the reason it’s so common to search the AD for inactive computer accounts by looking at the last password change. If the client has not changed password in the last ~90 days, it’s probably not in use anymore and the computer account can be deleted or inactivated.

There is a great article on this subject “Machine Account Password Process” written by the Microsoft “Directory Services Team” if you want even more in-depth information on Computer Account Passwords.