A Geeks World

Markus Lassfolk's blog about Technical Stuff, mainly Windows related.

Computer account issues with vm snapshots

If you often jump back and forth between snapshots in your virtualized environment, you have probably had problems with computers that are unable to establish a secure channel with the domain after a restore. Basically, you have to rejoin the computer to the domain or reset the computer account's password every time you roll a snapshot back. And you may ask yourself why this happens sometimes but not always.

You may see this in the System event log on the domain controller (NETLOGON Event ID 5722):

    The session setup from the computer DomainMember failed to authenticate.
    The name of the account referenced in the security database is DomainMember$.
    The following error occurred: Access is denied.

The short explanation is that the password the computer holds for its domain account (the one saved inside the snapshot) no longer matches the one stored in AD, so the secure channel cannot be set up. It has to be brought back in sync either by resetting the computer account password or by rejoining the domain.

The solution is either to create a script that resets the computer account after every restore, OR, which is nicer but not always applicable in all environments, to make sure the passwords always match in the first place.
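The scripted route, as an added example that is not part of the original post: one function for the domain controller side, which lists the computers currently producing the NETLOGON 5722 events shown above, and one for the restored VM, which checks the secure channel and resets the machine account password only when it is actually broken. Server and credential names are placeholders; the cmdlets (Get-WinEvent, Test-ComputerSecureChannel) ship with Windows 8 / Server 2012 and later.

```powershell
# Added example, not code from the original post.
# Get-FailedSecureChannelSetups: run on a DC (or point -ComputerName at one).
# Repair-MachineSecureChannel:   run elevated on the restored VM.

function Get-FailedSecureChannelSetups {
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME   # a DC; placeholder default
    )
    # NETLOGON event 5722 is the DC-side record of the mismatch. Its insertion
    # strings are: 0 = computer name, 1 = account name (NAME$), 2 = error text.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5722
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Computer = $_.Properties[0].Value
                Account  = $_.Properties[1].Value
                Error    = $_.Properties[2].Value
            }
        } |
        Group-Object Computer |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Computer'; e = { $_.Name } },
                      Count,
                      @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time)[-1].Time } }
}

function Repair-MachineSecureChannel {
    param(
        [string]$Server,                 # a specific DC to talk to, e.g. 'DC01' (placeholder)
        [pscredential]$Credential        # an account allowed to reset this computer object
    )
    # Test first: a restore onto a snapshot whose password still matches AD
    # needs no reset at all, which is the point of the policy discussed below.
    if (Test-ComputerSecureChannel) {
        Write-Host 'Secure channel OK; no reset needed.'
        return $true
    }
    Write-Warning 'Secure channel broken; resetting the machine account password.'
    # -Repair sets a new password both locally (LSA secret) and on the computer
    # object in AD, so the two match again without a rejoin or a reboot.
    $params = @{ Repair = $true }
    if ($Server)     { $params.Server     = $Server }
    if ($Credential) { $params.Credential = $Credential }
    Test-ComputerSecureChannel @params
}
```

On the DC, `Get-FailedSecureChannelSetups -Hours 48` gives you the list of machines to look at; on each of those, `Repair-MachineSecureChannel -Server DC01 -Credential (Get-Credential)` fixes the channel and returns `$true` on success. Running the repair unconditionally after every restore also works, but the test-then-repair form is what you want in a scheduled task, because it does nothing when nothing is wrong.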

There is a Local Security setting, which you can set on those computers that you need to restore (it’s a per computer setting so you don’t have to apply it to all of your computers). I usually do this in my Lab and Demo environments, so I can restore individual snapshots without worrying about this.

Just “Enable” the policy (Local Security Policy, or in a GPO under Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Security Options):

    Domain member: Disable machine account password changes

    Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days.

    Default: Disabled.

That will prevent those computers from ever changing their password in AD, so the password stored in any snapshot will always match the one in AD, no matter which snapshot you jump back and forth to.
Keep in mind what you give up, though. The periodic password change is a security precaution: it limits how long a captured machine account password stays useful. The current password sits in the LSA secrets on the machine, so anyone with local administrator or SYSTEM access can extract it, and with rotation disabled that password keeps working indefinitely, letting an attacker authenticate to the domain as that computer account and read whatever the account is allowed to read. That is acceptable for throwaway lab and demo VMs; it is not something to roll out to production members.
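The two “Domain member” security options above are backed by values under the Netlogon service's Parameters key, which makes them easy to inspect and to flip per machine from a script. The following is an added example, not code from the original post; the registry value names are the documented backing of the policies, while the -Lab switch and function names are this example's own.

```powershell
# Added example, not code from the original post. Run elevated on the VM.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-MachinePasswordPolicy {
    $p = Get-ItemProperty -Path $NetlogonKey
    # An absent value means "default": rotation on, 30 days, re-check every 900 s.
    $disable  = if ($null -ne $p.DisablePasswordChange) { [int]$p.DisablePasswordChange } else { 0 }
    $maxAge   = if ($null -ne $p.MaximumPasswordAge)    { [int]$p.MaximumPasswordAge }    else { 30 }
    $scavenge = if ($null -ne $p.ScavengeInterval)      { [int]$p.ScavengeInterval }      else { 900 }
    [pscustomobject]@{
        DisablePasswordChange   = $disable    # 1 = "Disable machine account password changes" Enabled
        MaximumPasswordAgeDays  = $maxAge     # "Maximum machine account password age"
        ScavengeIntervalSeconds = $scavenge   # how often netlogon checks whether a change is due
    }
}

function Set-MachinePasswordPolicy {
    param([switch]$Lab)
    if ($Lab) {
        # Snapshot-friendly lab setting: the computer never rotates its password,
        # so every snapshot carries the same secret that AD holds. See the
        # trade-off above before using this anywhere but a lab.
        Set-ItemProperty -Path $NetlogonKey -Name DisablePasswordChange -Value 1 -Type DWord
    } else {
        # Production defaults: rotation enabled, every 30 days.
        Set-ItemProperty -Path $NetlogonKey -Name DisablePasswordChange -Value 0  -Type DWord
        Set-ItemProperty -Path $NetlogonKey -Name MaximumPasswordAge    -Value 30 -Type DWord
    }
    Get-MachinePasswordPolicy
}

# Typical lab workflow: set, reboot, then take the snapshot you intend to keep
# restoring, so the saved state already has rotation turned off.
# Set-MachinePasswordPolicy -Lab
```

`Get-MachinePasswordPolicy` on an untouched machine reports `DisablePasswordChange = 0`, `MaximumPasswordAgeDays = 30`, `ScavengeIntervalSeconds = 900`, which is exactly the default behaviour described in the longer explanation below. Because a GPO that sets these options will overwrite the local value at the next policy refresh, apply the lab setting through a GPO scoped to the lab OU, or keep those VMs out of any GPO that configures it.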

The long(er) explanation:
A computer account is like a user account, except for a few things. One is that the domain password policy does not apply to it: a computer account password never expires on the AD side. So even if you require your users to set a new password every 30 days, a computer account could use the same password forever unless the computer itself changes it.

A Windows computer (client or server) initiates the password change itself (the DC never forces it), according to this policy:

    Domain member: Maximum machine account password age
    This security setting determines how often a domain member will attempt to change its computer account password.
    Default: 30 days.

This means that the client will by default initiate a password change every 30 days, when it has contact with the domain. If the password change is successful, it stores the previous password as “OldVal” (Old Value) and the new password as “CurrVal” (Current Value) in the registry under HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC (readable only as SYSTEM).
If the client does not have contact with the domain but the password is older than 30 days, it checks (by default) every 15 minutes whether it has a secure channel to a DC and whether it can initiate the password change.

When a client boots, it tries to log on to the domain with the current password; if that fails, it tries the previous password as a fail-safe, in case the new password has not yet replicated to the DC it happens to reach.

The reason a computer can join a domain using a pre-staged account, even when you as a user do not have the permission to join computers to the domain, is that the computer simply logs on as itself with username: computername and password: computername$ (lowercase, with a $ at the end). Once the client has joined the domain, it initiates a password change and sets a secure, random password.

And as stated above, the nice thing is that these policy settings are per computer. So you can keep the 30-day default for your whole domain, except for a few computers that are used for testing or application packaging, where you regularly restore snapshots.

The 30-day password change is also the reason it is so common to search AD for inactive computer accounts by looking at the last password change (pwdLastSet). If a computer has not changed its password in the last ~90 days, it is probably not in use anymore and the account can be disabled or deleted. Keep in mind that computers with password changes disabled, like the lab VMs above, will show up in such a search even though they are in use.
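The stale-account search the paragraph describes, as an added example that is not part of the original post. It uses the ActiveDirectory module from RSAT; the OU path is a placeholder. LastLogonDate is pulled in alongside PasswordLastSet as a second signal, precisely because a machine with “Disable machine account password changes” enabled will look stale on pwdLastSet alone.

```powershell
# Added example, not code from the original post. Requires RSAT / the
# ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-StaleComputerAccounts {
    param(
        [int]$Days = 90,
        [string]$SearchBase    # e.g. 'OU=Workstations,DC=corp,DC=example,DC=com' (placeholder); omit for whole domain
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    $params = @{
        # PasswordLastSet is the friendly form of pwdLastSet. Enabled -eq $true
        # skips accounts already disabled in an earlier pass.
        Filter     = "PasswordLastSet -lt `$cutoff -and Enabled -eq `$true"
        Properties = 'PasswordLastSet', 'LastLogonDate', 'OperatingSystem'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADComputer @params |
        Select-Object Name, PasswordLastSet, LastLogonDate, OperatingSystem,
                      @{ n = 'DaysSincePasswordSet'; e = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } },
                      @{ n = 'RecentLogon';          e = { $_.LastLogonDate -gt $cutoff } } |
        Sort-Object PasswordLastSet
}

# Review first; RecentLogon = True with an old PasswordLastSet is the pattern of
# a live machine that has rotation disabled, not a dead one.
# Get-StaleComputerAccounts -Days 90 | Out-GridView
#
# Then disable rather than delete, so a machine that was merely offline can be
# recovered without a rejoin:
# Get-StaleComputerAccounts -Days 90 | Where-Object { -not $_.RecentLogon } | Disable-ADAccount -WhatIf
```

The filter string is handed to Get-ADComputer, which resolves the `$cutoff` variable itself (the backticks keep PowerShell from expanding it early), so the date comparison is done server-side by the domain controller rather than by fetching every computer object and filtering locally.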

There is a great article on this subject “Machine Account Password Process” written by the Microsoft “Directory Services Team” if you want even more in-depth information on Computer Account Passwords.

Author: Markus Lassfolk. Posted on 2013-02-09.
Categories: Uncategorized, Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012, Windows Vista.
Tags: account, computer, hyper-v, password, reset.
