Windows Disk Protection on Domain-Joined Computers

  • Question

    Hello all,

     

    The handbook for SteadyState has a small section called 'Windows Disk Protection on Domain-Joined Computers' which states:

    "When a computer running Windows XP Professional is joined to an Active Directory domain, the computer uses a computer account password to authenticate with the domain and gain access to domain resources. By default, the domain-joined computer initiates a change to the computer account password automatically within every 30-day period. A domain controller accepts the password change and allows the domain-joined computer to continue to authenticate. The new password is stored locally on the domain-joined computer and can be confirmed by Active Directory. If a password change fails, or if a domain-joined computer attempts to use an incorrect password, the computer will not be capable of accessing the domain."

    but doesn't really elaborate on whether this means you can't use Disk Protection on a domain machine or if there is some work-around (possibly during the Windows Update window?).

     

    Any thoughts?

    Sunday, July 1, 2007 3:25 AM

Answers

  • Hello Ronshsir,

     

    Thanks for posting in our newsgroup and also for Rpfeffer’s input.

     

    Yes, the computer password changing behavior described in Shared Computer Toolkit documents still applies to SteadyState:

     

    When Windows Disk Protection is enabled in SteadyState, the system disables automatic password changes for the machine account.  Then, during the software update cycle, the system updates the machine account password.  If Windows Disk Protection is disabled later, it enables automatic password changes again.

     

    Hope the information helps.

     

    If you have any concern about this issue, please don’t hesitate to let me know.

     

     

    Tuesday, July 3, 2007 2:52 AM

All replies

  • Upon further poking around, I found the following in documentation for the Shared Computer Toolkit:

     

    When Windows Disk Protection is turned on, the tool disables the automatic client-initiated machine account password updates on the computer. Windows Disk Protection then automatically initiates a password change every time disk changes are saved. This happens one time when Windows Disk Protection is turned on. Thereafter, the update occurs at each restart where disk changes are saved. At a minimum, this happens during the scheduled critical update process.

    So is this still true in SteadyState?  I'm assuming yes, but can't find anything to back that up documentation-wise.

     

    Thanks!

    Monday, July 2, 2007 2:25 AM
  • I am curious about this as well, but as RonShir says, the documentation is quite vague in regards to this issue.  We are looking to "retain changes indefinitely" and just resort to the base image in extreme instances, so that is usually going to go above and beyond the 30 day time period in which the machine automatically resets the machine domain account password. 

     

    Would a work around be to simply raise the number of days it keeps that computer domain account password?  Would there be a downfall to setting that at 120 days as opposed to 30 days that is the default?

    Monday, July 2, 2007 6:24 PM
  • Robert,

     

    So that means that as long as Windows updates are installed, the password would be reset and the machine would be able to successfully remain on the domain?

     

    My worry about using this software is that if we "retain changes indefinitely", the machine password will expire and the computer will no longer be able to access our domain.  Any further clarification would be appreciated.

     

    Thanks in advance!

    Tuesday, July 3, 2007 1:21 PM
  • Yes, when the updates have been installed, the password is reset and you can log on to the domain.

     

    When Disk Protection is turned on, if you don’t install the critical updates, the client will never request AD to change the machine password, so it continues to use the original password.

     

    If you schedule the critical update, when the process starts, the client will request AD to change the password, and the new password will be stored on the local computer. So the password will never expire and you can log on to the domain successfully.

     

    Wednesday, July 4, 2007 9:39 AM
  • Hi!

    This thread is very old but Robert could you please answer me this:

    What would happen if your machines were off for longer than, say, the 30-day period, therefore missing the updates process - would you fail to be able to log in/access the domain?

    Thanks if you're able to respond to this!
    Friday, November 6, 2009 12:48 PM
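
An added example, not part of the original thread and not SteadyState's own code: a Windows PowerShell check of the machine account password state discussed above, from the client side and from the domain side. It assumes the standard Netlogon values `DisablePasswordChange` and `MaximumPasswordAge` are the ones in play (the thread does not say how SteadyState disables the automatic change); the function names are hypothetical.

```powershell
# Added example. Assumption: the standard Netlogon registry values govern the
# machine account password; the thread does not say how SteadyState toggles it.

function Get-MachinePasswordPolicy {
    # Local view: is the automatic change disabled, and what is the interval?
    $path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $params = Get-ItemProperty -Path $path -ErrorAction Stop

    # Absent values mean the Windows defaults: changes enabled, 30 days.
    $disabled = 0
    if ($null -ne $params.DisablePasswordChange) { $disabled = [int]$params.DisablePasswordChange }
    $maxAge = 30
    if ($null -ne $params.MaximumPasswordAge) { $maxAge = [int]$params.MaximumPasswordAge }

    # True when the locally stored machine password still matches the domain's.
    $channelOk = $false
    try   { $channelOk = [bool](Test-ComputerSecureChannel -ErrorAction Stop) }
    catch { Write-Warning "Secure channel test failed: $($_.Exception.Message)" }

    New-Object PSObject -Property @{
        ComputerName           = $env:COMPUTERNAME
        AutoChangeDisabled     = ($disabled -eq 1)
        MaximumPasswordAgeDays = $maxAge
        SecureChannelHealthy   = $channelOk
    }
}

function Get-StaleMachineAccount {
    # Domain view: computer accounts whose password was last set more than
    # $Days ago. Requires the ActiveDirectory module (RSAT).
    param([int]$Days = 30)
    Import-Module ActiveDirectory -ErrorAction Stop
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ADComputer -Filter * -Properties PasswordLastSet |
        Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff } |
        Sort-Object PasswordLastSet |
        Select-Object Name, PasswordLastSet
}

Get-MachinePasswordPolicy | Format-List
# Get-StaleMachineAccount -Days 30   # run from a management workstation
```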