SteadyState PCs Lose Domain Relationship

  • Question

  • We have recently installed a number of PCs in our Library and as these are shared workstations we have decided to lock them down with Windows SteadyState.

    The PCs are running Windows XP Pro 5.1.2600 with SP2 applied and are joined to a Windows Server 2003 environment.

    We have created a template user profile (LocalUser) and copied this to the Default User profile to ensure that anybody logging in with their AD account will pick up the SteadyState policies.  We have also enabled WDP and the Scheduled Software Updates (to run at 03:00 each day).

    The issue that we have is that intermittently, the PCs are failing to connect to the domain - users receive the following error:

    "Windows cannot connect to the domain either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again later. If this message continues to appear contact your System Administrator for assistance."

    I have checked the System Event Logs and there is a corresponding Event for this issue:

    Source:   NETLOGON
    Type:     Error
    Event ID: 5721

    "The session setup to the Windows NT or Windows 2000 Domain Controller \\zzzzzz.xxxxxxx.yyyyyy for the domain zzzzzz failed because the Domain Controller does not have an account for the computer xxxxx."

    Therefore it would appear that WDP is somehow stopping the computer account password from updating with AD, and that because this is not being updated the domain relationship is lost.  I had read the following from page 51 of the SteadyState Handbook which backs this up:

    "When a computer running Windows XP Professional is joined to an Active
    Directory domain, the computer uses a computer account password to
    authenticate with the domain and gain access to domain resources. By default,
    the domain-joined computer initiates a change to the computer account
    password automatically within every 30-day period. A domain controller accepts
    the password change and allows the domain-joined computer to continue to
    authenticate. The new password is stored locally on the domain-joined computer
    and can be confirmed by Active Directory. If a password change fails, or if a
    domain-joined computer attempts to use an incorrect password, the computer
    will not be capable of accessing the domain."

    It was my understanding that if the Scheduled Software Update setting was enabled however, that this would allow the computer account password to be renewed (and as we have this set daily at 03:00 then there shouldn't be a problem).

    Can anyone offer a solution to this issue?  At present each time this happens, we are having to log into the PCs as a local admin and rejoin them to the domain - which is not very good when there are 20+ PCs to visit each time....
    Monday, July 6, 2009 9:34 AM

Answers

  • Hi CIC_Dave, thanks for the post. I'd like to inform you that we have a workaround regarding the current issue; you can check the following:

    Every 30 days a computer tries to change its domain password. This behavior conflicts with SteadyState. There is a very simple solution for this: change the value on all clients with SteadyState installed to 9999 (which is about 27 years instead of 30 days). I have tested this and this is also the way DeepFreeze (similar to SteadyState) works. When you install DeepFreeze, this value is automatically changed to 9999. Maybe this is also an option for the next version of SteadyState?

    You can use this .reg file ( 9999 decimal = 0000270f hex ):

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
    "DisablePasswordChange"=dword:00000001
    "maximumpasswordage"=dword:0000270f

    For detailed information, you can check the following thread:

    Steady State and Domain Workstation Accounts
    http://social.technet.microsoft.com/Forums/en-US/windowssteadystate/thread/4468966c-cc53-4656-8014-ef850f217d38/

    Hope this helps!

    Sean Zhu - MSFT
    • Marked as answer by Sean Zhu - Monday, July 13, 2009 3:26 AM
    Tuesday, July 7, 2009 4:02 AM
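An added audit script (not part of the thread or of SteadyState) that reads the two Netlogon values the answer's .reg file sets, checks whether the secure channel to the domain is still intact, and lists recent NETLOGON 5721 events like the one the question quotes. It assumes a domain-joined workstation with PowerShell 2.0 or later (Windows XP itself lacks Get-WinEvent and Test-ComputerSecureChannel, so on XP the same checks are done with regedit and Event Viewer); the function names and the -SetLikeAnswer switch are my own.

```powershell
# Added example: audit Netlogon machine-password settings, secure-channel
# health and Event ID 5721 on the local domain-joined workstation.
# -SetLikeAnswer applies the same values as the .reg file in the answer.
param([switch]$SetLikeAnswer)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-NetlogonPasswordPolicy {
    $p = Get-ItemProperty -Path $key
    # Windows defaults when the values are absent: rotation on, 30-day age.
    $disabled = if ($null -ne $p.DisablePasswordChange) { [int]$p.DisablePasswordChange } else { 0 }
    $maxAge   = if ($null -ne $p.MaximumPasswordAge)   { [int]$p.MaximumPasswordAge }   else { 30 }
    New-Object PSObject -Property @{
        Computer               = $env:COMPUTERNAME
        DisablePasswordChange  = $disabled
        MaximumPasswordAge     = $maxAge
        # True when this client will no longer initiate password rotation,
        # which is the state the answer's .reg file puts the machine in.
        RotationEffectivelyOff = ($disabled -eq 1 -or $maxAge -ge 9999)
    }
}

function Set-NetlogonPasswordPolicyLikeAnswer {
    # Same values as the answer: 1 and 9999 decimal (0x270f).
    Set-ItemProperty -Path $key -Name DisablePasswordChange -Value 1    -Type DWord
    Set-ItemProperty -Path $key -Name MaximumPasswordAge    -Value 9999 -Type DWord
}

function Get-Recent5721Events([int]$Days = 30) {
    # 5721: the DC has no account (or no matching password) for this computer.
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5721
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

if ($SetLikeAnswer) { Set-NetlogonPasswordPolicyLikeAnswer }

Get-NetlogonPasswordPolicy | Format-List
# $false here means the trust has already broken, the state that forced a
# manual rejoin in the question. Test-ComputerSecureChannel -Repair can
# reset it, but needs domain credentials and is deliberately not run here.
"Secure channel healthy: " + (Test-ComputerSecureChannel)
Get-Recent5721Events | Format-Table -AutoSize
```

Running it without -SetLikeAnswer is read-only, so it can be used to inventory which SteadyState clients already carry the 9999 setting and which ones have started logging 5721 before users see the "cannot connect to the domain" dialog.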

All replies

  • Sean,

    Based on the tweak suggested above, would any password changes done in Active Directory pose any issue even if this registry tweak has been set?  My understanding is client PCs would have a security file that should match the password made in Active Directory, please correct me if I'm wrong about this?

    If indeed this is correct, a simple workaround would be to set the client PC to save changes whenever password changes have been made in Active Directory and applied in client PCs?  Do you have a better alternative to this making things easier?

    Thanks.

    Wednesday, July 15, 2009 8:46 AM