Answers inline.
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

1. On average, how long do you allow computer accounts to stay deactivated in your domain, and what issues do you run into when machines are disconnected longer than, say, the 60 days? (I think I remember reading somewhere that secure channel passwords get reset every 30 days on machine accounts.) If the passwords are out of sync when the machine tries to join the domain again, will they auto-renegotiate a new secure channel password even though the password is out of sync, or does it always require resetting the secure channel?

We generally do a sweep once or twice a quarter, and kill anything older than 90 days. Then again, we don't have huge amounts of machine turnover since we're not a huge company.

2. Do you allow machines that are primarily home machines to connect in as domain resources, or do you use other means to provide remote access to domain resources? If so, what alternative means do you provide for remote access to resources?

We only allow corporate-owned resources on the network - including limiting the distribution of the VPN client to only company-owned laptops. The only service we provide for non-company remote access is Outlook Web Access for email.

3. Finally, do you require machines to go through a provisioning process when the computer account is created and removed from the domain? If so, how do you manage the process? In today's domains, I would think it would be desirable with the need to have certificates issued for EFS, etc.

Not currently, although we're trying to revamp our machine build process to a point where this might be more easily accomplished.
