Hmmm... I'd expect that the domain had the "password change at next logon" flag
set for the computer accounts, but since that logon never happens, the
password would technically still be valid. I'm having a hard time wording
what I think the underlying problem here is, but it's systemic in the
authorization and authentication mechanism.

It's interesting to know that NETLOGON being stopped only denies local logons
and not domain ones; I'd have assumed that all authentication would be done
by it.

Roger
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
 

> -----Original Message-----
> From: joe [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 06, 2004 8:31 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Cached Domain Credential logon expiry for Win2k/XP
>
> I am actually starting to wonder about this and how it actually works, and
> now have some new theories.
> 
> I recently had to troubleshoot an issue and there were machines with
> passwords that were greater than 600 days old. The password had never been
> changed from the first day the machines were added to the domain, and the
> machines WERE working fine with the domain.
> 
> The issue ended up being that the NETLOGON service had been disabled on the
> workstation. This made it so you couldn't use any local principals, but you
> could still log on with a domain ID. The NETLOGON service is what keeps the
> passwords getting updated, as well as the SP level and probably some other
> things in AD. I am sure there were probably some other things that weren't
> working quite exactly as expected either, but the users seemed to have no
> issues. As soon as the service was restarted, the password changes started
> occurring again.
> 
> I didn't have a chance to really dig into why the accounts kept working,
> whether it was some special flag or not; we just wanted it cleaned up.
> 
> Since the passwords were that old, though, and the people could still use
> the domain, it makes me wonder if the passwords truly "break" for
> workstations, or if it isn't on the workstation side versus the domain
> side... i.e. the workstation is completely responsible for the whole process
> and you actually have no control from the domain side. I always wondered how
> the regedit on the workstation could change the functionality; this would
> explain that.
> 
>   joe
> 
> 
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: Thursday, May 06, 2004 7:43 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Cached Domain Credential logon expiry for Win2k/XP
> 
> Default password aging for machine accounts is 30 days in AD and 7 days in
> NT4 domains.
>
> Now, it will support current and previous, I believe, so technically you can
> get 60 days out of it, IIRC.
> 
> --------------------------------------------------------------
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>  
> 
> > -----Original Message-----
> > From: Depp, Dennis M. [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, May 06, 2004 6:54 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Cached Domain Credential logon expiry for 
> > Win2k/XP
> > 
> > There is not a time limit for cached credentials, but if the machine does
> > not change its password it will not be able to talk to the domain when it
> > returns.  The default time for this is 90 days.
> >  
> > Denny
> > 
> > 
> > ________________________________
> > 
> >     From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of joe
> >     Sent: Wednesday, May 05, 2004 12:01 PM
> >     To: [EMAIL PROTECTED]
> >     Subject: RE: [ActiveDir] Cached Domain Credential logon expiry for Win2k/XP
> >     
> >     
> >     Our cached logon expert is Rick; he should be along shortly with
> >     info... :o)
> >
> >     I do not believe that there is an expiration. However, a simple test
> >     would be to take a test domain and set the password policy to 1 or
> >     2 days, then join a laptop and see what happens if you don't log on
> >     to the domain for 3 or 5 days or whatever.
> >      
> >        joe
> > 
> > ________________________________
> > 
> >     From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> >     Sent: Wednesday, May 05, 2004 11:47 AM
> >     To: [EMAIL PROTECTED]
> >     Subject: [ActiveDir] Cached Domain Credential logon expiry for Win2k/XP
> >     
> >     
> > 
> >     Does anyone know how long cached credentials for domain logons are
> >     valid on Win2K/XP machines?  Is there even an expiry date?  A concern
> >     was raised by our desktop OS group that cached credentials for domain
> >     logons may expire for laptop users who spend considerable time away
> >     from the office, leaving them unable to access the workstation.  In my
> >     life as a road warrior, I never had this happen to me, but I was never
> >     away from a network connection (VPN or otherwise) for more than 2
> >     weeks.
> > 
> >     I have been searching for a definitive answer in terms of a KB
> >     article or some other "authoritative source" (I guess my "trust me"
> >     response was not authoritative enough), but have been unable to find
> >     one.
> > 
> > 
> > 
> >     David Frost 
> >     Directory Engineering, 
> >     Messaging, Directories and PKI Engineering Services 
> >     Industry Canada
> > 
> > 
> > List info   : http://www.activedir.org/mail_list.htm
> > List FAQ    : http://www.activedir.org/list_faq.htm
> > List archive: 
> > http://www.mail-archive.com/activedir%40mail.activedir.org/
> > 
> 
> 
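The thread argues about two things without a way to measure either: how old the machine-account passwords actually are in the directory (joe's ">600 days" boxes), and what on the workstation side governs whether they get rotated (the NETLOGON service and "the regedit on the workstation"). The script below is an added example, not something posted by any participant or shipped by Microsoft; it checks both. It assumes PowerShell 3 or later on a domain-joined host with LDAP reachability (so it runs from a modern admin box, not on a Win2K/XP client itself), that the registry value names are the documented Netlogon/Winlogon parameters, and that the 30-day age threshold is something you adjust to your own policy.

```powershell
# Added example, not from the thread: audit machine-account password rotation
# from both sides the discussion argues about. AD side: pwdLastSet on computer
# objects. Workstation side: the Netlogon/Winlogon registry values and the
# NETLOGON service state. Assumptions: PowerShell 3+ on a domain-joined host
# with LDAP reachability; value names are the documented Netlogon/Winlogon
# parameters; the default thresholds are assumptions to set to your policy.

function Get-StaleComputerAccounts {
    param([int]$Days = 30)
    # pwdLastSet is a FILETIME (100-ns ticks since 1601-01-01 UTC). LDAP compares
    # it numerically, so the age cut-off is applied server-side in the filter.
    $cutoff   = (Get-Date).ToUniversalTime().AddDays(-$Days).ToFileTimeUtc()
    $searcher = [adsisearcher]"(&(objectCategory=computer)(pwdLastSet<=$cutoff))"
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'pwdLastSet', 'operatingSystem'))
    foreach ($r in $searcher.FindAll()) {
        $pls = [int64]$r.Properties['pwdlastset'][0]
        $set = if ($pls -gt 0) { [datetime]::FromFileTimeUtc($pls) } else { $null }
        [pscustomobject]@{
            Name       = [string]$r.Properties['name'][0]
            OS         = [string]$r.Properties['operatingsystem'][0]
            PwdLastSet = $set
            # -1 marks "never set" (pwdLastSet = 0), which also matches the filter.
            PwdAgeDays = if ($set) { [int]((Get-Date).ToUniversalTime() - $set).TotalDays } else { -1 }
        }
    }
}

function Get-WorkstationRotationSettings {
    # Client-side controls over rotation, plus the service that performs it.
    $nl  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue
    $wl  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    $svc = Get-CimInstance Win32_Service -Filter "Name='Netlogon'"
    [pscustomobject]@{
        NetlogonState         = [string]$svc.State       # Running / Stopped
        NetlogonStartMode     = [string]$svc.StartMode   # Auto / Manual / Disabled
        DisablePasswordChange = [int]$nl.DisablePasswordChange   # 1 = never rotate; absent or 0 = rotate
        MaximumPasswordAge    = if ($nl.MaximumPasswordAge) { [int]$nl.MaximumPasswordAge } else { 30 }   # days, default 30
        CachedLogonsCount     = if ($wl.CachedLogonsCount) { [int]$wl.CachedLogonsCount } else { 10 }     # default 10
    }
}

function Test-MachinePasswordRotation {
    param([int]$MaxAgeDays = 30)
    $s   = Get-WorkstationRotationSettings
    $sam = $env:COMPUTERNAME + '$'
    $r   = ([adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$sam))").FindOne()
    $pls = if ($r) { [int64]$r.Properties['pwdlastset'][0] } else { 0 }
    $age = if ($pls -gt 0) { [int]((Get-Date).ToUniversalTime() - [datetime]::FromFileTimeUtc($pls)).TotalDays } else { -1 }
    $findings = @()
    if ($s.NetlogonState -ne 'Running' -or $s.NetlogonStartMode -eq 'Disabled') {
        $findings += "NETLOGON is $($s.NetlogonState)/$($s.NetlogonStartMode): the client will not rotate its password"
    }
    if ($s.DisablePasswordChange -eq 1) { $findings += 'DisablePasswordChange=1: rotation switched off in the registry' }
    if ($age -lt 0)                     { $findings += 'No pwdLastSet found in AD for this computer account' }
    elseif ($age -gt $MaxAgeDays)       { $findings += "Machine password is $age days old (threshold $MaxAgeDays)" }
    # Secure-channel probe needs local admin; if it cannot run, report unknown ($null).
    $chan = $null
    try { $chan = Test-ComputerSecureChannel -ErrorAction Stop } catch { }
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        PwdAgeDays      = $age
        SecureChannelOK = $chan
        Settings        = $s
        Findings        = $findings
    }
}

# Usage from an admin host:
#   Get-StaleComputerAccounts -Days 60 | Sort-Object PwdAgeDays -Descending | Format-Table -AutoSize
#   Test-MachinePasswordRotation -MaxAgeDays 30 | Format-List
```

The directory query does the age comparison inside the LDAP filter rather than pulling every computer object and filtering locally, which matters in large domains. The workstation check reports the raw settings alongside the findings so that a stopped service, a `DisablePasswordChange=1` override and an overly long `MaximumPasswordAge` can be told apart, since each of them produces the same symptom in AD: a `pwdLastSet` that never moves.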
