As far as the pwdlastset on the machine account in the domain this is all handled and enforced on the client side. Even in Windows, though it is not recommended, you can disable the client from changing its machine account password and there is nothing on the DC side that cares how stale that password is since machine accounts are treated special and do not follow under the rules of password expiration like user accounts do. With that said can you give us the exact text of the 675 error you are seeing as it could simply be that you are not doing Kerberos pre-auth or a host of other things?
Thanks, -Steve -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil Sent: Friday, July 22, 2005 2:54 AM To: '[email protected]' Subject: RE: [ActiveDir] OT: Macintoshes in AD not updating account passwo rd Your spell checker changed "too" to "to" as well :) -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: 21 July 2005 18:31 To: [email protected] Subject: RE: [ActiveDir] OT: Macintoshes in AD not updating account password BTW.. My spell check changed HIPAA to HIPPO, my apologies for not catching that I hope I do not sound to illiterate. Jose -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Medeiros, Jose Sent: Thursday, July 21, 2005 10:19 AM To: [email protected] Subject: RE: [ActiveDir] OT: Macintoshes in AD not updating account password Hi Thomas, I like MAC's and Windows and Linux, I am not a bigot. However I have not had an opportunity to join MAC OS 10.4 to Active Directory yet. I have joined 10.2 and 10.3, and used a product called Admit Mac by Thurbsy software http://www.thursby.com/. I did not experience the errors that you are seeing. A word of advice, I am not sure if Tiger yet supports NTLMv2 and SMB signing ( Admit Mac does ) and if you decide to raise your Active Directory Domain level to 2003 Native you may break your Mac's SMB connectivity. Since you seem to be using government email address I am sure that your superiors would want to use the highest level domain security as possible to meet the new Sarbanes-Oxley and or HIPAA law requirements, just keep in mind that your password authentication is probably still using LAN Manager based authentication. Have a great day Jose Medeiros Former Vice President and Postmaster NTEA MCP+I, MCSE, NT4 MCT www.ntea.net www.tvnug.org www.sfntug.org " Why can't we all just get along? " :-) ------------------------------------------------------------------------ ------ -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Thommes, Michael M. Sent: Thursday, July 21, 2005 9:15 AM To: [email protected] Subject: [ActiveDir] OT: Macintoshes in AD not updating account password We have been joining MacIntosh computers running the Tiger OS to Active Directory. One problem that I see is that these computers generate a Security Log Eventid 675 Account Authentication failure record on the domain controllers. Some research shows that the "pwdLastSet" attribute value for the computer account is the date they were first joined to AD. They don't seem to be renewing their computer account password at either the 7 day (NT) or 30 day (W2K, WXP) timeframes like out Windows OS workstations do. Has anyone else experienced this behavior? Bug? Workaround? Thoughts (besides get rid of the Macs, LOL!)? Thanks! Mike Thommes List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ ======================================================================== ====== Please access the attached hyperlink for an important electronic communications disclaimer: http://www.csfb.com/legal_terms/disclaimer_external_email.shtml ======================================================================== ====== List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
