As far as the pwdlastset on the machine account in the domain this is
all handled and enforced on the client side.  Even in Windows, though it
is not recommended, you can disable the client from changing its machine
account password and there is nothing on the DC side that cares how
stale that password is since machine accounts are treated special and do
not follow under the rules of password expiration like user accounts do.
With that said can you give us the exact text of the 675 error you are
seeing as it could simply be that you are not doing Kerberos pre-auth or
a host of other things?

Thanks,

-Steve

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, July 22, 2005 2:54 AM
To: '[email protected]'
Subject: RE: [ActiveDir] OT: Macintoshes in AD not updating account
passwo rd

Your spell checker changed "too" to "to" as well :)


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: 21 July 2005 18:31
To: [email protected]
Subject: RE: [ActiveDir] OT: Macintoshes in AD not updating account
password


BTW.. My spell check changed HIPAA to HIPPO, my apologies for not
catching that I hope I do not sound to illiterate.

Jose

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Medeiros, Jose
Sent: Thursday, July 21, 2005 10:19 AM
To: [email protected]
Subject: RE: [ActiveDir] OT: Macintoshes in AD not updating account
password


Hi Thomas, 

I like MAC's and Windows and Linux, I am not a bigot. However I have not
had an opportunity to join MAC OS 10.4 to Active Directory yet. I have
joined 10.2 and 10.3, and used a product called Admit Mac by Thurbsy
software http://www.thursby.com/. I did not experience the errors that
you are seeing. A word of advice, I am not sure if Tiger yet supports
NTLMv2 and SMB signing ( Admit Mac does ) and if you decide to raise
your Active Directory Domain level to 2003 Native you may break your
Mac's SMB connectivity.

Since you seem to be using government email address I am sure that your
superiors would want to use the highest level domain security as
possible to meet the new Sarbanes-Oxley  and or HIPAA law requirements,
just keep in mind that your password authentication is probably still
using LAN Manager based authentication.

Have a great day

Jose Medeiros
Former Vice President and Postmaster NTEA
MCP+I, MCSE, NT4 MCT
www.ntea.net
www.tvnug.org
www.sfntug.org

" Why can't we all just get along? " :-)

------------------------------------------------------------------------
------


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Thommes, Michael
M.
Sent: Thursday, July 21, 2005 9:15 AM
To: [email protected]
Subject: [ActiveDir] OT: Macintoshes in AD not updating account password


We have been joining MacIntosh computers running the Tiger OS to Active
Directory.  One problem that I see is that these computers generate a
Security Log Eventid 675 Account Authentication failure record on the
domain controllers.  Some research shows that the "pwdLastSet" attribute
value for the computer account is the date they were first joined to AD.
They don't seem to be renewing their computer account password at either
the 7 day (NT) or 30 day (W2K, WXP) timeframes like out Windows OS
workstations do.

Has anyone else experienced this behavior?  Bug?  Workaround?  Thoughts
(besides get rid of the Macs, LOL!)?  Thanks!

Mike Thommes
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

========================================================================
======
Please access the attached hyperlink for an important electronic
communications disclaimer: 

http://www.csfb.com/legal_terms/disclaimer_external_email.shtml

========================================================================
======

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Reply via email to