Re: [NTSysADM] Win 7 workstations losing trust

[Susan Bradley]

Malware can be a factor.

Susan Bradley
http://blogs.msmvps.com/bradley

On 10/2/2014 8:34 AM, Kennedy, Jim wrote:

It’s a mystery I have never solved. We see 2 or 3 a month out of 3000. These are not machines that are sitting idle, they are in use a lot.

*From:*listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] *On Behalf Of *David McSpadden

*Sent:* Thursday, October 2, 2014 11:30 AM
*To:* ntsysadm@lists.myitforum.com
*Subject:* RE: [NTSysADM] Win 7 workstations losing trust

Still unsure why my DC where not updating the machine accounts like they should.

I fired them, dcpromo /forceremoval.

Powered off.

Everything I am reading is just telling me how to get my shit back in the Domain nothing about the cause of the disjoin other than it couldn’t get a ticket from the KDC. (Why doesn’t it ask the next DC in the queue?)

I am still having users call and state their workstation is losing a Trust Relationship.

Rebooting 4-5 times seems to ‘fix’ it but what is really broken??

*From:*listsad...@lists.myitforum.com <mailto:listsad...@lists.myitforum.com> [mailto:listsad...@lists.myitforum.com] *On Behalf Of *Kennedy, Jim

*Sent:* Thursday, October 02, 2014 11:24 AM
*To:* ntsysadm@lists.myitforum.com <mailto:ntsysadm@lists.myitforum.com>
*Subject:* RE: [NTSysADM] Win 7 workstations losing trust

I was rather shocked to see such a policy even existed.

*From:*listsad...@lists.myitforum.com <mailto:listsad...@lists.myitforum.com> [mailto:listsad...@lists.myitforum.com] *On Behalf Of *Michael B. Smith

*Sent:* Thursday, October 2, 2014 11:23 AM
*To:* ntsysadm@lists.myitforum.com <mailto:ntsysadm@lists.myitforum.com>
*Subject:* RE: [NTSysADM] Win 7 workstations losing trust

I sure hope that PVS machine accounts are always held in a separate OU and that the GP is targeted to only that OU…

*From:*listsad...@lists.myitforum.com <mailto:listsad...@lists.myitforum.com> [mailto:listsad...@lists.myitforum.com] *On Behalf Of *Webster

*Sent:* Thursday, October 2, 2014 9:43 AM
*To:* ntsysadm@lists.myitforum.com <mailto:ntsysadm@lists.myitforum.com>
*Subject:* RE: [NTSysADM] Win 7 workstations losing trust

That happens with PVS when the group policy to not do machine password changes is not set.

Verify the Group Policy Object (GPO) in the Organization Unit (OU) where the target device is located for the policy *Disable machine account password changes *to be *enabled*. This provides Provisioning Services (PVS) control over the target Active Directory machine account.

Webster

*From:*listsad...@lists.myitforum.com <mailto:listsad...@lists.myitforum.com> [mailto:listsad...@lists.myitforum.com] *On Behalf Of *James Rankin

*Sent:* Thursday, October 02, 2014 9:39 AM
*To:* ntsysadm@lists.myitforum.com <mailto:ntsysadm@lists.myitforum.com>
*Subject:* Re: [NTSysADM] Win 7 workstations losing trust

PVS images sometimes lose their trust relationship because the AD machine account password has expired and it therefore can't contact the domain any more. That's the only time I tend to see it occurring regularly, although there may be many other reasons I am unaware of.

On 2 October 2014 10:55, David McSpadden <dav...@imcu.com <mailto:dav...@imcu.com>> wrote:

Why does this happen?

I get them rejoined but why do they lose their trust relationship in the first place?

Sent from my iPhone

This e-mail and any files transmitted with it are property of Indiana Members Credit Union, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this email is strictly prohibited.

Please consider the environment before printing this email.




--

*James Rankin*
---------------------

RCL - Senior Technical Consultant (ACA, CCA, MCTS) | The Virtualization Practice Analyst - Desktop Virtualization

http://appsensebigot.blogspot.co.uk

This e-mail and any files transmitted with it are property of Indiana Members Credit Union, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this email is strictly prohibited.

Please consider the environment before printing this email.