Computer Account Administration

By ServerWatch Staff (Send Email)
Posted Jun 6, 2001

by Marcin Policht

Marcin Policht's latest article presents different ways of managing secure channel communication between domain members and domain controllers. An added bonus in the article is a script that automates the deletion of inactive computer accounts.

Even though computer accounts are treated similarly to user accounts, there are several significant differences. When a computer becomes a member of a domain, its name is registered with the primary domain controller with a trailing "$". This name also becomes its initial password. Based on this password, Windows establishes a "secure channel", used for encrypting communication between a domain member and domain controllers. This password is reset (typically within 10 minutes) by the Netlogon service, which from that point on changes it, by default, every 7 days. Netlogon also maintains the passwords used for verifying trust relationships between two NT domains (although in this case the initial password is chosen by the administrators who set up the trust). This process, however, does not apply to primary and backup domain controllers: their passwords do not change once they are installed in the domain.

Password changes cause additional replication traffic and might create problems in environments where machines tend to be off the network for longer than 7 days. Replicating password changes of domain members between domain controllers is fairly important, since the machine account password is checked against whichever domain controller responds first. If the password differs from the one stored locally on that domain controller, the workstation is denied access to the domain. In Windows 2000, this behavior is changed to match the process of password verification for user accounts: on a password failure, the authenticating domain controller always verifies its local account information against the PDC emulator.

A workstation might also lose its domain membership status if:
- the proper procedure has not been followed when changing the workstation name. The workstation should be removed from the domain, its name should be changed, and after a reboot the workstation should be added back to the domain. This last step must also be followed by a reboot,
- the reboot of the computer after switching from one domain to another did not take place within 10 minutes. If the machine has not been restarted by then, the Netlogon service resets the password for the secure channel with the old domain,
- the machine went through a recovery process using the Emergency Repair Disk that involved a SAM restore, and the restored information was outdated,
- the machine account was removed from the SAM database on the primary domain controller.

One of the options you have in order to eliminate these problems is disabling computer account password changes. This is done by setting the REG_DWORD registry value RefusePasswordChange to 1 under the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

on all of the domain controllers in the domain. The procedure should be applied first to all the backup domain controllers and finally to the one serving as the primary. A side benefit of this change is the ability to set up a dual-boot machine with each installation using the same domain machine account.

If you consider disabling machine account password changes too drastic, you have a couple of other recourses. The procedure for testing and resetting the secure channel depends on whether you operate in a Windows NT or a Windows 2000 environment.

In a Windows NT 4.0 environment, you can use:

- NLTEST.EXE, provided with the original release of the Windows NT 4.0 Resource Kit, to verify trust relationships. The tool can test both trust relationships (between trusted and trusting domains, between domain controllers, and between domain members and domain controllers) and secure channels. The options offered by NLTEST are described in the TechNet article Q158148.

- NETDOM.EXE, Windows NT 4.0 version, provided with Windows NT 4.0 Resource Kit Supplements 2 and 3 and hotfixed to version 1.8 (after version 1.7 was broken by Windows NT Service Pack 4). The Windows 2000 version of NETDOM does not work with Windows NT 4.0 systems. Using the /JOINDOMAIN option resets the secure channel and revalidates the machine account.

- a script written in VBScript (or JScript) using the WinNT ADSI provider. The script takes advantage of the fact that the initial computer password is identical to its account name as registered with the primary domain controller (the computer name with the "$" suffix):

' Reset the secure channel password of an NT 4.0 machine account through the
' WinNT ADSI provider: the password is set back to the account name with the
' "$" suffix, which is the value a freshly joined computer starts with.
Dim objComputer
Dim strDomain
Dim strComputer

strDomain = "MyDomain"
strComputer = "MyComputer"

' The machine account is bound as WinNT://Domain/Computer$
Set objComputer = GetObject("WinNT://" & strDomain & "/" & strComputer & "$")
objComputer.SetPassword strComputer & "$"

If you operate in a Windows 2000 environment, you can follow the procedures described in the TechNet article Q216393. In short, it can be done using one of the following approaches:

- with the Windows 2000 version of NLTEST.EXE (included on the Windows 2000 installation CD in the Support\Tools\ folder), you can verify the secure channel between a domain member and a domain controller with its /SC_QUERY option.

- the Windows 2000 version of NETDOM.EXE (stored in the same location as NLTEST.EXE) offers the RESET option, which resets the secure channel when run on either a domain member or a domain controller.

- Active Directory Users and Computers has a context-sensitive "Reset Account" option on computer objects.

- You can also use a script written in VBScript (or JScript) with the LDAP ADSI provider. Just as before, the script takes advantage of the fact that the initial computer password is identical to its account name as registered with the primary domain controller (the computer name with the "$" suffix):

' Reset the secure channel password of a Windows 2000 machine account through
' the LDAP ADSI provider. The distinguished name must point at the container
' that actually holds the account; a freshly joined computer lands in the
' default Computers container, so that is what is used here.
Dim objComputer
Dim strDomain
Dim strComputer

strDomain = "MyDomain"
strComputer = "MyComputer"

' No spaces around "=" or "," in the distinguished name; adjust the dc= components
' to your domain's DNS name and the container to where the account lives.
Set objComputer = GetObject("LDAP://cn=" & strComputer & ",cn=Computers,dc=" & strDomain & ",dc=com")
objComputer.SetPassword strComputer & "$"

Another fairly common problem relating to computer accounts is that they are difficult to keep track of. Unlike user accounts, they typically remain in the SAM database of domain controllers long after their original owners are reinstalled or cease to exist. Microsoft Knowledge Base article Q197478 describes a procedure for detecting and removing inactive machine accounts using several batch files and the NETDOM utility. The same goal can be accomplished by scripting with ADSI.

The script presented next first retrieves the collection of all user and computer accounts registered in the SAM database of a domain controller, then filters out the computer accounts and deletes the ones whose PasswordAge property exceeds whatever value is deemed acceptable (for example 90 days; the property is expressed in seconds, so the threshold must be converted). One very important factor to keep in mind is that the passwords of domain controllers are not reset on a regular basis, so they are likely to satisfy the deletion criteria. The following script reads their names from a file (C:\Temp\DCList.txt) and excludes them from the list of machine accounts to delete from the domain.

Const ForReading = 1
Const ForWriting = 2

Dim objFSO, objCompFile, objDCFile, objDomain, objComp, objNTComp
Dim strCompFile, strDCFile
Dim strDomain, strDCList
Dim intSecInADay, intAccountAge

strCompFile = "C:\Temp\InactivePCs.txt"   ' report of the accounts selected for deletion
strDCFile = "C:\Temp\DCList.txt"          ' domain controller names, one per line, to exclude
strDomain = "MyDomain"

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objCompFile = objFSO.OpenTextFile(strCompFile, ForWriting, TRUE)
Set objDCFile = objFSO.OpenTextFile(strDCFile, ForReading)
Set objDomain = GetObject("WinNT://" & strDomain)
objDomain.Filter = Array("Computer")       ' enumerate computer accounts only
strDCList = objDCFile.ReadAll()
intSecInADay = 60 * 60 * 24                ' PasswordAge is reported in seconds
intAccountAge = 90                         ' maximum acceptable password age in days

For Each objComp In objDomain
    ' Bind to the machine account itself (name with the "$" suffix) to read PasswordAge
    Set objNTComp = GetObject("WinNT://" & strDomain & "/" & objComp.Name & "$")
    If (objNTComp.PasswordAge > intSecInADay * intAccountAge) Then
        ' Skip any name that appears in the domain controller list
        If InStr(1, strDCList, objComp.Name, vbTextCompare) = 0 Then
            ' Remove the leading quote on the next line only after reviewing the report
            'Call objDomain.Delete("Computer", objComp.Name)
            objCompFile.WriteLine objNTComp.Name & "-- computer account has been deleted"
        End If
    End If
Next

objCompFile.Close
objDCFile.Close

Make sure that you run it first with the call to the Delete method remmed out (as it appears in this sample script). Take a look at the listing generated in the file C:\Temp\InactivePCs.txt. Once you have confirmed that the accounts to be deleted do not include any active machines, you can run the script again, this time with the leading quote removed.
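The selection logic of the script above, modelled offline in Python as an added example (this is not the article's script and does not talk to a domain): it takes constructed account records in place of the WinNT enumeration, converts the day threshold to seconds as PasswordAge requires, excludes domain controllers by exact name, and returns the report lines so a dry run can be inspected before anything is deleted. The account names, password ages, DC list contents and the deleter callback are all hypothetical.

```python
# Added example (not the article's VBScript): an offline model of the
# stale-computer-account selection, run over constructed account records.
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Set

SEC_IN_A_DAY = 60 * 60 * 24          # PasswordAge is reported in seconds


@dataclass(frozen=True)
class ComputerAccount:
    name: str           # account name without the trailing "$"
    password_age: int   # seconds since the machine password was last changed


# Constructed sample data (hypothetical names and ages, not from the article).
SAMPLE_DC_LIST = "DC10\r\nDC20\r\n"   # contents of the DC exclusion file
SAMPLE_ACCOUNTS = [
    ComputerAccount("WS-OLD", 100 * SEC_IN_A_DAY),   # stale workstation
    ComputerAccount("WS-NEW", 3 * SEC_IN_A_DAY),     # recently rotated, keep
    ComputerAccount("DC10", 400 * SEC_IN_A_DAY),     # domain controller, never rotates
    ComputerAccount("DC1", 200 * SEC_IN_A_DAY),      # stale workstation whose name is a prefix of a DC name
    ComputerAccount("EDGE", 90 * SEC_IN_A_DAY),      # exactly at the threshold, keep (strict >)
]


def load_dc_names(text: str) -> Set[str]:
    """One DC name per line, case-insensitive, blank lines ignored."""
    return {line.strip().upper() for line in text.splitlines() if line.strip()}


def select_stale(accounts: Iterable[ComputerAccount], dc_names: Set[str],
                 max_age_days: int = 90) -> List[ComputerAccount]:
    """Accounts older than the threshold that are not in the DC list (exact name match)."""
    threshold = SEC_IN_A_DAY * max_age_days
    return [a for a in accounts
            if a.password_age > threshold and a.name.upper() not in dc_names]


def select_stale_substring(accounts: Iterable[ComputerAccount], dc_list_text: str,
                           max_age_days: int = 90) -> List[ComputerAccount]:
    """Same selection with an InStr-style substring test against the raw file text.
    Included only to make the failure mode visible: a stale name that occurs
    inside a DC name (DC1 inside DC10) is never selected for cleanup."""
    threshold = SEC_IN_A_DAY * max_age_days
    return [a for a in accounts
            if a.password_age > threshold and a.name.upper() not in dc_list_text.upper()]


def run(accounts: Iterable[ComputerAccount], dc_list_text: str, max_age_days: int = 90,
        delete: bool = False,
        deleter: Optional[Callable[[str], None]] = None) -> List[str]:
    """Dry run by default: return the report lines without touching anything.
    With delete=True, call deleter(name) (hypothetical; stands in for the
    directory delete) for each selected account before reporting it."""
    report = []
    for acct in select_stale(accounts, load_dc_names(dc_list_text), max_age_days):
        if delete and deleter is not None:
            deleter(acct.name)
        verb = "deleted" if delete else "would be deleted"
        report.append(f"{acct.name}$ -- computer account {verb}")
    return report


if __name__ == "__main__":
    for line in run(SAMPLE_ACCOUNTS, SAMPLE_DC_LIST):
        print(line)
```

On the sample data the exact-match selection picks WS-OLD and DC1 and leaves DC10 (a listed domain controller), WS-NEW and EDGE alone; the substring variant silently skips DC1 as well because "DC1" occurs inside "DC10" in the file. Review the dry-run report, then call run with delete=True and a real deleter.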
