Windows 2003 and newer will regularly change their AD computer account password. This can be troublesome if you ever have to restore a server from backup, since the computer password stored on the restored server can be out of sync with the one held in Active Directory and prevent the server from logging into the domain. While there are ways to fix it after the fact, the only foolproof way to do it is removing the server from the domain and adding it back in, something which can cause all sorts of other problems.
Personally, unless there is a compelling security reason not to, I disable computer password changes on my servers. It can keep a stressful situation (restoring a server) from becoming even more stressful. To do so, open the registry, navigate to the key below, and set DisablePasswordChange to 1:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
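The same change scripted in PowerShell, as an added example that is not part of the original post: it reads the current value, writes the DWORD, confirms the write took effect, and then checks that the server's secure channel with the domain is still healthy. It assumes Windows PowerShell 5.1 running elevated on the domain member itself; the function names are my own.

```powershell
# Added example (not from the original post): toggle the Netlogon
# DisablePasswordChange value and verify the machine's secure channel.
# Assumes an elevated Windows PowerShell 5.1 prompt on the domain member.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-MachinePasswordChangeState {
    # Returns the current DWORD: 0 = changes enabled (default), 1 = disabled.
    # A missing value means the default behaviour, so report it as 0.
    $item = Get-ItemProperty -Path $NetlogonKey -Name DisablePasswordChange -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.DisablePasswordChange
}

function Set-MachinePasswordChangeState {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    $before = Get-MachinePasswordChangeState
    # -Type DWord matters: Netlogon ignores the value if it is written as a string.
    Set-ItemProperty -Path $NetlogonKey -Name DisablePasswordChange -Value $Value -Type DWord
    $after = Get-MachinePasswordChangeState
    Write-Host "DisablePasswordChange: $before -> $after"
    if ($after -ne $Value) { throw "Registry write did not take effect" }
}

# Stop the server from initiating scheduled password changes (the post's
# recommendation), then confirm the existing trust with the domain still works.
Set-MachinePasswordChangeState -Value 1
if (Test-ComputerSecureChannel) {
    Write-Host "Secure channel to the domain is healthy."
} else {
    # If the channel is already broken (e.g. after a restore), a repair can be
    # attempted before falling back to removing and re-adding the server:
    Write-Warning "Secure channel is broken; try: Test-ComputerSecureChannel -Repair -Credential (Get-Credential)"
}
```

Setting the value to 1 only stops this server from initiating changes; to re-enable the default behaviour later, call `Set-MachinePasswordChangeState -Value 0`.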