“Disable machine account password changes” Group Policy setting - when should it be enabled?

I am setting up a test environment on Amazon Web Services comprising 2 web servers, 1 database server and 1 domain controller. All of them are Windows Server 2012 and joined to the domain. Occasionally, the member servers have been randomly throwing the error "the trust relationship between this workstation and the primary domain failed". I am able to fix this problem by doing a local login on the offending computer and then executing the PowerShell command Reset-ComputerMachinePassword. No problems after that.

However, I am wondering if the root cause of the problem is because the Group Policy setting "disable machine account password changes" is currently disabled and therefore is forcing me to manually reset the machine password.

Should I enable this policy and what would be the consequences if I were to enable this policy?

The "Maximum machine account password age" setting has a value 30 days.


Solution 1:

The disable machine account password changes setting should almost never be enabled. It determines whether a domain computer periodically changes its computer account password, based on the maximum machine password age setting.

The Microsoft description of this setting from the linked Technet documentation:

The Domain member: Disable machine account password changes policy setting determines whether a domain member periodically changes its computer account password. Setting its value to Enabled prevents the domain member from changing the computer account password. Setting it to Disabled allows the domain member to change the computer account password as specified by the value of the Domain member: Maximum machine account password age policy setting, which is every 30 days by default.

The default configuration for computers running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. Disabling this feature causes computers that are running these operating systems to retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk of a malicious user determining the password for the system's domain account.

The Microsoft best practices for this setting from the linked Technet documentation:

  1. Do not enable this policy setting. Computer account passwords are used to establish secure channel communications between members and domain controllers and between the domain controllers within the domain. After it is established, the secure channel transmits sensitive information that is necessary for making authentication and authorization decisions.

  2. Do not use this policy setting in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot installations that are joined to the same domain, give the two installations different computer names. This policy setting was added to the Windows operating system to make it easier for organizations that stockpile prebuilt computers that are put into production months later; those computers do not have to be rejoined to the domain.

As stated, this setting was created to allow organizations to prebuild machines and put them into production after the maximum machine account password age, without resulting in the failed trust relationship error you're getting.

That particular error is generated because the machine account password on the domain controller does not match the machine account password that the machine has stored locally, or because the machine account password has exceeded the maximum age setting, which means it is expired.

Generally, the machine account password expiring is caused when the machine throwing the error and the domain controller are unable to communicate within the maximum machine account password age time, or are unable to do so securely. The machine account password mismatch happens if, for example, you join a 2nd computer to a domain with an existing name - the machine account gets overwritten, and a new machine account password is created, so the 1st computer no longer has the proper machine account password to authenticate.

In your specific case, my first suspicion would be that a firewall is blocking the Active Directory traffic between the domain controller and the computer that keeps generating this error, specifically the traffic where the domain controller and the machine synchronize the password when a new one is generated. It's also a distinct possibility that the machine is throwing errors when trying to create that secure communication channel, or even that it's erroring out when trying to automatically update its machine account password. In any case, you should be able to determine what the problem is by looking at the event logs on this machine and the domain controller. You're looking for errors establishing connections between the two servers, and for any errors thrown by any of the security subsystems on either machine to pinpoint the exact cause of this problem.
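The checks the answer recommends, as an added diagnostic script that is not part of the original answer: it reads the two Netlogon policy values locally, compares the machine account's pwdLastSet on the domain controller against the maximum age, tests the secure channel, and lists recent Netlogon errors. It assumes it runs in an elevated PowerShell prompt on the affected member server with a reachable domain controller and uses only built-in cmdlets and an ADSI search, so no RSAT module is needed.

```powershell
# Added example, not from the original answer. Run on the member server that throws the trust error.
$ErrorActionPreference = 'Stop'

# 1. The two policy settings discussed above, as Netlogon stores them in the local registry.
$nl      = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$disable = [int]($nl.DisablePasswordChange)                                     # 1 = changes disabled (not recommended)
$maxAge  = if ($nl.MaximumPasswordAge) { [int]$nl.MaximumPasswordAge } else { 30 }  # days; 30 is the default
"DisablePasswordChange = $disable (expected 0)"
"MaximumPasswordAge    = $maxAge days"

# 2. When the domain controller last recorded a password change for this computer account.
#    pwdLastSet is a FILETIME; the account name is the hostname plus a trailing '$'.
$searcher = [ADSISearcher]"(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$acct     = $searcher.FindOne()
if ($acct) {
    $lastSet = [DateTime]::FromFileTime($acct.Properties['pwdlastset'][0])
    $ageDays = [int]((Get-Date) - $lastSet).TotalDays
    "Machine password last set on DC: $lastSet ($ageDays days ago)"
    if ($ageDays -gt $maxAge) {
        "WARNING: older than MaximumPasswordAge; the periodic change is not reaching the DC"
    }
} else {
    # A missing account is consistent with the 'overwritten by a second join' case in the answer.
    "WARNING: no computer account named $env:COMPUTERNAME found in the domain"
}

# 3. Is the secure channel to a domain controller healthy right now?
if (Test-ComputerSecureChannel) {
    "Secure channel: OK"
} else {
    "Secure channel: BROKEN (Reset-ComputerMachinePassword repairs it, but find the cause below first)"
}

# 4. Netlogon errors and warnings from the last 30 days in the System log, for example
#    5719 (no domain controller reachable) or 3210 (could not authenticate to the DC).
$filter = @{ LogName = 'System'; ProviderName = 'NETLOGON'; Level = 2, 3; StartTime = (Get-Date).AddDays(-30) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if ($events) {
    $events |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
        Format-Table -AutoSize
} else {
    "No Netlogon errors or warnings in the last 30 days"
}
```

Run the same event-log query on the domain controller as well, since a blocked port shows up on both sides and the DC's Netlogon entries name the client that failed to authenticate.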