New content added

Teresa-Motiv 2019-06-21 15:19:55 -07:00
parent c318aed2fc
commit e2ee2e7797

@ -38,8 +38,19 @@ Verify that the **Domain member: Disable machine account password changes** opti
### Best practices ### Best practices
1. Do not enable this policy setting. Machine account passwords are used to establish secure channel communications between members and domain controllers and between the domain controllers within the domain. After it is established, the secure channel transmits sensitive information that is necessary for making authentication and authorization decisions. 1. Do not enable this policy setting. Machine account passwords are used to establish secure channel communications between members and domain controllers and between the domain controllers within the domain. After it is established, the secure channel transmits sensitive information that is necessary for making authentication and authorization decisions.
2. Do not use this policy setting in an attempt to support dual-boot scenarios that use the same machine account. If you want to dual-boot installations that are joined to the same domain, give the two installations different computer names. This policy setting was added to the Windows operating system to make it easier for organizations that stockpile pre-built computers that are put into production months later; those devices do not have to be rejoined to the domain. 2. Do not use this policy setting in an attempt to support dual-boot scenarios that use the same machine account. If you want to dual-boot installations that are joined to the same domain, give the two installations different computer names. This policy setting was added to the Windows operating system to make it easier for organizations that stockpile pre-built computers that are put into production months later; those devices do not have to be rejoined to the domain.
There might be situations where you may think about using the setting, like:
* Non-persistent VDI domain members that are rolled back to the base image after each invocation. An updated password would be lost on roll-back.
* Embedded devices that have write access to the OS volume disabled. So an updated password would not be persisted.
For both situations in case you are using this approach, we would strongly suggest to plan for a password change when using the setting and configure the deployment to retain this updated OS image or, in the embedded scenario, allow the write to the OS volume. To facilitate the update to the machine account password locally, trigger the update using this command:
```
Nltest /sc_change_pwd:<AD domain name>
```
### Location ### Location
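Review bot: The added paragraph beginning "There might be situations where you may think about using the setting" follows a list whose first item says "Do not enable this policy setting", but it is not framed as an exception to that item, so the Best practices section now gives conflicting guidance. Suggest making it an explicit, scoped exception (for example a third numbered item that names the non-persistent VDI and embedded cases as the only ones considered) and stating when `Nltest /sc_change_pwd:<AD domain name>` should be run relative to saving the updated OS image, since "plan for a password change" leaves both the step order and the interval open. Style points on the same lines: add blank lines before the bullet list and before the code fence so they do not render as a continuation of item 2, and reword "we would strongly suggest to plan" to "we strongly recommend that you plan".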