Active Directory Domain member - Computer-Account: Maximum machine account password age

michaelhusar
Contributor II

All Macs are bound to our AD (Windows2012R2) by Casper (9.61)
I see some Mavericks clients losing the ability to contact the AD. Error Message is like "Cannot contact the Domain Controller". Rebinding helps. But what's the cause? I am suspecting the default 30 days Windows policy setting for the maximum allowable age for a computer account password: http://technet.microsoft.com/en-us/library/jj852252(v=ws.10).aspx
Did anyone investigate that further? Or is it irrelevant for OSX?
Thanx a lot!

2 ACCEPTED SOLUTIONS

calumhunter
Valued Contributor

Have a chat to your AD admin. Perhaps they have a policy of removing machines from AD or disabling them if they have not updated their machine password in x days.
Do you have any read only domain controllers?


davidacland
Honored Contributor II

In the past I have set this to 0 on the client side (dsconfigad -passinterval 0) particularly for laptop users who were out of the office (and out of contact from a DC) for extended periods of time.

As Calum says, it is really a question for your AD admin, although I've never heard of anyone changing this value on the Windows server side.

michaelhusar
Contributor II

Thanx a lot. You were both right - awesome! There is a GPO on the Windows-side that did "clean" up. And of course the 14 days set for password interval were too short for the laptop users! Thank you!
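
An added example, not part of the thread and not Jamf or Apple code: a shell check that reads the "Password change interval" line from `dsconfigad -show` and compares it with the AD cleanup window discussed above. `CLEANUP_DAYS`, the function names and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Assumption: CLEANUP_DAYS is the "x days" after which the AD admin's cleanup
# removes or disables computer accounts with an old machine password.
CLEANUP_DAYS=${CLEANUP_DAYS:-30}

# Constructed sample of `dsconfigad -show` output, used when the tool is absent.
sample_show() {
cat <<'EOF'
Active Directory Domain          = corp.example.com
Computer Account                 = mac-lab-01$
Advanced Options - Administrative
  Packet signing                 = allow
  Password change interval       = 14
EOF
}

# Read `dsconfigad -show` output on stdin, print the interval in days.
pass_interval() {
    awk -F'=' '/Password change interval/ {gsub(/[[:space:]]/, "", $2); print $2; exit}'
}

# classify_interval INTERVAL CLEANUP_DAYS
#   rotation-disabled      : 0, the Mac never changes its machine password, so
#                            the password age in AD keeps growing
#   exceeds-cleanup-window : rotation is slower than the cleanup threshold
#   ok                     : rotation fits inside the window while a DC is reachable
#   unknown                : no interval found (for example, the Mac is not bound)
classify_interval() {
    case $1 in
        ''|*[!0-9]*) echo "unknown"; return 0 ;;
    esac
    if [ "$1" -eq 0 ]; then
        echo "rotation-disabled"
    elif [ "$1" -ge "$2" ]; then
        echo "exceeds-cleanup-window"
    else
        echo "ok"
    fi
}

if command -v dsconfigad >/dev/null 2>&1; then
    days=$(dsconfigad -show | pass_interval)
else
    days=$(sample_show | pass_interval)
fi
echo "interval=${days:-none} cleanup=$CLEANUP_DAYS status=$(classify_interval "$days" "$CLEANUP_DAYS")"
```

An "ok" result only covers Macs that can reach a domain controller; a laptop that stays off the network longer than the cleanup window still ages past it.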