Summary
In some cases workstations running Deep Freeze may lose connection to the domain and be unable to logon until re-joined to the domain.
Background
When computers are configured to use Active Directory a computer account and password are created in the Active Directory database that allow that workstation to communicate securely with the domain. This computer account will by default have its password updated on a periodic basis depending on how the users have configured the domain. In the case of a computer running Deep Freeze changes to this password cannot be retained on the local machine and after a reboot the computer may not be able to authenticate against the domain. This will commonly show up as an error that the Trust Relationship between the domain controller and the workstation has failed.
Solutions
There are two approaches to this issue,
Allow Deep Freeze to manage password changes.
Deep Freeze 7.6 and higher have provisions to manage the changes to the secure channel passwords on the workstations. The software will suppress the password changes on the workstation side until the workstation enters a thawed state, once the computer is thawed the password will be changed and cached on the local workstation.
This feature will require that workstations be thawed on a periodic basis to ensure that the changes can be retained across future reboots. This can be done as part of the normal scheduled update cycle for Windows updates or other 3rd party product updates and will happen in the background provided that the option to manage secure channel password updates is selected.
This option is found in the Configuration Administrator on the Advanced Options tab as “Manage Secure Channel Password” and is enabled by default.’
Please Note: This setting may not be effective if you have a policy on your domain controller that forces the passwords to expire after a set period of time. If this is the case machines must be thawed frequently enough to ensure that passwords can update before they become invalid.
Disable the machine account password changes.
It is possible to configure the domain controllers and the workstations to not change the passwords on the machine accounts. As the password changes can be called for on both the domain controller or the client these settings will have to be changed on both the client computers and the domain controller.
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Name: RefusePasswordChange
Type: REG_DWORD
Value: 1
You can also extend the number of days between changes by applying to domain controllers and workstations.
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Name: MaximumPasswordAge
Type: REG_DWORD
Value: #days up to 1,000,000
These can also be configured in the group policy editor (local or domain) under;
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
- Domain member: Disable machine account password changes
- Domain Member: Maximum age for machine account password
While these settings may resolve the issues with workstations falling off the domain they will effectively make the workstations account passwords static. This approach is not recommended if the machine accounts in Active Directory are being used to assign rights to network resources or to restrict access to systems as this may allow a malicious user to impersonate a workstation on the network to gain access to those resources.
OSX Workstations
Workstations running OSX that are configured to authenticate against Active Directory can experience the same type of issue. To resolve this issue the OSX workstations will need to be configured to not update the secure channel password. The process for changing this setting is below:
1) If the client is not bound to Active Directory, bind it before continuing.
2) Log into the client Mac as an administrator.
3) Open Terminal (located in /Applications/Utilities).
4) Execute the following command to require a password change after X days (where X is the number of days, such as 30):
5) Enter your administrator password to confirm the change.
6) Bind the client to Active Directory.
Taken from: http://support.apple.com/kb/HT3422