Disabling automatic password change for nonpersistent desktops
Article ID: CTX231620
Description
Computers use their machine account password for authentication with Active Directory. By default, computers are configured to change their machine account passwords every 30 days. This setting affects nonpersistent desktops in the following ways:
- When you deploy the nonpersistent desktop, the pristine snapshot of the desktop contains the original password.
- After 30 days, the machine account password automatically changes.
- Active Directory accepts the new password for authentication.
- When you restart the nonpersistent desktop, it reverts to the pristine snapshot which contains the original password.
- Authentication with Active Directory fails because the pristine snapshot does not contain the new machine account password.
If a problem occurs that is related to the password change, users are likely to see an error message similar to the following one when they try to log in to the desktop:
The trust relationship between this workstation and the primary domain failed
Instructions
Avoiding issues related to the machine account password change
To avoid this issue, disable the automatic password change, as follows:
- On the Operating System layer that you plan to use for nonpersistent desktops, open the Registry editor.
- Navigate to the following key:
  HKLM\System\CurrentControlSet\services\Netlogon\Parameters
- Change the value of DisablePasswordChange to 1.
- Assign this Operating System layer to the nonpersistent desktops.
Note that App Layering puts this key into the registry during image creation.
If you still see the trust relationship error, check whether a GPO is overriding the registry setting.
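The registry check described above can be scripted. The following PowerShell is an added example, not Citrix's own tooling: it reads DisablePasswordChange and reports whether it is 1. The `-Fix` switch and the `Get-NetlogonValue` helper are names assumed for this example. It also assumes that the "30 days" default corresponds to the MaximumPasswordAge value in the same key.

```powershell
# Added example: audit (and optionally set) the Netlogon value from this article.
# Run from an elevated PowerShell session. Use -Fix on the Operating System layer;
# run without it on a deployed desktop to see what value is actually in effect.
param(
    [switch]$Fix   # hypothetical switch for this example: write the value if it is not 1
)

$key  = 'HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters'
$name = 'DisablePasswordChange'

function Get-NetlogonValue {
    param([string]$ValueName)
    # Return $null when the value is absent instead of throwing.
    $item = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

$current = Get-NetlogonValue -ValueName $name
$maxAge  = Get-NetlogonValue -ValueName 'MaximumPasswordAge'

# Show both values so a non-default password age is visible next to the switch itself.
[pscustomobject]@{
    DisablePasswordChange = if ($null -eq $current) { '(not set)' } else { $current }
    MaximumPasswordAge    = if ($null -eq $maxAge)  { '(not set)' } else { $maxAge }
} | Format-List

if ($current -eq 1) {
    Write-Output 'OK: automatic machine account password change is disabled.'
}
elseif ($Fix) {
    # REG_DWORD 1 disables the periodic machine account password change.
    Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord
    Write-Output "Set $name to 1 (was: $current)."
}
else {
    Write-Warning "$name is not 1; the desktop will still change its machine account password."
    # The security policy 'Domain member: Disable machine account password changes'
    # writes this same value, so a GPO that sets it to Disabled puts 0 back here.
    Write-Output 'List the GPOs applied to this computer with: gpresult /scope computer /r'
}
```

If the value is 1 on the layer but not on a deployed desktop after policy has applied, a GPO is the likely source of the override.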