Microsoft® Windows® 2000 Scripting Guide
« Previous | Next »
Each computer account has a password that must match a password stored in Active Directory. If the two passwords do not match, Active Directory cannot authenticate the computer. If this occurs, the computer account password must be reset by a system administrator. Resetting the password returns both the password stored on the computer and the password stored in Active Directory to the default value, and enables the computer to be authenticated.
When a computer account is created, the passwords for both the account and the secure channel (a special communication channel used to communicate with a domain controller) are set to
Although these passwords generally match, certain situations can cause them to differ. For example, Active Directory replication problems might cause one of the passwords to be changed but not the other one. Or, a computer might be offline for an extended period of time. During that time, the Active Directory password might have been changed; with the computer offline, however, the local password could not have been changed accordingly. In either case, Active Directory would be unable to authenticate the computer and the user unable to log on to the network. Instead, a user attempting to log on would be presented with the following error message:
The session setup from the computer DomainMember failed to authenticate. The name of the account referenced in the security database is DomainMember$. The following error occurred: Access is denied.
If this occurs, a system administrator must reset the password for the computer account, which can be done using the ADSI IADsUser interface.
Listing 9.9 contains a script that resets a computer account password. To carry out this task, the script must perform the following steps:
Listing 9.9 Resetting a Computer Account Password
|
|
Send us your feedback | « Previous | Next » |