Active Directory Domain member - Computer-Account: Maximum machine account password age

michaelhusar
Contributor II

All Macs are bound to our AD (Windows2012R2) by Casper (9.61)
I see some Mavericks clients loosing the ability to contact the AD. Error Message is like "Cannot contact the Domain Controller". Rebinding helps. But what's the cause? I am suspecting the default 30 days windows policy setting for the maximum allowable age for a computer account password: http://technet.microsoft.com/en-us/library/jj852252(v=ws.10).aspx
Did anyone investigate that further? Or is it irrelevant for OSX ?
Thanx a lot!

2 ACCEPTED SOLUTIONS

calumhunter
Valued Contributor

Have a chat to your AD admin. Perhaps they have a policy of removing machines from AD or disabling them if they have not updated their machine password in x days.
Do you have any read only domain controllers?

View solution in original post

davidacland
Honored Contributor II

In the past I have set this to 0 on the client side (dsconfigad -passinterval 0) particularly for laptop users who were out of the office (and out of contact from a DC) for extended periods of time.

As Calum says, it is really a question for your AD admin, although I've never heard of anyone changing this value on the Windows server side.

View solution in original post

3 REPLIES 3

calumhunter
Valued Contributor

Have a chat to your AD admin. Perhaps they have a policy of removing machines from AD or disabling them if they have not updated their machine password in x days.
Do you have any read only domain controllers?

davidacland
Honored Contributor II

In the past I have set this to 0 on the client side (dsconfigad -passinterval 0) particularly for laptop users who were out of the office (and out of contact from a DC) for extended periods of time.

As Calum says, it is really a question for your AD admin, although I've never heard of anyone changing this value on the Windows server side.

michaelhusar
Contributor II

Thanx a lot. You were both right - awesome! There is a GPO on the Windows-side that did "clean" up. And of course the 14 days set for password interval were to short for the laptop users! Thank you!