VMware Horizon View – Maximum machine account password age

Have you ever had situation where you get the message “the trust relationship between this workstation and the primary domain failed” when you try to logon to a Windows machine?

[Screenshot: trust_relationship_failed]

This situation happens when there is a “password mismatch”. Passwords are typically thought of as something belonging to a user account, but in Active Directory environments each computer account also has its own password, which by default is configured to change every 30 days.

The problem can be fixed in one of the following ways:

  • Re-establish the trust relationship between Active Directory and the workstation by rejoining the computer to the domain.
  • Reset the computer account in Active Directory.
  • Change the computer's machine account password using netdom:
    • netdom resetpwd /s:fqdn_AD_server /ud:domain\user /pd:*
  • Change the computer's machine account password with a PowerShell command:
    • Reset-ComputerMachinePassword -Credential domain\user -Server fqdn_AD_server
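The repair options above can be combined into one script that first checks whether the secure channel is actually broken and only then resets the machine account password in place, which is less disruptive than a full domain rejoin. This is an added example, not code from the original post; the domain controller name, the credential prompt and the function name are assumptions, and it must be run from an elevated PowerShell session on the affected workstation.

```powershell
# Added example (not from the original post): test the workstation's secure channel
# to the domain and, only if it is broken, repair it in place instead of rejoining.
# Run in an elevated PowerShell session on the affected machine.
# 'dc01.example.local', the credential prompt and the function name are placeholders.

function Repair-MachineTrust {
    param(
        [string]$Server = 'dc01.example.local',  # placeholder: FQDN of a writable DC
        [switch]$Fix                             # without -Fix the function only reports
    )

    # Read-only check first: this is the same trust the logon screen complains
    # about with "the trust relationship ... failed".
    $healthy = Test-ComputerSecureChannel -Server $Server
    if ($healthy) {
        Write-Output "Secure channel to $Server is healthy; nothing to do."
        return $true
    }

    Write-Warning "Secure channel to $Server is broken (machine account password mismatch)."
    if (-not $Fix) { return $false }

    # Repairing needs an account that is allowed to reset this computer object in AD.
    $cred = Get-Credential -Message 'Account allowed to reset this computer object'

    # Option 1: repair the existing secure channel. This resets the machine account
    # password on both sides without removing the computer from the domain.
    if (Test-ComputerSecureChannel -Repair -Server $Server -Credential $cred) {
        Write-Output 'Secure channel repaired.'
        return $true
    }

    # Option 2: force a new machine account password (the Reset-ComputerMachinePassword
    # step listed above) and re-test the channel.
    Reset-ComputerMachinePassword -Server $Server -Credential $cred
    return (Test-ComputerSecureChannel -Server $Server)
}

# Report only; add -Fix to actually repair.
Repair-MachineTrust -Server 'dc01.example.local'
```

Running the function without -Fix is safe to do at any time, so it can be used as a first diagnostic before deciding between an in-place repair and a rejoin.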

It is good to know how to fix the problem, but it is even better to know how to avoid it. You can avoid it by doing one of the following:

  • Changing the default 30-day password change interval within Active Directory by changing the value of the group policy “Domain member: Maximum machine account password age”.
  • Disabling the password change within Active Directory by enabling the group policy “Domain member: Disable machine account password change”.

Be aware, however, that increasing this default 30-day interval significantly, setting it to 0 so that the computers no longer change their passwords, or disabling the password change altogether gives a malicious user more time to undertake a brute-force password-guessing attack against one of the computer accounts.

Therefore, I suggest changing this Group Policy setting not in the default Group Policy object, but only in the Group Policy object that applies to your VMware Horizon linked-clone VMs and to the golden templates you use to construct those linked clones.

The policy setting is located at GPO_name\Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
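Because the two security options above widen the window for guessing a machine account password, it is worth verifying what a linked clone is actually applying and how old the computer account passwords in that OU really are. The following added example (not from the original post or from VMware) reads the Netlogon registry values the two policies write, then lists computer accounts in a placeholder OU whose password in AD is older than the effective interval; the OU path is an assumption, and Get-ADComputer requires the RSAT ActiveDirectory module.

```powershell
# Added example (not from the original post): show which machine password rotation
# settings are in effect on this VM and flag computer accounts in the linked-clone OU
# whose password is much older than the policy allows.
# The OU path is a placeholder; Get-ADComputer needs the RSAT ActiveDirectory module.

# 1. Effective local values written by the two "Domain member" security options.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$params   = Get-ItemProperty -Path $netlogon

# MaximumPasswordAge is in days; when the value is absent Windows uses the default of 30.
$maxAgeDays     = if ($null -ne $params.MaximumPasswordAge) { [int]$params.MaximumPasswordAge } else { 30 }
$changeDisabled = ([int]$params.DisablePasswordChange -eq 1)

"Maximum machine account password age     : $maxAgeDays days"
"Machine account password change disabled : $changeDisabled"

# 2. Compare with what AD has recorded for the computer accounts in the OU.
# An account far older than $maxAgeDays is either a VM that has been powered off
# (or reverted to a snapshot) or one where rotation was disabled; both deserve a look.
Import-Module ActiveDirectory
$ou     = 'OU=Horizon-LinkedClones,DC=example,DC=local'   # placeholder OU
$cutoff = (Get-Date).AddDays(-1 * ($maxAgeDays * 2))     # grace period: twice the policy age

Get-ADComputer -SearchBase $ou -Filter * -Properties PasswordLastSet |
    Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff } |
    Select-Object Name, PasswordLastSet,
        @{ Name = 'AgeDays'; Expression = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } } |
    Sort-Object AgeDays -Descending
```

Running the first part on a golden template before it is used for linked clones confirms that the policy scoped to that OU, and not the default policy, is the one taking effect; the second part gives a simple recurring check for accounts whose password is no longer rotating at all.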

[Screenshot: gpo_domain_password]


References:

VMware KB 2084433

Microsoft KB 162797
