Changing password in domain controller

ljCharlie:

Is it possible for a forest domain controller to change a child or a tree domain controller's password? Here's the situation: our Windows NT 4.0 server is a child or a tree domain controller of the campus primary domain controller or forest domain controller. Can they, campus personnel, change or have any control over the administrator password of our NT 4.0 domain controller? The reason I asked this is because when I do the Ctrl+Alt+Delete and choose the Change Password option, I received this error message: "Unable to change the password on this account (C00000BE). Please consult your system administrator." So I did a little search on Google and I found a couple of things about the PDC having some sort of control or restrictions on our ability to change our own server. Here's an article I found on the MS site: http://support.microsoft.com/default.aspx?kbid=198941. I'm concerned that the PDC might have some control over our own server computer.

Many thanks in advance.

ljCharlie

UNFLUX:

I've never heard of such a thing, but that doesn't mean it doesn't exist or isn't in place. If you found that by Microsoft, then there's all the reason you need to believe it is true IMO.

ljCharlie:

So in your opinion, you think that the forest domain controller does have some control over the child domain controller in regard to password, correct?

Many thanks to your input.

ljCharlie

ATNO/TW:

I know for sure that NT machine passwords are set by default to change every 7 days. I know there is a registry hack listed in my NT server book where the PDC can override that for all BDCs so the password can't be changed. It's possible that the PDC Admin applied that hack. Although I think that the intent is to make it easier on large networks to keep replication from creating too much network traffic as it tries to update all machine passwords, it stands to reason that by adding the hack it could prevent anyone from changing the password. I don't have my NT book with me, but if I can, I'll try to post the registry key tonight when I get home.

ljCharlie:

ATNO/TW, thanks for your input. By the way, with that registry hack, the PDC admin can override my child domain controller, correct? And if that's the case, how do I prove if that's the case besides the behavior I mentioned in my first post?

ljCharlie

ATNO/TW:

Not sure lj - I only played with NT servers for about 3 weeks, and only have a vague familiarity with them. The quick glance I took last night at my server book wasn't clear on it, and I couldn't find out anything more specific than the MS link you provided above. Just out of curiosity, is there a reason you haven't asked the PDC admin about it?

ljCharlie:

Many thanks for your effort. The reason I didn't want to ask the PDC admin about this is that perhaps they might deny it. That's why I wanted to find out if they do have that control, because we thought they would not have any control over anything besides showing that our child domain controller is part of their network, which also acquires an IP address from their DHCP server too.

ljCharlie

ATNO/TW:

I see - Like I said, I'll try to post what I found in my book when I get home this evening. In the meantime, you might want to run through the security policies available in poledit and see if there's anything that might be commonly available to a DC that might allow that. It's been so long since I looked, I can't remember what you can or can't do re: policies.

ljCharlie:

Thanks!

What about running Windows 2003 Server as a child domain controller? What are your thoughts as far as the PDC admin being able to control or access the child DC computer? I guess my question is, if my server, no matter what Windows OS it is, is a child domain of a PDC, does the PDC Admin have any control over it as far as accessing the data in that computer or any of the child DC's client computers' data? And what is the best way to prevent any chance of accessing the DC's data or its clients' data if my domain controller has to be a child of a PDC?

ljCharlie

ATNO/TW:

As far as your questions about using a Win2k3 server for your server, I really can't answer those questions. We never played with that scenario in class and I no longer deal with NT servers, so I've had no practical experience other than a classroom environment. Anyway, here's the regkey I told you about from Mark Minasi's NT Server 4, 7th Edition:

Quote:
Recall that in NT, not only users have accounts - machines have accounts, as well. An interesting side-effect of this is that while machines have passwords just like users do, machines change their passwords every seven days. Why would you care about this? Well, if you have a domain that extends over a large geographical area, with WAN links, then you might notice an otherwise inexplicable increase in WAN traffic every week or so as the PDC updates the BDCs with the new machine passwords.

TIP
While I don't recommend it, you can tell NT not to change passwords every seven days with a change to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters: create a key called RefusePasswordChange of type REG_WORD, and set it to 1.


As stated before, I'm really not sure if it applies to your scenario, but it's the closest thing I could find.
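An added example (not code from the thread or from Minasi's book) that audits the Netlogon value quoted above and resets it to defaults. The registry path and RefusePasswordChange come from the quote; DisablePasswordChange and MaximumPasswordAge are the other Netlogon parameters that govern the same machine-account password rotation; the function names are mine. It assumes an elevated PowerShell session on the domain controller being checked.

```powershell
# Added example, not from the thread or the book: audit and optionally reset the
# Netlogon values that control machine-account (computer) password rotation.
# These govern computer accounts, not the user password changed via Ctrl+Alt+Del.
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-MachinePasswordPolicy {
    param([string]$Path = $NetlogonParams)
    $p = Get-ItemProperty -Path $Path -ErrorAction Stop
    # Absent values cast to 0. MaximumPasswordAge is reported as the 30-day
    # default used by Windows 2000 and later when the value is absent (NT 4.0 used 7).
    [pscustomobject]@{
        RefusePasswordChange  = [int]$p.RefusePasswordChange
        DisablePasswordChange = [int]$p.DisablePasswordChange
        MaximumPasswordAge    = if ($null -ne $p.MaximumPasswordAge) { [int]$p.MaximumPasswordAge } else { 30 }
    }
}

function Test-MachinePasswordPolicy {
    param([Parameter(Mandatory)]$Policy)
    $findings = @()
    if ($Policy.RefusePasswordChange -eq 1) {
        $findings += 'RefusePasswordChange=1: this DC rejects machine password changes from members, so their secrets never rotate.'
    }
    if ($Policy.DisablePasswordChange -eq 1) {
        $findings += 'DisablePasswordChange=1: this host never initiates its own machine password change.'
    }
    if ($Policy.MaximumPasswordAge -gt 30) {
        $findings += "MaximumPasswordAge=$($Policy.MaximumPasswordAge): rotation interval exceeds the 30-day default."
    }
    return $findings
}

function Reset-MachinePasswordPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $NetlogonParams)
    # Removing the values restores Netlogon's built-in defaults (rotation enabled).
    foreach ($name in 'RefusePasswordChange', 'DisablePasswordChange', 'MaximumPasswordAge') {
        if ($PSCmdlet.ShouldProcess("$Path\$name", 'Remove')) {
            Remove-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
        }
    }
}

$policy = Get-MachinePasswordPolicy
$policy | Format-List
$issues = Test-MachinePasswordPolicy -Policy $policy
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'Machine password rotation uses Netlogon defaults.' }
# Reset-MachinePasswordPolicy -WhatIf   # preview the remediation before applying it
```

Run with -WhatIf first; the reset only removes the three named values and leaves the rest of the Netlogon parameters untouched.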

ljCharlie:

Thanks! I'll keep that in mind.

ljCharlie

UNFLUX:

Interesting ATNO -- wonder if it translates in this case... seems like it does. :scratchhead:

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.