  1. #1
    atamakosi

    disable computer password change to avoid "trust relationship" error when logging in

    Not sure quite where to post this as it relates to Win 7 but also to AD.

    Here's the situation: some of our machines on Win 7 will have trust relationship issues with the domain servers from time to time. This is mainly coming from our non-wired units. The time-consuming fix right now is to connect them to a switch every week or two and force policy updates, etc. I've just stumbled across an MS KB article about disabling automatic machine account password changes (concerning sharing a computer account for a dual-boot machine, but that's another story) and was curious if anyone else ran across this similar issue that denies active user accounts access due to the trust relationship and if this machine password change would fix this?

    FYI, the article

    many thanks

  2. #2


    It usually means that the startup repair wizard has been run at bootup and rolled the PC back to a time before the password is auto changed. Try running this on affected PCs:
    Code:
    if exist c:\nsr.txt goto end
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    copy "\\server\NETLOGON\distribute\disablestartuprepair.bat" "c:\nsr.txt" /y
    :end
    Doesn't remove the wizard if you ever want to use it, but stops it coming up unless requested.

  3. #3
    chazzy2501
    This happens a lot on our laptops (as they are rarely shut down properly). I'm still amazed you can restore a laptop without any permissions?! Pupils do this out of confusion; they just keep hitting the yes prompts, having no understanding of what is going on. ((Teachers let them and only call us when it's 20 minutes into a restore, then look at me like it's my fault.))

    Is there a GPP way of doing the above? EDIT: also, the startup script refers to a BAT file you've not included?
    Last edited by chazzy2501; 4th July 2013 at 08:29 AM.

  4. #4


    That is a batch file I set as a startup item. Once it's run once it doesn't need to be run again, so startup or shutdown scripts are fine.

  5. #5
    atamakosi
    Thanks for the info but I believe we are getting away from the question.

    Will disabling the automatic password change using a regedit pushed through gpo prevent the trust relationship issue from occurring? Accepting your premise that it is caused due to a rollback during startup repair, would not disabling the password change in the first place prevent the error because the password pre-rollback and post-rollback would be the same?

  6. #6

    witch
    This is becoming the bane of my life and I could really do with a helping hand - I get trust relationship issues on about 10 different machines a week. Windows 7, Server 2008R2.

  7. #7

    Hi guys,
    I have read about this elsewhere but have yet to implement it on my network due to being busy with helpdesk + Windows 8.
    There is a command line utility called "NETDOM". There is a function within that to reset the computer account.

    What you can do to create a quick fix is to set it as a login item for a local admin account. That way it's fixed after login then restart.

    Sorry if I have got the wrong gist of what is happening here but I believe I am right in thinking this.

  8. #8

    I applied the registry "workaround" in that KB article to a room which for weeks, was getting said domain trust relationship error. It has stopped as a result which I'm over the moon about. The KB article indeed mentions security risks which I'm not overly happy about exposing the PCs to, but at least it's stopped the constant emails and calls about why the PCs are having marital problems.

  9. #9

    Cool glad to hear.
    netdom.exe resetpwd /s:<domain controller name> /ud:<username> /pd:*

    The * will prompt, so if you want it as a login item for a local admin account you'll need to make sure you set permissions on the script so that only local admin can see it and no one else, as you'd possibly need a clear text password. Alternatively you could use a PowerShell credential object. IDK, but that's it. If it helps =]

  10. #10


    There is a GPO policy somewhere so computers' passwords don't time out, but I've not had an issue since I disabled startup repair.

  11. #11
    Duke5A
    Machine password changes by default every 30 days. Being away from the network longer than that doesn't break the trust though; the computer would simply give AD the same expired password and as long as it matches the one AD has everything is fine and it will be renewed. The problem as stated earlier is if the computer ran start-up repair and restored a snapshot from before the password changed. The next time it checks in with a domain controller the DC will see the passwords don't match and you'll get the error. There are two things you can do: either you can change it so the password never expires, or disable system restore. I chose to disable system restore in my base image, but if you wanted to change the password expiration policy you can find it here:

    Code:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Disable machine account password changes
    Microsoft doesn't recommend using this policy though. And if memory serves when you change this it will force one last password change.

    I hope this helps...
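
Added example, not part of any post in this thread: a PowerShell check that reports whether machine account password rotation has been disabled on a client and whether its secure channel to the domain is still healthy, prompting for a credential to repair it instead of keeping a clear-text password in a logon script. It assumes an elevated session on a domain-joined machine with Windows PowerShell 3.0 or later; the function name `Get-MachinePasswordState` is hypothetical.

```powershell
# Added example: audit machine account password rotation and secure channel health.
# Assumes: elevated session, domain-joined client, Windows PowerShell 3.0+.
function Get-MachinePasswordState {
    # Netlogon stores the "disable machine account password changes" and
    # maximum password age settings here, whether set by policy or by hand.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $p   = Get-ItemProperty -Path $key

    # Either value may be absent; Windows then uses its defaults
    # (rotation enabled, 30-day maximum age).
    $disabled = if ($null -ne $p.DisablePasswordChange) { [int]$p.DisablePasswordChange } else { 0 }
    $maxAge   = if ($null -ne $p.MaximumPasswordAge)    { [int]$p.MaximumPasswordAge }    else { 30 }

    # $true when the locally stored machine password still matches the one AD holds.
    $channelOk = Test-ComputerSecureChannel

    New-Object PSObject -Property @{
        Computer               = $env:COMPUTERNAME
        PasswordChangeDisabled = ($disabled -eq 1)
        MaximumPasswordAgeDays = $maxAge
        SecureChannelHealthy   = $channelOk
    }
}

$state = Get-MachinePasswordState
$state | Format-List

if ($state.PasswordChangeDisabled) {
    # The workaround from the thread is in effect on this machine.
    Write-Warning 'Machine account password rotation is disabled on this computer.'
}

if (-not $state.SecureChannelHealthy) {
    # Prompt for a domain account allowed to reset the computer account
    # rather than embedding a password in the script.
    $cred = Get-Credential
    if (Test-ComputerSecureChannel -Repair -Credential $cred) {
        Write-Output 'Secure channel repaired.'
    } else {
        Write-Warning 'Repair failed; the machine may need to be rejoined to the domain.'
    }
}
```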
