Automatically refresh credential after password change

Let's say we have around 300 Windows XP machines on our ActiveDirectory domain that are used for processing something. Each has an account which is patterned on the machine's name. As these are treated as normal domain accounts, they are subject to the monthly password change requirements.

We have techs who go through and change the passwords each month, but this is tedious, error-prone, and time consuming. In an effort to make it better, I am going to start changing the passwords on the 300+ accounts programmatically.

This, however, presents a problem. The machines are logged on as the user accounts we are changing, and by default do not update the cached credentials, which eventually will lock the account out when it tries accessing locations on the network.

Is there any way to update the cached credentials on a machine without locking/logging? Perhaps a Policy setting?

created on 26.09.2011 - 19:30:01 by CodeWarrior, updated on 09.02.2018 - 10:08:25.

If the XP boxes have been joined to the domain then there is already a machine account for each one. It is maintained by Windows and AD without you having to do anything special. It never expires and works after reboot and without anyone having to log in.

Rather than creating an account per machine matching the machine name why not just rig your job to run as "NT Authority\NetworkService" (FireDaemon works great when you need to turn a program into a service) and let it take care of itself? All you need to do is permit those machines on the other end by adding accounts in the form DOMAIN\MACHINENAME$.

answered on 29.09.2011 - 20:34:27 by Mark.
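One way to set up the machine-account approach described in this answer, written as an added example rather than taken from the answer itself: instead of one ACE per box, the computer accounts go into a group and the group gets the folder rights, so adding or retiring a machine is a membership change only. The folder path, group name and OU are assumptions.

```powershell
# Added example, not code from the original answer. Put the XP computer
# accounts in a group and grant the group access; the job on each box then
# runs as NT AUTHORITY\NetworkService and authenticates to the server as
# DOMAIN\MACHINENAME$, whose password AD rotates without any admin action.
# Folder path, group name and OU below are assumptions for illustration.
param(
    [string]$Folder     = 'D:\ProcessingDrop',
    [string]$GroupName  = 'ProcessingBoxes',
    [string]$SearchBase = 'OU=Processing,DC=corp,DC=example'
)
Import-Module ActiveDirectory

# 1. Security group that holds the computer accounts (created only if missing)
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global `
                         -GroupCategory Security -PassThru
}

# 2. Add every computer object from the OU; re-running is harmless
$computers = Get-ADComputer -Filter * -SearchBase $SearchBase
Add-ADGroupMember -Identity $group -Members $computers

# 3. One ACE on the folder for the group, inherited by files and subfolders
$acl  = Get-Acl -Path $Folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group.SID,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 4. Check: these are the machine accounts that can now reach the folder
Get-ADGroupMember -Identity $group | Select-Object Name, SamAccountName
```

If the folder is published as a share, the share-level permissions need the same group as well, since NTFS and share ACLs are evaluated separately.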
You can avoid this by logging off the accounts after the password change.
commented on 05.03.2017 - 18:36:19 by Bill_Stewart.
Yeah. I have worked with ActiveDirectory objects quite a bit in .NET, but that doesn't really touch the workstation's cached credentials, except inasmuch that the account in AD no longer matches the workstations... Never messed around much with Windows scripting or anything like that. This will be a bit of a learning experience.
commented on 27.09.2011 - 15:46:41 by CodeWarrior.
What you basically need is an answer to the question on how to change the user's own password from within the user's context by script. I've bountied the question, let's see if something comes up in the end.
commented on 27.09.2011 - 10:11:44 by the-wabbit.
You'll hit the "Window needs your new credentials" any time you don't logon/lock-unlock after the user's password changes. I was thinking, if the users-to-XP-machines is a 1:1 mapping, a portion of the "password change" process could incorporate an auto-logon/reboot using the new credentials. This wouldn't involve any hands-on work, just additional scripting.
commented on 27.09.2011 - 03:10:00 by jscott.
If, after doing that, I change the password a month later, is there the likelihood that I will have to do it again, or that I will be presented with the "Window needs your new credentials" or whatever? If so, then it won't work for me. Really I am looking for a way to change passwords on 300 plus accounts that are currently logged in without having anyone do anything besides myself running the password change program I have written.
commented on 27.09.2011 - 02:57:49 by CodeWarrior.
I suppose that configuring auto-logon (with new credentials), rebooting, then disabling auto-logon, is out of the question.
commented on 27.09.2011 - 02:06:02 by jscott.
This Article is based on the Article Automatically refresh credential after password change and is licensed under Creative Commons CC-BY-SA 3.0. Article was created by CodeWarrior.