Subject: Machine account password procedure
Posted by:  Sam P (Sa…
Date: Wed, 23 Jan 2008

Background: I am trying to diagnose a problem with laptops which are
connecting wirelessly via a PEAP setup and authenticating against IAS. This
uses the computer's account in AD to authenticate the PC. For the most part,
this works very well, but occasionally some laptops refuse to connect
wirelessly and need to be plugged in on the wire (only once) and they will
then work again. There is no security set up on the wired connection. This
seems to happen if the laptop hasn't been used in a while (weeks).

Clients (laptops) are XP Pro SP2; Servers are WS2003 SP2; Domain is at
WS2003 functional level.

Hypothesis: I suspect this problem may be due to the computer account
expiring (currently it's at the default 30 days) and the computer refusing to
use the current password to authenticate to our RADIUS (IAS) server, but
being unable to change it without a working network connection. From what
I've read, the computer is in charge of determining when that 30 days is up
rather than the DC. My question is: does the computer wait until after the 30
days are up and then change its password, or does it change it at some point
before the 30 days are up (a la DHCP leases)?

If it only changes the password *after* the 30 days are up, then the cause
of the problem probably lies elsewhere. Unfortunately I can't find any
documentation which goes into sufficient detail to help me.
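
One way to gather evidence for or against the hypothesis above, as an added example that is not part of the original post: list the computer accounts in AD whose `pwdLastSet` is older than the 30-day default, and read the Netlogon password settings on an affected laptop. The function names, the name filter and PowerShell 2.0 or later are assumptions.

```powershell
# Added example: not part of the original post. Assumes PowerShell 2.0+.

# Run on a domain-joined admin workstation: list computer accounts whose
# machine password was last set at least $MaxAgeDays ago.
function Get-StaleMachinePassword {
    param(
        [int]$MaxAgeDays = 30,        # the default age mentioned in the post
        [string]$NameFilter = '*'     # hypothetical naming pattern, e.g. 'LAPTOP-*'
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(name=$NameFilter))"
    $searcher.PageSize = 500          # page results so large domains are not truncated
    [void]$searcher.PropertiesToLoad.Add('name')
    [void]$searcher.PropertiesToLoad.Add('pwdLastSet')

    $now = Get-Date
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $raw = $r.Properties['pwdlastset']   # result keys are lower case
            if ($raw.Count -eq 0 -or [int64]$raw[0] -eq 0) { continue }  # never set
            # pwdLastSet is a FILETIME: 100 ns ticks since 1601-01-01 UTC
            $lastSet = [DateTime]::FromFileTime([int64]$raw[0])
            $ageDays = [int][math]::Floor(($now - $lastSet).TotalDays)
            if ($ageDays -ge $MaxAgeDays) {
                New-Object PSObject -Property @{
                    Name            = [string]$r.Properties['name'][0]
                    PasswordLastSet = $lastSet
                    AgeDays         = $ageDays
                }
            }
        }
    } finally { $results.Dispose() }
}

# Run on an affected laptop: show the Netlogon settings that govern the change.
function Get-MachinePasswordPolicy {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        MaximumPasswordAge    = $p.MaximumPasswordAge     # days; empty if not set
        DisablePasswordChange = $p.DisablePasswordChange  # 1 = client never changes it
    }
}

Get-StaleMachinePassword | Sort-Object AgeDays -Descending | Format-Table -AutoSize
```

Comparing `pwdLastSet` for an affected laptop before and after it is plugged in on the wire shows whether a password change coincides with the fix.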