Rpvs> On 14/07/2020 16:51, Gregory Sloop via samba wrote:
>> Yeah, I could set up an extra XCP box - but at smaller setups, it really seems like overkill.
>> So, it sounds like restores of the VM work "fine."
>> How often do machine accounts reset their passwords?
Rpvs> Every 30 days, though this is adjustable, but not recommended
>> [This is the one that is most likely to be problematic. Rejoining the domain means a new profile. And that's a big PITA on the client side.]
>> User password changes can simply be handled by the admin resetting them, or the like. Machine accounts? Not so straight-forward, at least not that I'm aware of - unless there's some way to "reset" the computer account password and sync with the workstation.
Rpvs> You do know that a computer is a user with an extra objectclass ?
Rpvs> Rowland

Yeah, I do know that.
But that seems like a *completely pointless* observation if there's not some way to re-sync the "machine" account password on the station with a new password on the AD-DC. If there's a way, I'm all ears. If there's not, then who cares - what's the point in even bringing it up?

It feels like
Bystander: "Hey drowning man, there's a way you don't have to drown, you know!"
Drowning man: "Yeah?! Crikey! How about telling me about that, instead of just telling me I don't have to drown!"
Bystander: "I just wanted you to know 'bout my technical superiority!"
Drowning man: "Can I drown now?"
:)

-Greg

On 14/07/2020 17:25, Gregory Sloop via samba wrote:
>
> Rpvs> On 14/07/2020 16:51, Gregory Sloop via samba wrote:
>>> Yeah, I could set up an extra XCP box - but at smaller setups, it really seems like overkill.
>>> So, it sounds like restores of the VM work "fine."
>>> How often do machine accounts reset their passwords?
> Rpvs> Every 30 days, though this is adjustable, but not recommended
>>> [This is the one that is most likely to be problematic. Rejoining the domain means a new profile. And that's a big PITA on the client side.]
>>> User password changes can simply be handled by the admin resetting them, or the like. Machine accounts? Not so straight-forward, at least not that I'm aware of - unless there's some way to "reset" the computer account password and sync with the workstation.
> Rpvs> You do know that a computer is a user with an extra objectclass ?
>
> Rpvs> Rowland
>
> Yeah, I do know that.
> But that seems like a *completely pointless* observation if there's not some way to re-sync the "machine" account password on the station with a new password on the AD-DC. If there's a way, I'm all ears. If there's not, then who cares - what's the point in even bringing it up?
>
> It feels like
> Bystander: "Hey drowning man, there's a way you don't have to drown, you know!"
> Drowning man: "Yeah?! Crikey! How about telling me about that, instead of just telling me I don't have to drown!"
> Bystander: "I just wanted you to know 'bout my technical superiority!"
> Drowning man: "Can I drown now?"
> :)
>
> -Greg

Hey 'Drowning man':

samba-tool user setpassword computer_name$ --random-password

This will work, but I don't recommend doing it, Samba will change the password every 30 days.

Rowland

Rpvs> On 14/07/2020 17:25, Gregory Sloop via samba wrote:
>> Rpvs> On 14/07/2020 16:51, Gregory Sloop via samba wrote:
>>>> Yeah, I could set up an extra XCP box - but at smaller setups, it really seems like overkill.
>>>> So, it sounds like restores of the VM work "fine."
>>>> How often do machine accounts reset their passwords?
>> Rpvs> Every 30 days, though this is adjustable, but not recommended
>>>> [This is the one that is most likely to be problematic. Rejoining the domain means a new profile. And that's a big PITA on the client side.]
>>>> User password changes can simply be handled by the admin resetting them, or the like. Machine accounts? Not so straight-forward, at least not that I'm aware of - unless there's some way to "reset" the computer account password and sync with the workstation.
>> Rpvs> You do know that a computer is a user with an extra objectclass ?
>> Rpvs> Rowland
>> Yeah, I do know that.
>> But that seems like a *completely pointless* observation if there's not some way to re-sync the "machine" account password on the station with a new password on the AD-DC. If there's a way, I'm all ears. If there's not, then who cares - what's the point in even bringing it up?
>> It feels like
>> Bystander: "Hey drowning man, there's a way you don't have to drown, you know!"
>> Drowning man: "Yeah?! Crikey! How about telling me about that, instead of just telling me I don't have to drown!"
>> Bystander: "I just wanted you to know 'bout my technical superiority!"
>> Drowning man: "Can I drown now?"
>> :)
>> -Greg
Rpvs> Hey 'Drowning man':
Rpvs> samba-tool user setpassword computer_name$ --random-password

So, you're telling me that if I restore an AD (VM) to a prior point (let's say from a backup from a week ago), *after* the computer account has changed its password, I can simply do "samba-tool user setpassword computer_name$ --random-password" and then that Windows station will be able to connect again, without needing to rejoin the domain?
[And thus, keep the same user profile as before, etc.]

If true, that's pretty cool.

Rpvs> This will work, but I don't recommend doing it, Samba will change the
Rpvs> password every 30 days.

Yes, but I wouldn't be needing to do this, except in the case of my hypothetical disaster where I need to restore the AD domain from a backup from before - and now the computer account on the PC doesn't match the computer account in AD.

Rpvs> Rowland

-Greg
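
Added example, not part of the thread and not Samba project code: for the restore scenario discussed above, this reads an account export taken from the restored DC and lists the machine accounts whose 30-day password change was due by the time of the restore, i.e. the workstations worth checking first. The export text, host names, domain and the helper names are constructed assumptions; `pwdLastSet` and `sAMAccountName` are the standard AD attributes.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the "attribute: value" layout of an LDAP/ldbsearch
# export from the restored DC. Names and values are made up for illustration.
SAMPLE_EXPORT = """\
dn: CN=WS01,CN=Computers,DC=example,DC=lan
sAMAccountName: WS01$
pwdLastSet: 132362208000000000

dn: CN=WS02,CN=Computers,DC=example,DC=lan
sAMAccountName: WS02$
pwdLastSet: 132380352000000000

dn: CN=alice,CN=Users,DC=example,DC=lan
sAMAccountName: alice
pwdLastSet: 132354432000000000
"""

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value):
    """pwdLastSet counts 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=int(value) // 10)


def parse_accounts(export):
    """Return one attribute dict per blank-line-separated record."""
    records = []
    for block in export.strip().split("\n\n"):
        pairs = (line.split(": ", 1) for line in block.splitlines() if ": " in line)
        records.append(dict(pairs))
    return records


def machines_due_by_restore(export, restore_time, max_age_days=30):
    """Machine accounts whose next password change fell on or before restore_time."""
    due = []
    for rec in parse_accounts(export):
        name = rec.get("sAMAccountName", "")
        if not name.endswith("$") or "pwdLastSet" not in rec:
            continue  # skip ordinary users and incomplete records
        rotate_on = filetime_to_datetime(rec["pwdLastSet"]) + timedelta(days=max_age_days)
        if rotate_on <= restore_time:
            due.append((name, rotate_on.date().isoformat()))
    return sorted(due)


if __name__ == "__main__":
    restore = datetime(2020, 7, 14, tzinfo=timezone.utc)
    for name, day in machines_due_by_restore(SAMPLE_EXPORT, restore):
        print(f"{name}: password change was due {day}; check its trust to the DC")
```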