We are on a Windows Server 2008 R2 domain (planning to upgrade to 2016) and have recently starting having trouble with the local admin account losing its password and, more recently, disappearing altogether. We also have a GPO policy that enforces the default admin account to have "Password never expires" and "User cannot change password" enabled.
Starting with Windows 10 Creators Update (1703), I started finding computers where the local admin account had no password. At first, this escaped my notice, thinking that I somehow neglected to give it a password, but I started noticing it more often and realized it wasn't just me spacing off on a repetitive task (besides, standard Windows setup walks you through that step, so it would take extra effort to skip it). The common thread is that these were machines that were originally setup with a fresh install of Windows 10 1703--machines that were upgraded from an earlier edition to 1703 are not having this issue. Now I am starting to set up machines with Fall Creators Update (1709) and there is a new twist: it may also delete the local admin with or without also obliterating its user folders as well.
In my third re-install of 1709 on a particular machine, I took careful notice of what was happening and when. When you first install 1709, the primary user (we set up as default local admin) account and password is fine. Upon joining to 2008 R2 domain, the password disappears and the machine will not allow you to check BOTH "user cannot change pwd" and "pwd never expires," giving a message that "This operation is disallowed as it could result in an administration account being disabled, deleted or unable to logon." Having re-entered the password and leaving "User cannot change pwd" UN-checked, everything seems fine. It appears that it's specifically the "User cannot change password" that creates the conflict. The biggest problem is that the password gets erased or the account gets annihilated without any notice whatsoever.
Has anyone seen this and have a solution? What changed in 1703/1709 that may be causing a conflict? Is it just the combination of Server 2008 R2 and Win10 1703 and later?
No comments:
Post a Comment