It is possible to query the domain for this, the script below will tell you when a particular machine's domain password was last reset.
'Replace "yourdom.com" with your domain name.
DomainName = "yourdom.com"
querymachine = UCase(InputBox("Enter full machine name"))
'Time zone bias in minutes, passed to Integer8Date below. The usual source for this
'value is ActiveTimeBias under HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation.
lngBias = 2
'****************Setup Log file******************************************************
Set fso = CreateObject("Scripting.FileSystemObject")
'The 8 in this line will append to an existing file, replace with a 2 to overwrite
Set txtStream = fso.OpenTextFile("System.txt", 8, True)
txtStream.WriteLine "Ran on " & Date & " *******************************"
'****************Setup ADSI connection and populate ADSI Collection******************
Set objADOconnADSI = CreateObject("ADODB.Connection")
objADOconnADSI.Open "Provider=ADsDSOObject;"
Set objCommandADSI = CreateObject("ADODB.Command")
objCommandADSI.ActiveConnection = objADOconnADSI
'There is a 1000 object default if these next 2 lines are omitted.
objCommandADSI.Properties("Size Limit") = 100000
objCommandADSI.Properties("Page Size") = 100000
objCommandADSI.Properties("Sort on") = "sAMAccountName"
objCommandADSI.CommandText = "<LDAP://" & DomainName & ">;(objectClass=computer);sAMAccountName,pwdLastSet,name,distinguishedName,operatingSystem;subtree"
Set objRSADSI = objCommandADSI.Execute
'Loop through record set and compare machine name*************************************
Do While Not objRSADSI.EOF
    If Not IsNull(objRSADSI.Fields("distinguishedName")) And objRSADSI.Fields("distinguishedName") <> "" Then
        'Is the machine the one we're looking for? Only convert pwdLastSet for a match,
        'so an unrelated account with an unset value cannot abort the whole run.
        If UCase(objRSADSI.Fields("name")) = querymachine Then
            'pwdLastSet comes back as an IADsLargeInteger object, so it must be assigned with Set.
            Set objDate = objRSADSI.Fields("pwdLastSet").Value
            'Go to function to make sense of the pwdLastSet value from AD for the machine account.
            dtmPwdLastSet = Integer8Date(objDate, lngBias)
            'Calculate the current age of the password.
            DiffADate = DateDiff("d", dtmPwdLastSet, Now)
            txtStream.WriteLine objRSADSI.Fields("name") & ";" & dtmPwdLastSet & ";" & DiffADate & ";" & objRSADSI.Fields("operatingSystem")
            WScript.Echo objRSADSI.Fields("name") & ", Last set: " & dtmPwdLastSet & ", Days since last change: " & DiffADate
        End If
    End If
    objRSADSI.MoveNext
Loop
txtStream.Close
objRSADSI.Close
objADOconnADSI.Close
WScript.Echo "Done!"

Function Integer8Date(objDate, lngBias)
    ' Function to convert an Integer8 (64-bit FILETIME, 100-nanosecond units since
    ' 1 January 1601) value to a date, adjusted for the local time zone bias in minutes.
    Dim lngAdjust, lngDate, lngHigh, lngLow
    lngAdjust = lngBias
    lngHigh = objDate.HighPart
    lngLow = objDate.LowPart
    ' Account for bug in IADsLargeInteger property methods: LowPart is returned as a
    ' signed 32-bit value, so a negative LowPart means HighPart must be incremented.
    If lngLow < 0 Then
        lngHigh = lngHigh + 1
    End If
    ' A value of zero means "never set"; do not apply the bias to it.
    If (lngHigh = 0) And (lngLow = 0) Then
        lngAdjust = 0
    End If
    ' 600,000,000 units of 100 ns = 1 minute; 1440 minutes = 1 day.
    lngDate = #1/1/1601# + (((lngHigh * (2 ^ 32)) _
        + lngLow) / 600000000 - lngAdjust) / 1440
    Integer8Date = CDate(lngDate)
End Function
(I'd love to give credit for the above script, but it's been handed around from person to person and modified in various ways; I have no idea where it originally came from.)
Save this as something like MachinePasswordDate.vbs. Double-clicking the file in Windows should pop up a box you can put a machine name into, which should then query the domain and tell you when that machine's password was last changed.
If you're regularly restoring virtual machine snapshots it might be worth having a look at the security policies on those machines before you save off an image. You can change the machine password reset interval up to 999 days quite easily, assuming your domain GPOs won't override it, and your security policy allows this sort of thing:
Click Start, click Run, type Gpedit.msc, and then press ENTER.
Expand Local Computer Policy, Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then expand Security Options.
Configure the following settings:
Domain Member: Disable machine account password changes (Enabled)
Domain Member: Maximum machine account password age (999 days)
Domain Controller: Refuse machine account password changes (Enabled)
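The same lookup in PowerShell, as an added example that is not the script posted above: it filters on the computer name server-side instead of walking every computer object through ADO, and uses [DateTime]::FromFileTime in place of the hand-rolled Integer8Date conversion (it already applies the local time-zone offset). The computer name, the 30-day default age and the Stale flag are assumptions for this example.

```powershell
# Added example (not the original poster's script). Run on a domain-joined machine
# as a user allowed to read computer objects in the current domain.
param(
    [Parameter(Mandatory = $true)][string]$ComputerName,   # e.g. "SERVER01" (constructed)
    [int]$MaxAgeDays = 30                                  # Windows default machine password age
)

# Escape LDAP filter metacharacters in the user-supplied name (RFC 4515), so an odd
# name cannot change the meaning of the query.
$escaped = $ComputerName -replace '\\', '\5c' -replace '\*', '\2a' `
                         -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'

# First value of an attribute, or $null when the object does not carry it.
function Get-FirstValue($props, [string]$name) { $props[$name] | Select-Object -First 1 }

$searcher = [adsisearcher]"(&(objectClass=computer)(name=$escaped))"
$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'pwdLastSet', 'operatingSystem', 'distinguishedName'))
$result = $searcher.FindOne()

if (-not $result) {
    Write-Warning "No computer object named '$ComputerName' found in the current domain."
    return
}

# pwdLastSet is returned as an Int64 FILETIME; 0 means the password was never set
# (the VBScript above maps that case to 1 January 1601).
$raw = [int64](Get-FirstValue $result.Properties 'pwdlastset')
if ($raw -eq 0) {
    $lastSet = $null
    $ageDays = $null
} else {
    $lastSet = [DateTime]::FromFileTime($raw)      # local time, like Integer8Date with its bias
    $ageDays = [int]((Get-Date) - $lastSet).TotalDays
}

[pscustomobject]@{
    Name              = Get-FirstValue $result.Properties 'name'
    DistinguishedName = Get-FirstValue $result.Properties 'distinguishedname'
    OperatingSystem   = Get-FirstValue $result.Properties 'operatingsystem'
    PwdLastSet        = $lastSet
    AgeDays           = $ageDays
    # An age beyond the policy maximum means the machine has not rolled its password
    # with a DC on schedule, which is the situation the trust-relationship error comes from.
    Stale             = ($null -ne $ageDays) -and ($ageDays -gt $MaxAgeDays)
}
```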
Best Answer
The disable machine account password changes setting should almost never be enabled. It determines whether a domain computer periodically changes its computer account password, based on the maximum machine password age setting.
The Microsoft description of this setting from the linked Technet documentation:
The Microsoft best practices for this setting from the linked Technet documentation:
As stated, this setting was created to allow organizations to prebuild machines and put them into production after the maximum machine account password age, without resulting in the failed trust relationship error you're getting.
That particular error is generated because the machine account password on the domain controller does not match the machine account password that the machine has stored locally, or because the machine account password has exceeded the maximum age setting, which means it is expired.
Generally, the machine account password expiring is caused when the machine throwing the error and the domain controller are unable to communicate within the maximum machine account password age time, or are unable to do so securely. The machine account password mismatch happens if, for example, you join a 2nd computer to a domain with an existing name - the machine account gets overwritten, and a new machine account password is created, so the 1st computer no longer has the proper machine account password to authenticate.
In your specific case, my first suspicion would be that a firewall is blocking the Active Directory traffic between the domain controller and the computer that keeps generating this error, specifically the traffic where the domain controller and the machine synchronize the password when a new one is generated. It's also a distinct possibility that the machine is throwing errors when trying to create that secure communication channel, or even that it's erroring out when trying to automatically update its machine account password. In any case, you should be able to determine what the problem is by looking at the event logs on this machine and the domain controller. You're looking for errors establishing connections between the two servers, and for any errors thrown by any of the security subsystems on either machine to pinpoint the exact cause of this problem.
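An added check, not part of either answer, that covers both the gpedit settings listed earlier and the diagnosis this answer recommends: it reads the Netlogon registry values those three policies control, flags the configuration the best answer warns against, then verifies the secure channel and pulls recent Netlogon errors from the System log. The 7-day window and the 30-day default are assumptions for this example; run it elevated on the affected member machine.

```powershell
# Added example (not from either answer). Netlogon stores the three policy settings as
# DWORD values under this key; a missing value means the Windows default applies.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$p   = Get-ItemProperty -Path $key

$disableChange = [int]$p.DisablePasswordChange     # "Domain Member: Disable machine account password changes"
$maxAge        = if ($null -ne $p.MaximumPasswordAge) { [int]$p.MaximumPasswordAge } else { 30 }
$refuseChange  = [int]$p.RefusePasswordChange      # "Domain Controller: Refuse machine account password changes"

$findings = @()
if ($disableChange -eq 1) { $findings += 'DisablePasswordChange=1: this machine will never roll its account password' }
if ($maxAge -gt 30)       { $findings += "MaximumPasswordAge=$maxAge days exceeds the 30-day default" }
if ($refuseChange -eq 1)  { $findings += 'RefusePasswordChange=1: DC rejects password changes from members' }

[pscustomobject]@{
    DisablePasswordChange  = $disableChange
    MaximumPasswordAgeDays = $maxAge
    RefusePasswordChange   = $refuseChange
    Findings               = if ($findings) { $findings -join '; ' } else { 'policy at defaults' }
}

# Does this machine still hold a valid secure channel to a DC? $false is the state behind
# the trust-relationship error; -Verbose names the DC it tried.
$channelOk = Test-ComputerSecureChannel -Verbose
"Secure channel OK: $channelOk"

# Netlogon errors and warnings from the last 7 days (constructed window): the event log
# evidence the answer above says to review, e.g. no DC reachable or session setup failed.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Level        = 2, 3                 # 2 = Error, 3 = Warning
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object -First 20 TimeCreated, Id, Message
```

Once the cause is fixed, Reset-ComputerMachinePassword (run with domain credentials) re-establishes the channel without rejoining the domain.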