Citrix Provisioning

Managing domain passwords

When target devices access their own vDisk in Private Image mode, there are no special requirements for managing domain passwords. However, when a target device accesses a vDisk in Standard Image mode, the Provisioning Server assigns the target device its name. If the target device is a domain member, the name and password assigned by Provisioning Server must match the information in the corresponding computer account within the domain. Otherwise, the target device is not able to log on successfully. For this reason, the Provisioning Server must manage the domain passwords for target devices that share a vDisk.

To enable domain password management, you must disable the automatic renegotiation of machine passwords that is controlled by Active Directory (or an NT 4.0 domain). This is done by enabling the Disable machine account password changes security policy at either the domain or target-device level. Provisioning Server provides equivalent functionality through its own Automatic Password Renegotiate feature.

While target devices booting from vDisks no longer require Active Directory password renegotiation, configuring a policy to disable password changes at the domain level applies to any domain members booting from local hard drives. This may not be desirable. A better option is to disable machine account password changes at the local level. To do this, select the Optimize option when building a vDisk image. The setting will then be applied to any target devices that boot from the shared vDisk image.

Note: The Provisioning Server does not in any way change or extend the Active Directory schema. Provisioning Server’s function is to create or modify computer accounts in Active Directory, and reset passwords.

When domain password management is enabled, it:

  • Sets a unique password for a target device.
  • Stores that password in the respective domain computer account.
  • Gives the information necessary to reset the password at the target device before it logs on to the domain.

Password Management Process

Password validation process with Active Directory

With password management enabled, the domain password validation process includes:

  • Creating a machine account in the database for a target device, then assigning a password to the account.
  • Providing an account name to a target device using the Streaming Service.
  • Having the domain controller validate the password provided by the target device.
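The checks below are an added example and are not part of the Citrix documentation or Provisioning Server's own tooling. They assume the Disable machine account password changes policy is stored as the DisablePasswordChange value under the Netlogon parameters registry key on the target device, and that the RSAT ActiveDirectory module is available on the admin host running the AD check.

```powershell
# Added example (not Citrix code): verify that a target device will not renegotiate its
# own machine account password, and that the domain controller still accepts the
# password the device holds.

$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Test-MachinePasswordChangeDisabled {
    # Assumption: the local security policy "Domain member: Disable machine account
    # password changes" is persisted as the DWORD DisablePasswordChange (1 = disabled).
    $value = (Get-ItemProperty -Path $netlogonKey -Name DisablePasswordChange `
                  -ErrorAction SilentlyContinue).DisablePasswordChange
    return ($value -eq 1)
}

function Set-MachinePasswordChangeDisabled {
    # Weak state: value absent or 0. Netlogon then changes the password on its own
    # schedule (30 days by default), so the account drifts from what Provisioning
    # Server stored and the shared-vDisk target device can no longer log on.
    # Corrected state: 1, so only Provisioning Server resets the account password.
    Set-ItemProperty -Path $netlogonKey -Name DisablePasswordChange -Value 1 -Type DWord
}

function Get-TargetDevicePasswordAge {
    param([Parameter(Mandatory)] [string] $ComputerName)
    # PasswordLastSet on the computer account records the last password reset in AD.
    # With password management enabled it should reflect Provisioning Server's resets,
    # not Netlogon's 30-day schedule.
    $account = Get-ADComputer -Identity $ComputerName -Properties PasswordLastSet
    return (Get-Date) - $account.PasswordLastSet
}

# Run on the target device (elevated): local policy check.
if (-not (Test-MachinePasswordChangeDisabled)) {
    Write-Warning 'Machine account password changes are still enabled locally; Netlogon will renegotiate the password.'
}

# Run on the target device: confirms the domain controller validates the password
# the device currently holds (the last step of the validation process above).
if (-not (Test-ComputerSecureChannel)) {
    Write-Warning 'Secure channel to the domain failed: local and AD machine passwords do not match.'
}
```

Run Get-TargetDevicePasswordAge from an admin host against a target device name to confirm that resets are actually reaching the computer account.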