[cifs-protocol] [REG:112120610062311] Questions about "Unsecure Join" (old-style join domain)

Obaid Farooqi obaidf at microsoft.com
Thu Dec 6 14:21:50 MST 2012

Hi Gordon:
Thanks for contacting Microsoft. A member of the team will be in touch soon.

Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com

-----Original Message-----
From: Gordon Ross [mailto:Gordon.Ross at nexenta.com]
Sent: Thursday, December 06, 2012 2:10 PM
To: Interoperability Documentation Help
Cc: cifs-protocol at cifs.org
Subject: Questions about "Unsecure Join" (old-style join domain)

Hi Dochelp staff,

I have questions about implementing "Unsecure Join" (a.k.a. old-style join domain) where one uses a pre-created computer account.
I've cc'ed the cifs-protocol list in case anyone there might know the answers I'm looking for.

I've searched msdn etc. and found a few pages describing the "Unsecure Join" method.  Here are some of them:

Automating the Domain Join [See the section on "Unsecure Join"] http://technet.microsoft.com/en-us/library/cc730845.aspx

NetJoinDomain function (Windows) [ See NETSETUP_JOIN_UNSECURE] http://msdn.microsoft.com/en-us/library/windows/desktop/aa370433.aspx

We would like to implement "Join using a pre-created computer account"
and I'm looking for more details about how this should work.

As I understand it, the "pre-created computer account" is one that has it's initial password set to the same string as the account name.
The first reference above seems to say that.  However, our test results suggest that this may not be the case.  (or not always?)

Also, on the AD server the MMC "User and Computers" tool offers an action to "reset the computer account".  I'd like to know what that action really does.  Does it set the machine account password back to the computer name?  (our tests indicate maybe not)

Is there a document describing the specific protocol actions we need to perform during an "unsecure join"?

Here's what we're doing now:

(a) get information about the domain from the LSA, via LsaQueryInfoPolicy  (which we do over NULL sessions).

(b) change the machine account password.  We currently use the SamrUnicodeChangePasswordUser2 RPC call [MS-SAMR] for that purpose.

Step (a) seems to work fine.  In order for step (b) to work, we need to know the password of the pre-created account.
Or is there some other trick for doing the password change?

Gordon Ross <gwr at nexenta.com>
Nexenta Systems, Inc.  www.nexenta.com
Enterprise class storage for everyone
Microsoft is committed to protecting your privacy.  Please read the Microsoft Privacy Statement for more information.The above is an email for a support case from Microsoft Corp.REPLY ALL TO THIS MESSAGE or INCLUDE casemail at microsoft.com IN YOUR REPLY if you want your response added to the case automatically. For technical assistance, please include the Support Engineer on the TO: line. Thank you.

More information about the cifs-protocol mailing list