-1

Having read in http://support.microsoft.com/kb/154501/EN-US/ (How to disable automatic machine account password changes):

"You have two separate installations of Windows NT or Windows 2000 on the same computer in a dual-boot configuration. In this case, the only way to share the same machine account between the two installations of Windows NT or Windows 2000 is to use the default machine account password that is created when you join the domain"

I have the following questions:

  1. What is the process of sharing "the same machine account between the two installations of Windows"?
  2. If the account is shared, why can the password not change from the non-default to a "normal" (automatically changed) one?

I am a developer using two Windows installations on the same dual-boot machine: one is an AD-joined Windows (used under a domain user account) and the other is a workgroup (i.e. not joined to a domain) Windows.

It is XOR-ed: either one or the other (of course), which is inconvenient. Is it possible to share the AD machine account from the workgroup Windows session?

Everybody says that it is impossible. But why? Having read http://blogs.msdn.com/aaron_margosis/archive/2009/11/05/machine-sids-and-domain-sids.aspx (Machine SIDs and Domain SIDs) and other similar topics in this field, I cannot understand why it is impossible.

Oskar Duveborn
  • 3
    Did you take the time to read the whole kb article? Both of your questions are answered there. – Zoredache Aug 10 '10 at 18:51
  • See Update1. Besides, even in the original post I asked for feedback on others' experience – Gennady Vanin Геннадий Ванин Aug 11 '10 at 07:23
  • As a programmer you should know the difference between OR and XOR. Your setup is OR, not XOR. Now, what is your question? – John Gardeniers Aug 11 '10 at 09:15
  • XOR simply means that if both do not run - FALSE in running, if both run - FALSE in running. That is, only one of two is TRUE context under consideration. This is because I tried to ask this in another forum and all discussion ended up in dozens of posts telling me that one cannot simultaneously run both... – Gennady Vanin Геннадий Ванин Aug 11 '10 at 09:57
  • Perhaps you can explain to us dumb sysadmins how you managed to get more than one instance running concurrently on a multi-boot machine. We can only run one at a time and need to reboot to get a different one running. – John Gardeniers Aug 16 '10 at 21:59

3 Answers

0

First question is answered in the article you linked to. About the second question, if machine A changes the password won't machine B have the wrong password?

Also, what is the motivation for this setup? It seems non-standard and contrived. Why does it even matter what machine account the workgroup instance uses?

Oskar Duveborn
  • So, what was answered in the article? In parallel discussions, I was told that the workgroup Windows Administrators group cannot have "Domain Admins" while it is being pushed from the DC on a domain-joined Windows client, etc. Also, have you tried to develop on a machine where you have no administration rights (even to update an incorrect system time)? – Gennady Vanin Геннадий Ванин Aug 25 '10 at 23:47
  • 1
    I always develop on machines without administration rights. The time shouldn't be corrected locally, if it's wrong - you need to fix the root problem with syncing the time - not fiddling with it locally (in a managed situation). – Oskar Duveborn Aug 26 '10 at 08:47
0

As I understood from parallel discussions on SF, the workgroup Windows Administrators group cannot have "Domain Admins", while the latter is pushed from the DC into the Administrators group of a domain-joined Windows client (by the default GPO), etc.

So, this is generally not viable.

My question is also pending: what is changed in the local Administrators group by joining a machine to a domain?

-1

It is possible.

To do it, install once, join domain, and clone installation.

joshudson
  • -1 As soon as one "machine" changes its account's password, the other "machine" will have the wrong password. – Chris S Dec 08 '10 at 16:29
  • FYI, I have learned since I wrote this that Chris S is right, but the change password behavior can be disabled. – joshudson Dec 09 '10 at 22:03
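
The thread turns on whether automatic machine account password changes are enabled on an installation. The following audit is an added example, not code from the thread or from Microsoft: it reads the Netlogon `DisablePasswordChange` and `MaximumPasswordAge` registry values and reports whether rotation is on. The function name `Get-MachinePasswordRotationState` is hypothetical, and the 30-day fallback assumes Windows 2000 or later.

```powershell
# Added example: report whether this Windows installation rotates its
# domain machine account password. A disabled rotation leaves a static
# secret on disk, so it is worth flagging in a host audit.
function Get-MachinePasswordRotationState {
    [CmdletBinding()]
    param(
        # Netlogon parameters key; overridable so a test hive can be used.
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    )

    # A workgroup installation has no domain membership to report on.
    $partOfDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

    # Missing values mean the defaults apply: rotation on, 30-day maximum
    # age (assumed default for Windows 2000 and later).
    $disabled   = $false
    $maxAgeDays = 30
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($props) {
        $p = $props.PSObject.Properties
        if ($p['DisablePasswordChange']) {
            $disabled = ([int]$p['DisablePasswordChange'].Value -ne 0)
        }
        if ($p['MaximumPasswordAge']) {
            $maxAgeDays = [int]$p['MaximumPasswordAge'].Value
        }
    }

    $finding = if (-not $partOfDomain) {
        'Not joined to a domain'
    } elseif ($disabled) {
        'Rotation disabled: the machine account password stays static'
    } else {
        "Rotation enabled: a second installation sharing this account loses sync within about $maxAgeDays days"
    }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        PartOfDomain           = $partOfDomain
        DisablePasswordChange  = $disabled
        MaximumPasswordAgeDays = $maxAgeDays
        Finding                = $finding
    }
}

Get-MachinePasswordRotationState | Format-List
```

Run it in each installation of a dual-boot machine: the values live in each installation's own registry hive, so one side can have rotation disabled while the other does not.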