Monday, January 12, 2015

RDS 2012 Pooled VDI Machine Account Password Change

Coming into work late last week, I was greeted by a nice surprise: about a dozen pooled VDI had fallen out of the domain, and users were receiving trust relationship errors when trying to log in. How about spending half your morning removing VDI from the domain and rejoining them?

Every computer account in Active Directory has a password, just as user accounts do. Typically these machine account passwords are handled automatically in the background by the domain and the client operating system. However, in the case of pooled VDI, which are clones built from a master template, the RD connection brokers handle updating the machine account password for the pooled VDI.

By default, the RD connection broker will update the pooled VDI's machine account password every 31 days. This value is not customizable when creating VDI pools through Server Manager, but you can change it with PowerShell. To create a new pooled VDI collection, you use the New-RDVirtualDesktopCollection cmdlet with the VirtualDesktopPasswordAge parameter. See below for an example:
New-RDVirtualDesktopCollection -CollectionName "VDIPool" -PooledManaged -VirtualDesktopTemplateName "VDITemplate" -VirtualDesktopTemplateHostServer "" -VirtualDesktopAllocation @{""=1} -StorageType LocalStorage -UserGroups "contoso\domain users" -ConnectionBroker "" -VirtualDesktopNamePrefix "PVM" -VirtualDesktopPasswordAge 31
It's worth mentioning that 31 days is the default value for the VirtualDesktopPasswordAge parameter, and it's also the minimum value you can set. If you try to set a value lower than 31, PowerShell throws a validation error.

Validation error on New-RDVirtualDesktopCollection cmdlet

This was a problem for us because our IT Security team had set up Group Policy to set the maximum machine account password age to 30 days. So our VDI were hitting this limit, and the trust relationship between the VDI and the domain was breaking a mere day before the RD connection brokers would have updated the password. I discovered the 31-day minimum when I tried creating a test pool with a lower password age, such as 7 days.

Maximum machine account password age GPO setting

I hope this helps others to be careful when changing the default maximum machine account password age in their domain. It can easily cause problems if you set the value too low, especially with RDS pooled VDI, where the collection's password age cannot be lowered below 31 days.
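An added example, not code from the original post: a PowerShell audit that compares the domain's maximum machine account password age against the collection's VirtualDesktopPasswordAge and lists pooled VDI computer accounts that are about to hit the domain limit. It assumes the RSAT ActiveDirectory module on the management host; the PVM prefix, 31-day collection age and 30-day domain maximum are the values from the post.

```powershell
# Added example, not code from the original post: audit pooled VDI computer
# accounts so that a domain maximum machine account password age lower than the
# collection's rotation interval is caught before trust relationships break.
# Assumes the RSAT ActiveDirectory module; prefix and ages are assumed defaults.
param(
    [string]$Prefix        = 'PVM',  # VirtualDesktopNamePrefix of the collection
    [int]   $CollectionAge = 31,     # VirtualDesktopPasswordAge (31 is the cmdlet's minimum)
    [int]   $DomainMaxAge  = 30,     # GPO "Domain member: Maximum machine account password age"
    [int]   $WarnDays      = 3       # flag accounts this close to the domain maximum
)
Import-Module ActiveDirectory

# The GPO value lands in HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\
# MaximumPasswordAge on each VM and overrides whatever the collection configured,
# so a domain maximum below the collection age is the misconfiguration from the post.
if ($DomainMaxAge -lt $CollectionAge) {
    $msg = 'Domain maximum ({0} days) is lower than the collection password age ({1} days); ' +
           'pooled VDI will fall out of the domain before their password is rotated.'
    Write-Warning ($msg -f $DomainMaxAge, $CollectionAge)
}

# Age every pooled VDI computer account from its PasswordLastSet attribute.
$now    = Get-Date
$report = foreach ($vm in Get-ADComputer -Filter "Name -like '$Prefix*'" -Properties PasswordLastSet) {
    if (-not $vm.PasswordLastSet) { continue }   # never set; nothing to age
    $ageDays = [int][math]::Floor(($now - $vm.PasswordLastSet).TotalDays)
    if     ($ageDays -ge $DomainMaxAge)             { $status = 'EXPIRED' }
    elseif ($ageDays -ge $DomainMaxAge - $WarnDays) { $status = 'AT RISK' }
    else                                            { $status = 'OK' }
    [pscustomobject]@{
        Name            = $vm.Name
        PasswordLastSet = $vm.PasswordLastSet
        PasswordAgeDays = $ageDays
        Status          = $status
    }
}
$report | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize

# EXPIRED rows are the "trust relationship" failures from the post. Rather than
# removing and rejoining, run Reset-ComputerMachinePassword on the affected VM,
# or raise the GPO maximum above the collection age so it never happens.
```

Run it from a management host before the GPO change goes live; AT RISK rows show which VMs would break within the warning window.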

1 comment:

  1. Hi Tom, regarding "RD connection brokers handle updating the machine account password for pooled VDI", this is not correct. The Netlogon service on the VM handles the machine password change. When the collection is created, VMHostAgent sets the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge during the VM's startup. The value will be:

    120, if the collection is created through Server Manager.
    Any other custom value specified with the -VirtualDesktopPasswordAge parameter when you either create or update the collection through PowerShell.