I had a workstation afflicted with the issue described here:
Basically, in older versions of Windows on first login if an RWDC (Read/Write Domain Controller) is not able to be contacted then a local backup of the master key is made. Whereas in newer versions of Windows, apparently it will just fail to backup the master key (or something) and encryption will then not work.
We fixed it by performing the registry edit listed in the article, which is found in various places on the web as a fix to many of the symptoms of this problem.
What I wonder:
Why did this workstation have this problem? Its DC is both writable and available, but it would not correct the issue even after reboot/relogging-in.
What is the consequence of the registry edit? MS provides this ominous sounding warning:
Warning
Don't use this registry key if domain users log on to more than one computer! Because the keys are backed up locally, any non-local password change may trigger a situation in which all DPAPI master keys are wrapped using the old password, and then domain recovery is not possible. This registry key should be set only in an environment in which data loss is acceptable.
But it sounds like this used to be the default behaviour anyway?
What could I have done/do to correct this problem without the registry edit? The article says to put the PC in a location where there is an available RWDC, but it already should have been. I'm not sure if the DC was available on the very first Windows login as someone else installed Windows. But it would seem unlikely that an RWDC being unavailable one time would result in this issue being permanent. Maybe I should have rejoined the domain?
I guess another question would be: can I revert the registry edit or is the local master key backup permanent?
0 Answers