Machine Account Password Process

I don't understand your question, but let me be clear here:

• The password change process will attempt to be initiated by the scavenger process - but it will not be completed (nor will the PC’s local registry be updated with a new password), because the PC cannot see/find a DC.
• When those PCs come back to the office in xxx days (or get VPN connectivity or whatever), the scavenge thread of the local Netlogon process on the PC will wake up and attempt the domain password change process again (it’s been trying it while offline but failing to complete because it couldn’t reach a DC).
  • However, this time, since the PC will be able to find a DC, it will complete the local password change, the DC will update the pwd of the computer object in its copy of AD, then repl that out to other DCs, and all will be well.
  • This assumes:
    • The device is unable to communicate AT ALL with a DC while offline.
    • The device isn’t partially blocked/filtered in communicating to a DC once it gains corp-net connectivity (i.e. some ports are blocked via a firewall)
    • There aren’t any scripts running on-prem that delete/disable computer accts
    • AD replication is working

This is a very old article that I didn't write, so we are working to have an updated, clarified article published as soon as possible by the current owners of the AskDS blog.