Details on "Maximum machine account password age" are needed

Hi All,

I think a lot of people may benefit from the answers to the following
specific questions:

1. If we have the "Maximum machine account password age" setting enabled, is the
password change initiated on the client or on the Domain Controller side?
2. For the pre-created computer accounts: can we fine-tune the "Maximum
machine account password age" setting and, let's say, create an OU with the
pre-created computer accounts and significantly increase the value of the
"Maximum machine account password age" setting only for that OU, while the
Domain Controllers have the "Maximum machine account password age" setting
set to "30 days"? Will everybody communicate just fine?
Reference:
"Some organizations prebuild computers and then store them for later use or
ship them to remote locations. If the computer’s account has expired, it will
no longer be able to authenticate with the domain. Computers that cannot
authenticate with the domain must be removed from the domain and rejoined to
it. For this reason, some organizations might want to create a special OU for
computers that are prebuilt and configure the value for this policy setting
to a larger number of days."
http://technet2.microsoft.com/WindowsServer/en/Library/6d1cf160-25c8-4b0f-90b5-428bf5c24eae1033.mspx
3. What should we anticipate if we don't implement any custom "Maximum
machine account password age" settings and the pre-created computer account
has existed for 200+ days before the physical computer is joined to
the domain?
Environment: W2K3/XPSP2

Thank you,
Alex
 
Hi,

My understanding is that the password change request is initiated by the
client. The Domain Controller never initiates a password change. The default
for computers joined to an AD domain is every 30 days. If the machine is
disconnected from the domain, nothing happens to the computer account in AD.
The computer just requests a password change the next time it authenticates
to the domain.

Password/security settings generally apply to the domain only. The
documentation for this setting seems to indicate you can set a different
policy in different GPO's. I haven't tried. Hopefully, someone else knows if
this can be done.
 
1. If we have the "Maximum machine account password age" setting enabled, is the
password change initiated on the client or on the Domain Controller side?

Always on the client.

2. For the pre-created computer accounts: can we fine-tune the "Maximum
machine account password age" setting and, let's say, create an OU with the
pre-created computer accounts and significantly increase the value of the
"Maximum machine account password age" setting only for that OU, while the
Domain Controllers have the "Maximum machine account password age" setting
set to "30 days"? Will everybody communicate just fine?

Yes, but why? You must do this via GPO. The computer accounts must reside
in the OUs for this to apply.

3. What should we anticipate if we don't implement any custom "Maximum
machine account password age" settings and the pre-created computer
account has existed for 200+ days before the physical computer is
joined to the domain?

Nothing. As far as I'm aware, when created, the password is set to <name>$.
The client will use this to start with too. The password will then be
changed and managed by the client as normal.
 
Computer accounts don't expire like user accounts. The client works out that the
password is older than it should be and initiates the change. If the password of
a computer is 1000 days old the computer can still authenticate assuming no one
screwed with the AD account.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
I take the passage you quoted ("Some organizations prebuild . . . ")
from the referenced doc to which you provided the link
to be in error and gibberish due to misunderstanding how things work.

Notice these two policies are now prefixed as Domain member policies:
Domain member: Disable machine account password changes
Domain member: Maximum machine account password age

These govern whether, and if so how frequently, computers
with that setting will attempt to change the passwords on
their domain (join) account. If they cannot do this on time they will
try later; if they try and are refused by the domain controller (due to
the policy "Domain controller: Refuse machine account password changes")
they will not change the password and continue using the prior one.

Notice that this is all initiated by the machine whose password it is,
and the Domain member policies are settings for the timings of change
attempts, not password aging requirements enforced by the DCs.
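A defender-side check that follows from the replies above (an added example, not code from any poster in this thread): read the local Netlogon registry values behind the "Domain member" / "Domain controller" options, then list enabled computer accounts whose password age exceeds the configured maximum, since the thread notes such accounts keep authenticating and only rotate when the client next shows up. It assumes PowerShell with the RSAT ActiveDirectory module; the function and parameter names are the author's, and any OU path passed in is hypothetical.

```powershell
# Added example, not from the original thread. Registry value names below are
# the storage locations of the security options discussed above.

function Get-MachinePasswordPolicy {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $p = Get-ItemProperty -Path $key
    # "Domain member: Maximum machine account password age" (default 30 days)
    $maxAge = 30
    if ($null -ne $p.MaximumPasswordAge) { $maxAge = [int]$p.MaximumPasswordAge }
    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        MaximumPasswordAgeDays = $maxAge
        # "Domain member: Disable machine account password changes": client never rotates
        DisablePasswordChange  = [bool]$p.DisablePasswordChange
        # "Domain controller: Refuse machine account password changes": DC rejects rotations
        RefusePasswordChange   = [bool]$p.RefusePasswordChange
    }
}

function Get-StaleComputerAccounts {
    param(
        [int]$MaxAgeDays = 30,   # match the domain's "Maximum machine account password age"
        [int]$GraceDays  = 7,    # offline machines rotate only when they next authenticate
        [string]$SearchBase      # optional OU (hypothetical), e.g. a prebuilt-computers OU
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $cutoff = (Get-Date).AddDays(-($MaxAgeDays + $GraceDays))
    $params = @{ Filter = '*'; Properties = 'PasswordLastSet','LastLogonDate','Enabled' }
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    Get-ADComputer @params |
        # A null PasswordLastSet compares as older than $cutoff and is reported too
        Where-Object { $_.Enabled -and $_.PasswordLastSet -lt $cutoff } |
        Select-Object Name,
                      @{ n = 'PasswordAgeDays'; e = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } },
                      LastLogonDate,
                      DistinguishedName |
        Sort-Object PasswordAgeDays -Descending
}

Get-MachinePasswordPolicy | Format-List
Get-StaleComputerAccounts -MaxAgeDays 30 | Format-Table -AutoSize
```

Accounts that appear here with a recent LastLogonDate but an old password are the ones worth a look, because a machine that is authenticating yet not rotating points at DisablePasswordChange on the client or RefusePasswordChange on the DCs.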
 