Machine Account Password Changes - What Triggers Them? How to Vali

[Matt]

Can you explain to me a few things about machine account password changes.
This is a single forest AD Windows Server 2003 forest, running forest
functional level.

The default settings for machine related password changes apply.

- Domain member: Maximum machine account password: 30 days
- Domain member: Disable machine account password changes: Disable

Do you know what triggers a machine account password to change? Would it be
a Group Policy Update (60 minute background refresh)? Or would it be a
machine restart? I need something definite and I am not able to find it
documented.

When a machine account password does change, how do you validate that a
machine account password change occurred? Event ID on DC? Machine Account
Object Gets Modified in AD?

The reason I ask is because we want to run a machine account cleanup script
http://www.rlmueller.net/MoveOldComputers.htm which checks the PwdLastSet
atribute. However, we want to know what triggers the machine account password
to be reset because there are alot of machines that may not have users logged
on for a long period of time. We therefore want to ensure that we dont cause
a big management nightmare by setting the password change time interval on
the script too low.

Thanks for your input.

 

[USN9AWM]

Can you explain to me a few things about machine account password changes..
This is a single forest AD Windows Server 2003 forest, running forest
functional level.

The default settings for machine related password changes apply.

- Domain member: Maximum machine account password: 30 days
- Domain member: Disable machine account password changes: Disable

Do you know what triggers a machine account password to change? Would it be
a Group Policy Update (60 minute background refresh)? Or would it be a
machine restart? I need something definite and I am not able to find it
documented.

When a machine account password does change, how do you validate that a
machine account password change occurred?  Event ID on DC? Machine Account
Object Gets Modified in AD?

The reason I ask is because we want to run a machine account cleanup scripthttp://www.rlmueller.net/MoveOldComputers.htmwhich checks the PwdLastSet
atribute. However, we want to know what triggers the machine account password
to be reset because there are alot of machines that may not have users logged
on for a long period of time. We therefore want to ensure that we dont cause
a big management nightmare by setting the password change time interval on
the script too low.

Thanks for your input.

I believe that it is done via the GPO refresh policy.
If you are using the default of 30 days, set your script to 60.