Computer account password resets


Joe Murphy

I understand now that computer accounts in AD reset their passwords by
default every seven days and that I can make a determination that accounts
whose password reset is in excess of "x" number of days are stale so I can
delete them.

What is the mechanism that computer accounts use for resetting these
passwords?

Also, I have a number of remote systems in my organization that do not
validate against AD on a regular basis. They connect via a third-party VPN
solution (or sometimes RRAS). What about these systems? Are their computer
account passwords getting changed?

I'd hate to disable a remote user's computer account mistakenly and create
headaches for my help desk.

Thanks,
JM
 

ptwilliams

I believe when a client comes online and its password has expired the
authenticating DC logs a netlogon error saying that the computer account
compname$ couldn't log on or validate its password, and then resets the
secure channel password. You'll see these errors periodically when your
remote users don't come into the office often. I don't think there's
anything to worry about.

I'm not sure of the exact mechanism used, but believe that the clients talk
to a DC using a secure channel (hence the need for a password) and that the
clients initiate the password change. Like most Windows protocols, the
clients do the leg work. I assume it works in a similar fashion to that of
the client DNS resolver and the DDNS server.


Paul.
__________________________
 

Joe Murphy

Thanks PT.

So all of the computer accounts that I have in AD whose passwords have not
changed in several days/weeks/months could be safely disabled, you think?

No liability on your part. :)
 

Guest

Well, I wouldn't disable these, no. Perhaps, if a machine hasn't reset its password in over a month, it might be safe to assume that machine's account no longer exists, but I wouldn't do this if a machine didn't reset after a couple of days.

Is your reason to clean up the directory, or are you looking at this from another angle?



Paul.
_______________________________
 

Joe Murphy

Just cleaning up the directory.

Take a look at this account I found using oldcmp.exe:

cn eude3www7oj
sAMAccountName eude3www7oj$
NSHostName eude3www7oj.mycorp.com
pwdLastSet 2001/11/06-13:47:10
pwage 947
whenCreated 20011106174547.0Z
accountExpires 0000/00/00-00:00:00
userAccountControl (4098) MBR DISABLED

Could this computer theoretically still be out there "in the wild", so to
speak, even though the pwage is 947 days? This machine has certainly
connected to the domain during that period.


ptwilliams said:
Well, I wouldn't disable these, no. Perhaps, if a machine hasn't reset
its password in over a month, it might be safe to assume that machine's
account no longer exists, but I wouldn't do this if a machine didn't reset
after a couple of days.
 

ptwilliams

Is it possible that this machine was reimaged but given the same name?

Looking at what you're showing me, and based on info I've read pertaining
to replicated and non-replicated attributes, it would seem that this account
no longer exists and can probably be safely deleted...

What's this oldcmp.exe anyhow??


Paul.
__________________________
 

Cary Shultz [A.D. MVP]

Paul,

You really should go to Joe's site ( http://www.joeware.net ) and take a
look at all of the free WIN32 tools that he has. oldcmp is a tool that
looks at the computer password age ( you know...all that netlogon stuff! )
and can tell you the last time that the computer changed its 'secret
password'. It is set to default to 90 days but you can specify a different
time frame ( like 45 days or 60 days, for example ). It gives you a lot of
information...It is a really great tool!

Cary
 

ptwilliams

Thanks Cary, I'll do that!

And I've also just gleaned a little info from you! 90 days for the Secure
Channel password, eh? Interesting, recently I'd had 7 days stuck in my head
and I didn't know where that number came from - it didn't seem long enough!!
 

Cary Shultz [A.D. MVP]

Paul,

Actually in the 'olden' days of WINNT 4.0 the computer accounts changed
their 'secret password' every seven days. This is probably where you have
the seven days in your head. In WIN2000 this has been changed to every 30
days.

Joe set it up to default to 90 days just to be on the super safe side. He
has built a lot of added security into this tool. For example, you have to
first disable the computer account objects before you can delete them. Not
technically necessary but a really smart way to keep someone from
accidentally deleting all of the computer account objects. See, with this
you need to first disable them and then delete them. That would be a
two-step, very specific process. Thus, it cannot 'accidentally' happen.
And when you really want to disable something or delete something you have
to add the /forreal switch ( as well as another one ) at the end of the
command line. So, you cannot really 'accidentally' do anything at all with
this tool. Joe explains it quite well.

I install this in every environment that I manage. It really saves a lot of
time and keeps things nice and clean.

Cary
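The stale-account check and the disable-before-delete workflow that Cary describes, as an added PowerShell example (not oldcmp's code and not part of the original thread). It assumes the RSAT ActiveDirectory module and an account allowed to read and disable computer objects; the 90-day threshold, the PwAgeDays column and the $Disable switch are choices made here. Deletion is left out on purpose, since a disabled account can be re-enabled when a VPN-only machine turns up again.

```powershell
# Report (and optionally disable) computer accounts whose secure-channel
# password has not rotated in $StaleDays. Default run is report-only.
param(
    [int]$StaleDays = 90,   # oldcmp's default per the thread; Win2000+ rotates every 30 days
    [switch]$Disable        # step one of the two-step process; never deletes
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$StaleDays)

# PasswordLastSet is the AD module's DateTime view of pwdLastSet.
# Enabled -eq $true skips accounts already disabled (userAccountControl 4098
# in Joe's oldcmp output above).
$stale = Get-ADComputer -Filter { PasswordLastSet -lt $cutoff -and Enabled -eq $true } `
            -Properties PasswordLastSet, LastLogonTimestamp, OperatingSystem, whenCreated |
    Select-Object Name, DNSHostName, DistinguishedName, PasswordLastSet, OperatingSystem, whenCreated,
        @{ n = 'PwAgeDays';   e = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } },
        # lastLogonTimestamp is replicated (unlike lastLogon), so it is a usable
        # second opinion from any DC, at the cost of roughly two weeks of precision.
        @{ n = 'LastLogonTS'; e = { if ($_.LastLogonTimestamp) {
                                       [DateTime]::FromFileTime($_.LastLogonTimestamp) } } }

$stale | Sort-Object PwAgeDays -Descending |
    Format-Table Name, PwAgeDays, PasswordLastSet, LastLogonTS, OperatingSystem -AutoSize

if ($Disable) {
    foreach ($c in $stale) {
        # Disable only, and record why, so the help desk can reverse it quickly
        # if a remote user's machine was merely away from the domain.
        Disable-ADAccount -Identity $c.DistinguishedName
        Set-ADComputer -Identity $c.DistinguishedName `
            -Description "Disabled $(Get-Date -Format yyyy-MM-dd): password age $($c.PwAgeDays) days"
    }
}
```

Running it as `.\Find-StaleComputers.ps1 -StaleDays 60` lists candidates only; `-Disable` performs the reversible first step, and deletion stays a separate, deliberate action.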
 

ptwilliams

Interesting...thanks very much ;-)

I'll definitely look into the tools on Joe's site.
 