Machine Account Password Age Best Practices

Guest

So I am sure that the answer is in here somewhere but I have been looking and
either don't know what I am looking for or it simply does not exist.

Questions: How does AD handle Machine Account Passwords? For example, how
often does a machine check in and reset its password? Does AD auto disable
stale accounts? If so, how long does that take?
Also, I have users over VPN. Their machines may not connect directly to our
network for quite some time. Does the machine ever reset its password this
way?

Basically, what does M$ say is the best practice for disabling and
eventually deleting stale machine accounts? I need documentation which states
this. We want to implement a procedure to automate the cleanup but do not
want to make assumptions.

Thanks!
 
Cary Shultz [A.D. MVP]

Take a look at Joe's web site. He has a fantastic tool called oldcmp that
will do what you want. His website is http://www.joeware.net. Hey, I hope
that I spelled everything correctly. I usually misspell either oldcmp or
joeware for some reason....

In WINNT 4.0 the computer account would reset ( although that is not the
correct term... ) the secret password every seven days. That was the old
way. In WIN2000 the computer accounts establish a secure channel with a
Domain Controller ( via the NETLOGON ) and change their password every 60
days. So, using Joe's tool you could check your environment for old
computer account objects that are 90 days old ( the default - meaning that
they have not changed their password ). I usually check for 65 days!

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
Joe Richards [MVP]

Good job. All spelling is correct. :-)

There is one thing that is off though... Windows 2000 and better machines by
default change the machine account password every 30 days.

Keep in mind computers don't have to change the password. The domain doesn't
force them. This can come into play with VPN clients or machines that have had
the registry modified to change how often they change passwords and also NAS
devices and SAMBA machines. Always get a report and verify what you are going to
disable prior to disabling them.

joe
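The procedure the two replies describe (report computer accounts whose machine password is older than a threshold, review the report, and only then disable them) can be scripted without oldcmp. The following PowerShell is an added example written for this thread, not Joe's tool or anything posted above; it assumes the RSAT ActiveDirectory module, an `OU=Stale Computers` staging OU whose path is a placeholder, and Cary's 90/65-day thresholds as defaults. It filters on `pwdLastSet` (the attribute behind "has not changed its password") rather than on logon data, and it flags the cases Joe warns about (non-Windows members such as NAS and Samba hosts, and accounts that never set a password) for manual review instead of disabling them.

```powershell
# Added example, not from the thread: report computer accounts whose machine
# password has not changed in $MaxPasswordAgeDays, then optionally disable them
# in a separate, reviewed step. Requires the RSAT ActiveDirectory module.
# $StagingOU is a placeholder path; adjust it to your environment.

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$MaxPasswordAgeDays = 90,   # Cary's default; he checks at 65
    [string]$SearchBase      = (Get-ADDomain).DistinguishedName,
    [string]$StagingOU       = 'OU=Stale Computers,DC=example,DC=com',   # placeholder
    [string]$ReportPath      = ".\stale-computers-$(Get-Date -Format yyyyMMdd).csv",
    [switch]$Disable
)

Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)

# pwdLastSet and lastLogonTimestamp are stored as Windows FILETIME values
# (100-ns ticks since 1601), so compare against a FILETIME, not a DateTime.
$cutoffFileTime = $cutoff.ToFileTimeUtc()

$stale = Get-ADComputer -SearchBase $SearchBase `
    -Filter { (pwdLastSet -lt $cutoffFileTime) -and (Enabled -eq $true) } `
    -Properties pwdLastSet, lastLogonTimestamp, operatingSystem, whenCreated |
  ForEach-Object {
    [pscustomobject]@{
        Name              = $_.Name
        DistinguishedName = $_.DistinguishedName
        OperatingSystem   = $_.operatingSystem
        PasswordLastSet   = [DateTime]::FromFileTimeUtc($_.pwdLastSet)
        LastLogon         = if ($_.lastLogonTimestamp) {
                                [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp)
                            } else { $null }
        Created           = $_.whenCreated
        # Non-Windows members (NAS, Samba) and accounts that never set a
        # password (pwdLastSet = 0) are the cases Joe warns about: flag them
        # for manual review rather than disabling them automatically.
        NeedsReview       = ($_.operatingSystem -notlike 'Windows*') -or ($_.pwdLastSet -eq 0)
    }
  }

$stale | Sort-Object PasswordLastSet | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} enabled computer accounts have not changed their password since {1:yyyy-MM-dd}; report written to {2}" `
    -f @($stale).Count, $cutoff, $ReportPath)

if ($Disable) {
    foreach ($c in ($stale | Where-Object { -not $_.NeedsReview })) {
        if ($PSCmdlet.ShouldProcess($c.Name, "Disable and move to $StagingOU")) {
            # Stamp the object so a later delete pass can tell when it was disabled.
            Set-ADComputer -Identity $c.DistinguishedName -Enabled $false `
                -Description ("Disabled as stale on {0:yyyy-MM-dd}; pwdLastSet {1:yyyy-MM-dd}" `
                    -f (Get-Date), $c.PasswordLastSet)
            Move-ADObject -Identity $c.DistinguishedName -TargetPath $StagingOU
        }
    }
}
```

Run it without `-Disable` to get only the CSV report (`.\Find-StaleComputers.ps1 -MaxPasswordAgeDays 65`), review the report, then rerun with `-Disable -WhatIf` to preview the changes before running `-Disable` for real. Deletion is deliberately left to a separate pass over the staging OU, driven by the date stamped into `description`, so that a VPN laptop that reappears during the holding period can simply be re-enabled.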
 
