
Machine Account Password Age Best Practices

Anonymous
January 18, 2005 3:31:04 PM

Archived from groups: microsoft.public.win2000.active_directory

So I am sure that the answer is in here somewhere but I have been looking and
either don't know what I am looking for or it simply does not exist.

Questions: How does AD handle Machine Account Passwords? For example, how
often does a machine check in and reset its password? Does AD auto disable
stale accounts? If so, how long does that take?
Also, I have users over VPN. Their machines may not connect directly to our
network for quite some time. Does the machine ever reset its password this
way?

Basically, what does M$ say is the best practice for disabling and
eventually deleting stale machine accounts? I need documentation which states
this. We want to implement a procedure to automate the cleanup but do not
want to make assumptions.

Thanks!
Anonymous
January 18, 2005 9:14:27 PM


Take a look at Joe's web site. He has a fantastic tool called oldcmp that
will do what you want. His website is http://www.joeware.net. Hey, I hope
that I spelled everything correctly. I usually misspell either oldcmp or
joeware for some reason....

In WINNT 4.0 the computer account would reset ( although that is not the
correct term... ) the secret password every seven days. That was the old
way. In WIN2000 the computer accounts establish a secure channel with a
Domain Controller ( via the NETLOGON ) and change their password every 60
days. So, using Joe's tool you could check your environment for old
computer account objects that are 90 days old ( the default - meaning that
they have not changed their password ). I usually check for 65 days!

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Adam Gross" <Adam Gross@discussions.microsoft.com> wrote in message
news:7860DAD7-DA6A-4606-B8AF-428B559328BE@microsoft.com...
Anonymous
January 20, 2005 2:54:27 AM


Good job. All spelling is correct. :o )

There is one thing that is off though... Windows 2000 and better machines by
default change the machine account password every 30 days.

Keep in mind computers don't have to change the password. The domain doesn't
force them. This can come into play with VPN clients or machines that have had
the registry modified to change how often they change passwords, and also NAS
devices and Samba machines. Always get a report and verify what you are going to
disable prior to disabling them.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


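Added example (not from the original thread, and not joeware's oldcmp): a PowerShell script that produces the report Joe recommends before anything is disabled. It checks pwdLastSet together with lastLogonTimestamp, so a machine that legitimately never rotates its password (VPN client, Netlogon registry change, NAS, Samba) is not flagged on password age alone, and it only disables accounts when told to. It assumes the ActiveDirectory module (RSAT) and rights on the computer objects; the 90-day default, the report path C:\Temp\StaleComputers.csv and the parameter names are the example's own.

```powershell
<#
  Find-StaleComputers.ps1  (added example, not from the thread or from oldcmp)

  Usage (assumed file name):
    .\Find-StaleComputers.ps1 -Days 90                 # report only
    .\Find-StaleComputers.ps1 -Days 90 -Disable -WhatIf # show what would be disabled
    .\Find-StaleComputers.ps1 -Days 90 -Disable         # disable after the report was reviewed
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$Days = 90,                                     # assumption: 90 days, as in Cary's default
    [string]$ReportPath = 'C:\Temp\StaleComputers.csv',  # assumption: report location
    [switch]$Disable
)

Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$Days)

# pwdLastSet is replicated to every DC, so any DC answers correctly.
# LastLogonDate is built from lastLogonTimestamp, which is only replicated when it
# is more than 9-14 days old (default), so keep $Days well above that window.
$stale = Get-ADComputer -Filter { PasswordLastSet -lt $cutoff -and Enabled -eq $true } `
            -Properties PasswordLastSet, LastLogonDate, OperatingSystem, Description, whenCreated |
    Where-Object {
        # Joe's caveat: an old password alone does not mean the machine is gone.
        # Require the last logon to be stale (or absent) as well.
        $null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff
    } |
    Select-Object Name, DNSHostName, OperatingSystem, PasswordLastSet, LastLogonDate,
                  whenCreated, Description, DistinguishedName

# A pre-staged account that was never joined also lands here (pwdLastSet of 0);
# whenCreated tells the reviewer how old the object itself is.
$stale | Sort-Object PasswordLastSet | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ('{0} enabled computer accounts have neither changed their password nor logged on in {1} days. Report: {2}' -f @($stale).Count, $Days, $ReportPath)

if ($Disable) {
    foreach ($c in $stale) {
        if ($PSCmdlet.ShouldProcess($c.DistinguishedName, 'Disable stale computer account')) {
            # Disable rather than delete, and record why in the description so the
            # change is auditable and can be reversed if a VPN laptop reappears.
            $note = 'Disabled {0:yyyy-MM-dd}: no password change since {1:yyyy-MM-dd}, no logon since {2:yyyy-MM-dd}. Was: {3}' -f `
                    (Get-Date), $c.PasswordLastSet, $c.LastLogonDate, $c.Description
            Set-ADComputer -Identity $c.DistinguishedName -Enabled $false -Description $note
        }
    }
}
```

Run it without -Disable first and read the CSV; machines listed with a recent whenCreated, a NAS or Samba operating system string, or a LastLogonDate that is recent while PasswordLastSet is old are exactly the cases Joe warns about. The "registry modified" case he mentions corresponds to the Netlogon parameters MaximumPasswordAge and DisablePasswordChange under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, which Group Policy exposes as the Security Options "Domain member: Maximum machine account password age" (default 30 days) and "Domain member: Disable machine account password changes".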
Anonymous
January 20, 2005 4:00:59 AM


You are correct! Cannot believe that I wrote 60 days....how many times
have I written 30 days? And I usually change your default to 45 days, not
65 days! Man, what was going on? Must have been thinking about dinner!

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



Anonymous
January 20, 2005 11:44:05 AM


How many dinners? 6?

;-)

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net


Anonymous
January 20, 2005 11:44:06 AM


No, only four!

You know, dinner! Then second dinner. Then there is a break. Then we have
a snack. Then we have second snack!

That about does it.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com


