Machine Account Password Age Best Practices

Archived from groups: microsoft.public.win2000.active_directory

So I am sure that the answer is in here somewhere but I have been looking and
either don't know what I am looking for or it simply does not exist.

Questions: How does AD handle Machine Account Passwords? For example, how
often does a machine check in and reset its password? Does AD auto disable
stale accounts? If so, how long does that take?
Also, I have users over VPN. Their machines may not connect directly to our
network for quite some time. Does the machine ever reset its password this
way?

Basically, what does M$ say is the best practice for disabling and
eventually deleting stale machine accounts? I need documentation which states
this. We want to implement a procedure to automate the cleanup but do not
want to make assumptions.

Thanks!
  1.

    Take a look at Joe's web site. He has a fantastic tool called oldcmp that
    will do what you want. His website is http://www.joeware.net. Hey, I hope
    that I spelled everything correctly. I usually misspell either oldcmp or
    joeware for some reason....

    In WINNT 4.0 the computer account would reset ( although that is not the
    correct term... ) the secret password every seven days. That was the old
    way. In WIN2000 the computer accounts establish a secure channel with a
    Domain Controller ( via the NETLOGON ) and change their password every 60
    days. So, using Joe's tool you could check your environment for old
    computer account objects that are 90 days old ( the default - meaning that
    they have not changed their password ). I usually check for 65 days!

    --
    Cary W. Shultz
    Roanoke, VA 24014
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com


    "Adam Gross" <Adam Gross@discussions.microsoft.com> wrote in message
    news:7860DAD7-DA6A-4606-B8AF-428B559328BE@microsoft.com...
  2.

    Good job. All spelling is correct. :o)

    There is one thing that is off though... Windows 2000 and better machines by
    default change the machine account password every 30 days.

    Keep in mind computers don't have to change the password. The domain doesn't
    force them. This can come into play with VPN clients or machines that have had
    the registry modified to change how often they change passwords and also NAS
    devices and SAMBA machines. Always get a report and verify what you are going to
    disable prior to disabling them.

    joe

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    www.joeware.net


    Cary Shultz [A.D. MVP] wrote:
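Joe's caveats above (the 30-day default, the domain never forcing a change, VPN laptops and Samba/NAS members that legitimately skip changes, and "get a report and verify before disabling") expressed as an added PowerShell example. This is not code from the thread or from joeware's oldcmp; it assumes the RSAT ActiveDirectory module, read access to computer objects, and the 45-day threshold Cary mentions as a variable you adjust. It only reports; nothing is disabled.

```powershell
# Added example: report computer accounts whose password has not changed in
# $PasswordAgeDays, cross-checked against lastLogonTimestamp, without disabling
# anything. Assumes the RSAT ActiveDirectory module (assumption, not from the thread).
Import-Module ActiveDirectory

# Windows 2000+ members change their machine password every 30 days by default;
# 45 days is the review threshold Cary uses. Pick what suits your environment.
$PasswordAgeDays = 45
$Cutoff = (Get-Date).AddDays(-$PasswordAgeDays)

# PasswordLastSet is derived from pwdLastSet; the AD module translates the
# scriptblock filter into LDAP for us. Only enabled accounts are of interest.
$candidates = Get-ADComputer -Filter { PasswordLastSet -lt $Cutoff -and Enabled -eq $true } `
    -Properties PasswordLastSet, LastLogonDate, OperatingSystem, whenCreated

$report = foreach ($c in $candidates) {
    # LastLogonDate comes from the replicated lastLogonTimestamp, which is only
    # refreshed roughly every 14 days, so treat it as a coarse second signal.
    $recentLogon = ($null -ne $c.LastLogonDate) -and ($c.LastLogonDate -gt $Cutoff)

    # Non-Windows members (Samba, NAS appliances) may never rotate the secret,
    # and a VPN-only laptop may be healthy yet overdue. Flag these for a human.
    $nonWindows = $c.OperatingSystem -notlike 'Windows*'

    [pscustomobject]@{
        Name            = $c.Name
        OperatingSystem = $c.OperatingSystem
        Created         = $c.whenCreated
        PasswordLastSet = $c.PasswordLastSet      # $null means never joined (prestaged)
        LastLogonDate   = $c.LastLogonDate
        NeedsReview     = $recentLogon -or $nonWindows
        SafeToDisable   = -not ($recentLogon -or $nonWindows)
    }
}

# Human review first, as the thread advises; the CSV is the audit trail for it.
$report | Sort-Object PasswordLastSet | Format-Table -AutoSize
$report | Export-Csv -Path .\stale-computers.csv -NoTypeInformation

# On a member that shows up overdue, confirm whether its change interval was
# altered locally (Joe's registry caveat). MaximumPasswordAge is in days,
# DisablePasswordChange=1 stops rotation entirely. Run this on the client itself.
function Get-NetlogonPasswordPolicy {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    Get-ItemProperty -Path $key |
        Select-Object @{ n = 'MaximumPasswordAge';    e = { $_.MaximumPasswordAge } },
                      @{ n = 'DisablePasswordChange'; e = { $_.DisablePasswordChange } }
}
Get-NetlogonPasswordPolicy
```

Review the `NeedsReview` rows by hand before acting on anything marked `SafeToDisable`; an account that is both overdue and has no recent logon is the only category this report treats as a disable candidate, and even then disabling (rather than deleting) first keeps the object recoverable if a VPN laptop reappears.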
  3.

    You are correct! Cannot believe that I wrote 60 days... how many times
    have I written 30 days? And I usually change your default to 45 days, not
    65 days! Man, what was going on? Must have been thinking about dinner!

    --
    Cary W. Shultz
    Roanoke, VA 24014
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com


    "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
    news:ew3gfwq$EHA.1908@TK2MSFTNGP15.phx.gbl...
  4.

    How many dinners? 6?

    ;-)

    --

    Paul Williams

    http://www.msresource.net
    http://forums.msresource.net


    "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
    news:uKezrVr$EHA.2880@TK2MSFTNGP14.phx.gbl...
  5.

    No, only four!

    You know, dinner! Then second dinner. Then there is a break. Then we have
    a snack. Then we have second snack!

    That about does it.

    --
    Cary W. Shultz
    Roanoke, VA 24014
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com


    "ptwilliams" <ptw2001@hotmail.com> wrote in message
    news:efIy0ws$EHA.2880@TK2MSFTNGP14.phx.gbl...