Re: Maximum machine account password age
I have the following questions related to that topic:

1. If we have the "Maximum machine account password age" setting enabled, is the
password change initiated on the client or on the Domain Controller side?
2. For the pre-created computer accounts: can we fine-tune the "Maximum
machine account password age" setting and, let's say, create an OU with the
pre-created computer accounts and significantly increase the value of the
"Maximum machine account password age" setting only for that OU, while at the same
time the Domain Controllers have the "Maximum machine account password
age" setting set to "30 days"? And everybody will communicate just fine?
Reference:
"Some organizations prebuild computers and then store them for later use or
ship them to remote locations. If the computer’s account has expired, it will
no longer be able to authenticate with the domain. Computers that cannot
authenticate with the domain must be removed from the domain and rejoined to
it. For this reason, some organizations might want to create a special OU for
computers that are prebuilt and configure the value for this policy setting
to a larger number of days."
http://technet2.microsoft.com/WindowsServer/en/Library/6d1cf160-25c8-4b0f-90b5-428bf5c24eae1033.mspx
3. What should we anticipate if we don't implement any custom "Maximum
machine account password age" settings and the pre-created computer account
has existed for 60+ days before the physical computer was joined to
the domain?
Environment: W2K3/XPSP2

Thank you,
Alex

"Joe Richards [MVP]" wrote:

Could be semantics but computer accounts don't expire.

A computer "chooses" when it wants to change its password based on registry
entries on the computer itself. The DC never forces it. I run into this on a
regular basis with customers using my oldcmp tool because they are confused when
it disables a machine that has a password of hundreds or thousands of days old
that was working fine until it got disabled.

What can happen is this: if you allow a computer to change its password a couple of
times to get past some helper functionality MS put around this, and then discard
that info from one side or the other, the computer won't be able to log on.
That is because it thinks its password is one thing and the DC thinks it is
another.

There are multiple reasons why a computer will not choose to change its
password. The common ones are that the registry entry (which is modified by
Group Policy, assuming that works properly) is set to not change the password or
not change it as frequently, that some VPN software outright disables
that functionality, or that the connectivity isn't there when the machine wants to
change the password.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
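The two views Joe describes (the member decides locally from its Netlogon registry entries; the DC only records pwdLastSet) can be audited side by side. The following PowerShell is an added example, not code from the thread or from joeware; it assumes the Netlogon registry values MaximumPasswordAge (days, default 30) and DisablePasswordChange (1 = never rotate) that the "Domain member" policy settings write, the RSAT ActiveDirectory module for Get-ADComputer, and a placeholder OU path.

```powershell
# Added example: compare the client-side rotation policy with the DC's view of
# pwdLastSet, and list accounts (e.g. pre-created ones) that have gone stale.

function Get-MachinePasswordPolicy {
    # Client-side view: the member itself decides when to rotate; the DC never forces it.
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $maxAge = if ($null -ne $reg.MaximumPasswordAge) { [int]$reg.MaximumPasswordAge } else { 30 }
    $off    = if ($null -ne $reg.DisablePasswordChange) { [int]$reg.DisablePasswordChange -eq 1 } else { $false }
    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        MaximumPasswordAgeDays = $maxAge
        PasswordChangeDisabled = $off
        # A broken secure channel is the symptom of the two sides disagreeing on the password.
        SecureChannelOK        = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
    }
}

function Find-StaleComputerAccounts {
    # Server-side view: accounts whose pwdLastSet is older than $Days (or never set),
    # e.g. pre-created objects that were never joined, or members that stopped rotating.
    param([string]$SearchBase, [int]$Days = 60)
    Import-Module ActiveDirectory -ErrorAction Stop
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties PasswordLastSet, LastLogonDate |
        Where-Object { (-not $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $cutoff) } |
        Select-Object Name, Enabled, PasswordLastSet, LastLogonDate,
            @{ n = 'PasswordAgeDays'
               e = { if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } } }
}

Get-MachinePasswordPolicy
# Placeholder OU; replace with the OU holding the pre-built computer objects.
Find-StaleComputerAccounts -SearchBase 'OU=Prebuilt,DC=example,DC=com' -Days 60
```

Test-ComputerSecureChannel needs an elevated prompt on the member; run the stale-account query from a machine with RSAT against the OU in question.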