Re: Maximum machine account password age
I believe you have gotten responses to this in other groups but

1. Client
2. No reason to. Clients initiate password changes.
3. Nothing extraordinary

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm



Alex wrote:
I have the following questions related to that topic:

1. If we have "Maximum machine account password age" setting enabled, is the password initiated on the client or on the Domain Controller side?
2. For the pre-created computer accounts: can we fine-tune the "Maximum machine account password age" setting and, let's say, create an OU with the pre-created computer accounts and significantly increase the value of the "Maximum machine account password age" setting only for that OU? At the same time the Domain Controllers will have the "Maximum machine account password age" setting set to "30 days". And everybody will communicate just fine?
Reference:
"Some organizations prebuild computers and then store them for later use or ship them to remote locations. If the computer’s account has expired, it will no longer be able to authenticate with the domain. Computers that cannot authenticate with the domain must be removed from the domain and rejoined to it. For this reason, some organizations might want to create a special OU for computers that are prebuilt and configure the value for this policy setting to a larger number of days." http://technet2.microsoft.com/WindowsServer/en/Library/6d1cf160-25c8-4b0f-90b5-428bf5c24eae1033.mspx
3. What should we anticipate if we don't implement any custom "Maximum machine account password age" settings and the pre-created computer account has existed for 60+ days prior to the physical computer being joined to the domain?
Environment: W2K3/XPSP2

Thank you,
Alex

"Joe Richards [MVP]" wrote:

Could be semantics, but computer accounts don't expire.

A computer "chooses" when it wants to change its password based on registry entries on the computer itself. The DC never forces it. I run into this on a regular basis with customers using my oldcmp tool because they are confused when it disables a machine that has a password of hundreds or thousands of days old that was working fine until it got disabled.

What can happen is, if you allow a computer to change its password a couple of times to get past some helper functionality MS put around this and then discard that info from one side or the other, the computer won't be able to log on. That is because it thinks its password is one thing and the DC thinks it is another.

There are multiple reasons why a computer will not choose to change its password. The common ones are that the registry entry (which is modified by Group Policy, assuming that works properly) is set to not change the password or not change it as frequently, that some VPN software outright disables that functionality, or that the connectivity isn't there when the machine wants to change the password.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
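Joe's two points above, that the client decides when to rotate its machine account password based on its own registry entries, and that a stale pwdLastSet by itself does not mean the account is broken, can both be checked. The PowerShell below is an added example written for this thread; it is not joeware's oldcmp and not code from the thread. It assumes the Netlogon registry values `DisablePasswordChange` and `MaximumPasswordAge` (the values the "Domain member" Group Policy settings write), and, for the report half, that the ActiveDirectory PowerShell module (RSAT) is available on the management host, which the W2K3/XP environment in the question would not have had. It reports only and disables nothing.

```powershell
# Added example, not from this thread and not joeware's oldcmp.
# Part 1: show the local Netlogon settings that decide whether and how often THIS
# domain member will initiate a machine account password change. The DC never
# forces the change; these client-side values (written by Group Policy) govern it.
$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$p = Get-ItemProperty -Path $netlogonKey

# Defaults apply when a value is absent: changes enabled, 30-day maximum age.
$disabled = if ($null -ne $p.DisablePasswordChange) { [bool]$p.DisablePasswordChange } else { $false }
$maxAge   = if ($null -ne $p.MaximumPasswordAge)    { [int]$p.MaximumPasswordAge }     else { 30 }

Write-Host "DisablePasswordChange : $disabled"
Write-Host "MaximumPasswordAge    : $maxAge days"
if ($disabled) { Write-Host "This client will never initiate a password change on its own." }

# Part 2: from a management host, list computer accounts whose password has not
# changed for longer than a threshold, the way oldcmp-style reports do.
# Assumption: the ActiveDirectory module (RSAT) is installed here.
function Get-StaleComputerAccount {
    param(
        [int]$ThresholdDays = 60,
        [string]$SearchBase = $null   # e.g. the OU holding pre-staged computers
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $now = [DateTime]::UtcNow
    $query = @{ Filter = '*'; Properties = 'pwdLastSet', 'Enabled', 'OperatingSystem' }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADComputer @query | ForEach-Object {
        # pwdLastSet is a FILETIME (100-ns ticks since 1601, UTC); 0 means never set.
        $last = if ($_.pwdLastSet -gt 0) { [DateTime]::FromFileTimeUtc($_.pwdLastSet) } else { $null }
        $age  = if ($last) { [int]($now - $last).TotalDays } else { $null }
        [pscustomobject]@{
            Name            = $_.Name
            Enabled         = $_.Enabled
            OperatingSystem = $_.OperatingSystem
            PasswordLastSet = $last
            AgeDays         = $age
            Stale           = ($null -eq $age) -or ($age -gt $ThresholdDays)
        }
    } | Where-Object Stale | Sort-Object AgeDays -Descending
}

# Report only. An old pwdLastSet alone is not proof of a broken account: a pre-staged
# account, a VPN client, or a laptop that was off the network can all be far past the
# maximum age and still authenticate once the computer next talks to a DC.
Get-StaleComputerAccount -ThresholdDays 60 | Format-Table -AutoSize
```

Run Part 1 on the client whose behaviour you are unsure of, and Part 2 with `-SearchBase` pointed at the pre-staged OU from the question; an account that shows up as stale there is exactly the case Joe describes, old but still usable, and the safe follow-up is to confirm with the owner before disabling anything.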