Implications of changing "Maximum machine account password age" policy

    Question

  • Hello.

    I have written a PowerShell script that will disable and delete old computers from Active Directory. The script uses the time period since the machine password was last changed. To get a more accurate result I am considering changing the Maximum machine account password age policy.

    I have one question. If I change the policy from the default of 30 days to, say, 5, and a computer is turned off for 6 weeks and then turned on, will that machine lose the trust with the domain please?

    All clients on the domain are running Windows 7 with Server 2008 R2.

    Many Thanks

    Monday, March 05, 2012 1:05 PM

All replies

  • If a computer is turned off for 6 weeks, when it turns on again it will automatically renew its password. The most notable implication of changing the policy is increased AD traffic, as computers will update their passwords 6 times as much. Depending on the scale of your organization this might require an update to your AD infrastructure. But in general I would say this should not have a significant impact on your environment.

    "So if a computer is turned off for three months nothing expires. When the computer starts up, it will notice that its password is older than 30 days and will initiate action to change it. The Netlogon service on the client computer is responsible for doing this. This is only applicable if the machine is turned off for such a long time."

     Source: Machine Account Password Process 

    The link above describes the whole process in case you are interested.

    Monday, March 05, 2012 1:45 PM
  • If a computer is turned off for 6 weeks, when it turns on again it will automatically renew its password. The most notable implication of changing the policy is increased AD traffic, as computers will update their passwords 6 times as much. Depending on the scale of your organization this might require an update to your AD infrastructure. But in general I would say this should not have a significant impact on your environment.

    "So if a computer is turned off for three months nothing expires. When the computer starts up, it will notice that its password is older than 30 days and will initiate action to change it. The Netlogon service on the client computer is responsible for doing this. This is only applicable if the machine is turned off for such a long time."

     Source: Machine Account Password Process 

    The link above describes the whole process in case you are interested.

    Thanks

    It's only a small deployment, less than 1,000 machines on one site. The setup is a good spec so it won't be a major issue. My last place had 50,000 machines across Australia so I can appreciate your concerns.

    I was under the impression that after a certain number of password changes had taken place the trust would be lost. But I must be wrong :-)

    Are there any implications if the computer is being used off the domain for a period of time? Say if a laptop is being used at a user's home offline for 6 weeks?

    If I decrease this to 5 days is it likely to make my machines boot noticeably slower when they have been shut down for longer than 5 days please?

    Thanks for your input.

    • Edited by FNGM Monday, March 05, 2012 2:01 PM
    Monday, March 05, 2012 1:54 PM
  • For computers that are used remotely this can have consequences depending on how your VPN is set up. But since you have it set up on 30 days now, I would imagine that there have been users that had their machine accounts expire while not coming into the office. Boot should not be slowed noticeably.

    Regarding VPN and expired Machine passwords:

    • If a laptop with a machine account password older than MaximumPasswordAge is connected to a VPN through which it can contact a DC for its domain
      • Then that machine’s account password will be changed as long as the workstation scavenger thread has a chance to run (i.e. if the laptop remains connected to the VPN for at least ScavengeInterval minutes, the password will be changed).
    • The age of a machine account password must reach expiry in order for the machine account to be considered stale; it is very dependent on the environment.

    Source: Password Age for Machine Accounts do not expire

    Monday, March 05, 2012 2:22 PM
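The replies above describe the client side of the process (the Netlogon service compares the password age against MaximumPasswordAge and changes it at boot or when the scavenger thread runs) and the DC side (pwdLastSet on the computer object). The script below is an added example, not code from the thread, that pulls both halves together for one workstation so the effect of a policy change can be checked before and after it is rolled out. It assumes the ActiveDirectory module is installed, that it runs on a domain member, and that the Netlogon parameter key holds the client's effective settings; the default of 30 days is Windows' own default.

```powershell
# Added example (not from the thread): inspect one workstation's machine-password state.
# Assumes the ActiveDirectory module (RSAT) is available and the script runs on a domain member.
Import-Module ActiveDirectory

function Get-MachinePasswordStatus {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Netlogon's client-side parameters live here; a missing value means the Windows default applies.
    $netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $params   = Get-ItemProperty -Path $netlogon

    $maxAgeDays = if ($params.PSObject.Properties['MaximumPasswordAge']) { [int]$params.MaximumPasswordAge } else { 30 }
    $disabled   = if ($params.PSObject.Properties['DisablePasswordChange']) { [bool]$params.DisablePasswordChange } else { $false }

    # pwdLastSet on the computer object is a FILETIME (100ns ticks since 1601); this is the DC's view.
    $acct    = Get-ADComputer -Identity $ComputerName -Properties pwdLastSet
    $pwdSet  = [DateTime]::FromFileTime($acct.pwdLastSet)
    $ageDays = [int]((Get-Date) - $pwdSet).TotalDays

    # Only the local machine can test its own secure channel with the domain.
    $channelOk = if ($ComputerName -eq $env:COMPUTERNAME) { Test-ComputerSecureChannel } else { $null }

    [PSCustomObject]@{
        Computer               = $ComputerName
        MaximumPasswordAge     = $maxAgeDays
        PasswordChangeDisabled = $disabled
        PasswordLastSet        = $pwdSet
        PasswordAgeDays        = $ageDays
        # Netlogon will initiate a change once the age reaches the policy value, unless changes are disabled.
        ChangeDueAtNextBoot    = ($ageDays -ge $maxAgeDays) -and -not $disabled
        SecureChannelOk        = $channelOk
    }
}

Get-MachinePasswordStatus | Format-List
```

Run it on a pilot machine before lowering the policy and again after the machine has been powered off past the new age: PasswordLastSet should move forward after the next boot while SecureChannelOk stays True. If the secure channel has genuinely failed, `Test-ComputerSecureChannel -Repair -Credential (Get-Credential)` resets it in place without dropping to a workgroup and rejoining.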
  • Thanks, we don't use VPN, we use RDS for remote access.

    I am thinking if I decrease the expiry on desktops only I should be OK. Laptops are exempt from my script anyway so I should be OK.

    Thanks

    Monday, March 05, 2012 2:32 PM
  • Excellent so does that answer your question or do you require more information?
    Monday, March 05, 2012 2:37 PM
  • With a short time frame like that you will see this error message popping up for sure "the trust relationship between this workstation and the primary domain failed".

    In which case you will have to join the computer to a workgroup and join it back to the domain.

    This could lead to an increase in the number of calls to the helpdesk/desk side support.

    If you don't have a local admin password that enables you to log in to these computers then you are looking at re-imaging.

    • Marked as answer by FNGM Monday, March 05, 2012 4:41 PM
    • Unmarked as answer by FNGM Monday, March 05, 2012 4:41 PM
    Monday, March 05, 2012 3:09 PM
  • With a short time frame like that you will see this error message popping up for sure "the trust relationship between this workstation and the primary domain failed".

    In which case you will have to join the computer to a workgroup and join it back to the domain.

    This could lead to an increase in the number of calls to the helpdesk/desk side support.

    If you don't have a local admin password that enables you to log in to these computers then you are looking at re-imaging.

    That contradicts what Jaap says. From what I understand he says when the machine boots it will just sort the password out and the end user won't notice a difference.

    I'm kind of confused now.

    Monday, March 05, 2012 4:43 PM
  • This is based on my experience only.
    Lowering that value to 5 days will probably come with a price.
    My advice is take it very slow and deploy it to a limited group of computers only for a while until you are sure it works the way you expect.

    In most environments they won't let you even disable or delete computer accounts unless they are inactive for 90 days (have not changed password for 90 days).

    In my opinion you are not getting much by going down to 5 days; the risk doesn't outweigh the benefits, but the decision is yours.

    Monday, March 05, 2012 4:57 PM
  • Unless there is another underlying condition the trust relationship should not fail. Changing the machine password is something that happens regularly in every domain and should never fail as drastically as Brano describes it, as you have read in the post from the Directory Services team.

    What I would like to know, why are you changing the machine password policy?

    Monday, March 05, 2012 4:59 PM
  • I do agree with you Jaap that it should work, but the question is why risk it if you are not gaining much.
    All you need to do is break one of the high executives' machines and you are out of the door.
    What I said is if you want to do it, take a slow, phased approach, because if something goes wrong you don't want to impact the entire environment.

    Monday, March 05, 2012 5:37 PM
  • The idea is to disable inactive computers after 60 days and then delete them 30 days from the disable time. I thought if I reduced the time frame I would get more accurate results.

    Thanks to all those who replied.

    Monday, March 05, 2012 6:25 PM
  • If you want to disable inactive computers then you should just look at the lastLogonTimestamp attribute of the computer object. You can find more information about this subject and the difference between the lastLogon and lastLogonTimestamp attributes in this blog post:

    “The LastLogonTimeStamp Attribute” – “What it was designed for and how it works”

    Based on the reasoning you gave us I would recommend against changing the machine password policy; it is unnecessary to be able to do what you want.

    Tuesday, March 06, 2012 8:37 AM
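The recommendation above (key staleness on lastLogonTimestamp rather than on the machine password age) and the original poster's 60-day disable / 30-day delete plan combine into the script below. It is an added example, not the original poster's script or anything from the thread; it assumes the ActiveDirectory module, read/write rights on the target OU, and a placeholder OU path that must be replaced. The 14-day figure in the comments is lastLogonTimestamp's default replication interval (msDS-LogonTimeSyncInterval), which is why the attribute cannot support thresholds shorter than that and why no policy change is needed for a 60-day threshold.

```powershell
# Added example (not from the thread): stale computer cleanup keyed on lastLogonTimestamp.
# Assumes the ActiveDirectory module (RSAT) and rights to read and modify computer objects.
# Every modifying cmdlet carries -WhatIf so this is a dry run until that switch is removed deliberately.
Import-Module ActiveDirectory

$DisableAfterDays = 60   # inactive this long -> disable (thresholds taken from the thread)
$DeleteAfterDays  = 30   # disabled this long -> delete
$SearchBase       = 'OU=Workstations,DC=example,DC=com'   # placeholder OU; adjust to your domain

# lastLogonTimestamp only replicates when it is more than (14 - random 0..5) days old,
# so any threshold below roughly 14 days is meaningless; 60 days is well clear of that.
$DisableCutoff = (Get-Date).AddDays(-$DisableAfterDays)

$computers = Get-ADComputer -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
    -Properties lastLogonTimestamp, pwdLastSet, OperatingSystem

foreach ($c in $computers) {
    # Both attributes are FILETIME values (100ns ticks since 1601); 0 or null means never set.
    $lastLogon = if ($c.lastLogonTimestamp) { [DateTime]::FromFileTime($c.lastLogonTimestamp) } else { $null }
    $pwdSet    = if ($c.pwdLastSet)         { [DateTime]::FromFileTime($c.pwdLastSet) }         else { $null }

    # Pre-staged accounts that have never logged on are a separate case; leave them alone here.
    if (-not $lastLogon) { continue }

    if ($lastLogon -lt $DisableCutoff) {
        # Record why and when in the description so the delete phase only touches objects this script disabled.
        $stamp = (Get-Date).ToString('yyyy-MM-dd')
        Write-Output ('Disabling {0}: last logon {1:u}, pwdLastSet {2:u}' -f $c.Name, $lastLogon, $pwdSet)
        Set-ADComputer -Identity $c -Description "Disabled as stale on $stamp (last logon $($lastLogon.ToString('u')))" -WhatIf
        Disable-ADAccount -Identity $c -WhatIf
    }
}

# Delete phase: only objects carrying this script's marker, and only once disabled long enough.
$DeleteCutoff = (Get-Date).AddDays(-$DeleteAfterDays)
Get-ADComputer -SearchBase $SearchBase -Filter 'Enabled -eq $false' -Properties Description |
    Where-Object {
        $_.Description -match '^Disabled as stale on (\d{4}-\d{2}-\d{2})' -and
        [DateTime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null) -lt $DeleteCutoff
    } |
    ForEach-Object {
        Write-Output ('Deleting {0} ({1})' -f $_.Name, $_.Description)
        Remove-ADComputer -Identity $_ -Confirm:$false -WhatIf
    }
```

Scoping both phases to one OU and marking disabled objects in the description keeps the script from deleting accounts that an administrator disabled by hand for other reasons; pwdLastSet is reported alongside only as a second signal for review, not as the decision input.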
  • This is based on my experience only.
    Lowering that value to 5 days will probably come with a price.
    My advice is take it very slow and deploy it to a limited group of computers only for a while until you are sure it works the way you expect.

    In most environments they won't let you even disable or delete computer accounts unless they are inactive for 90 days (have not changed password for 90 days).

    In my opinion you are not getting much by going down to 5 days; the risk doesn't outweigh the benefits, but the decision is yours.

    When you say based on your experience...

    Did you experience trust issues only after playing with the password length, bringing it down from the default? Do you have a technical reference for why it occurred to you, or is it only based on observations?

    Thursday, March 08, 2012 6:18 PM
  • This is my observation only, based on what I have seen in the environment that I have supported. This may or may not be the case in other environments.
    Thursday, March 08, 2012 8:14 PM