What is computer account password?

    Question

  • What is the AD computer/machine account password?
    How is it used and stored?
    Is it used only by AD? Can it be used/changed by a user interactively?

    • Edited by vgv8 Saturday, August 07, 2010 8:08 AM
    Saturday, August 07, 2010 7:04 AM

Answers

  • In message
    <868f2d03-ca41-4746-8b19-f2405cdd799f@communitybridge.codeplex.com> vgv8
    was claimed to have written:

    What is computer account password?

    It depends on the context. If you're talking about an Active Directory
    domain, each computer has its own password which is randomly generated
    by the computer and changed automatically on a schedule.

    There is no way to know what the password is, or change it manually.

    However, this might not be what you're talking about...

    Is it built-in Administrator password which is blank by default?

    It could be -- What is the context?

    Saturday, August 07, 2010 8:07 AM
  • On Sat, 7 Aug 2010 08:12:06 +0000, vgv8 wrote:

    I understood that the AD machine/computer account is used by AD.
    Though, as I understood, automatic changes can be disabled locally
    (through regedit).
    It does not seem logical to me - to be used centrally only but controlled locally...

    The owner of the account, be it a user account or a computer account, needs
    to change their password so the change is always initiated locally,
    therefore it is perfectly logical that it also be locally disabled if
    required.


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca

    Saturday, August 07, 2010 8:38 AM
  • On Sat, 7 Aug 2010 09:44:42 +0000, vgv8 wrote:

    The owner of the account, be it a user account or a computer account, needs
    to change their password so the change is always initiated locally

    Is the owner of the computer account a human?
    Is the change always interactive?

    No, of course not, the owner of the computer account is the computer and
    no, the password change for the computer account is never interactive.


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca

    Saturday, August 07, 2010 9:51 AM

All replies

  • I understood that the AD machine/computer account is used by AD.
    Though, as I understood, automatic changes can be disabled locally
    (through regedit).
    It does not seem logical to me - to be used centrally only but controlled locally...
    Saturday, August 07, 2010 8:12 AM
  • In message
    <718cd890-2bbf-449d-9a9b-6227214e9d7d@communitybridge.codeplex.com> Paul
    Adare [MVP] was claimed to have written:

    On Sat, 7 Aug 2010 08:12:06 +0000, vgv8 wrote:

    I understood that the AD machine/computer account is used by AD.
    Though, as I understood, automatic changes can be disabled locally
    (through regedit).
    It does not seem logical to me - to be used centrally only but controlled locally...

    The owner of the account, be it a user account or a computer account, needs
    to change their password so the change is always initiated locally,
    therefore it is perfectly logical that it also be locally disabled if
    required.

    Beyond what Paul said, also remember that this can be managed centrally
    through group policies if desired.

    Saturday, August 07, 2010 9:17 AM
  • The owner of the account, be it a user account or a computer account, needs
    to change their password so the change is always initiated locally


    Is the owner of the computer account a human?
    Is the change always interactive?
    Saturday, August 07, 2010 9:44 AM
  • It was late to correct my question but I'd like to re-phrase my question...

    Suppose that the computer is being booted, the logon window is being shown, but the user has never logged in interactively.
    I am not a sysadmin but I guess it is quite a possible scenario for server operating systems(?)
    So, it is enough for computer passwords to be regularly changed?

    When I see the logon screen, does it mean that the computer account was logged in already?
    Does user interactive login mean that both the computer account and the user account were logged in simultaneously?

    Saturday, August 07, 2010 10:16 AM
  • On Sat, 7 Aug 2010 10:16:50 +0000, vgv8 wrote:

    It was late to correct my question but I'd like to re-phrase my question...

    Suppose that the computer is being booted, the logon window is being shown, but the user has never logged in interactively.
    I am not a sysadmin but I guess it is quite a possible scenario for server operating systems(?)
    So, it is enough for computer passwords to be regularly changed?

    I don't understand your question here. Is what enough?


    When I see the logon screen, does it mean that the computer account was logged in already?

    Not necessarily, no. It is possible that a domain controller was not
    available during the boot process or that for some reason a secure channel
    between the computer and a DC could not be established.

    Does user interactive login mean that both the computer account and the user account were logged in simultaneously?

    No, interactive logon only refers to a user account, not a computer
    account.


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca

    Saturday, August 07, 2010 10:23 AM
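An added example (not from the thread) that checks, on one domain-joined host, the things the replies above describe: the two Netlogon registry values that regedit or the "Domain member" Group Policy settings write, the age of the machine password as AD records it, and whether the secure channel to a DC that Paul mentions was actually established. It assumes a Windows host with the RSAT ActiveDirectory module installed; the 30-day default maximum age is Windows' default, not a value from the thread.

```powershell
function Get-MachineAccountPasswordStatus {
    # Netlogon reads these two values; regedit, a script or the Group Policy settings
    # "Domain member: Disable machine account password changes" and
    # "Domain member: Maximum machine account password age" write them.
    $netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $params   = Get-ItemProperty -Path $netlogon

    # Absent values mean the defaults: changes enabled, 30-day maximum age.
    $changeDisabled = ([int]$params.DisablePasswordChange) -eq 1
    $maxAgeDays     = if ($null -ne $params.MaximumPasswordAge) { [int]$params.MaximumPasswordAge } else { 30 }

    # The directory's own record of when this computer last rotated its password.
    $account = Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet
    $ageDays = $null
    if ($account.PasswordLastSet) {
        $ageDays = [int]((Get-Date) - $account.PasswordLastSet).TotalDays
    }

    # The secure channel is the computer's own logon to the domain; it can be
    # missing even though the user logon screen is displayed.
    $secureChannelOk = Test-ComputerSecureChannel

    $findings = @()
    if ($changeDisabled) {
        $findings += 'Automatic machine password change is disabled (DisablePasswordChange=1)'
    }
    if ($null -eq $ageDays) {
        $findings += 'AD has no PasswordLastSet for this computer account'
    } elseif ($ageDays -gt $maxAgeDays) {
        $findings += "Machine password is $ageDays days old, above the $maxAgeDays-day maximum"
    }
    if (-not $secureChannelOk) {
        $findings += 'Secure channel to a DC is broken; see Test-ComputerSecureChannel -Repair'
    }

    [pscustomobject]@{
        Computer        = $account.Name
        PasswordLastSet = $account.PasswordLastSet
        PasswordAgeDays = $ageDays
        MaxAgeDays      = $maxAgeDays
        ChangeDisabled  = $changeDisabled
        SecureChannelOk = $secureChannelOk
        Findings        = $findings
    }
}

Get-MachineAccountPasswordStatus
```

Run it as a domain user on the host being checked; an empty Findings list means rotation is enabled, the password is within its maximum age and the computer's own domain logon succeeded.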
  • "Active Directory comes to Linux with Samba 4" (Computerworld)

    • "They also discovered that machines would stop working after 28 days which was something to do with password expiry. We spent a week at Microsoft and discovered Windows would use a call with a string and fill it with random ____"

    Does this mean that disabling automatic password change will make Windows inoperable?

    Sunday, August 08, 2010 4:28 PM
  • On Sun, 8 Aug 2010 16:28:57 +0000, vgv8 wrote:

    Does this mean that disabling automatic password change will make Windows inoperable?

    No.


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca

    Monday, August 09, 2010 2:05 AM
  • Hi,

    Thank you for your post here.

    When I see the logon screen, does it mean that the computer account was logged in already?

    In normal scenarios, yes. When you see the logon screen, the computer has logged onto the domain and accessed the group policy container and the SYSVOL share to apply the group policy in the domain.

    Does user interactive login mean that both the computer account and the user account were logged in simultaneously?

    No. Computers and users, which are all considered Security Principals, are separate resources in the directory service. They log onto the domain separately. When the computer boots to the welcome screen, it has authenticated to the domain and acquired the proper token/ticket from AD. When a user attempts to log onto a domain-joined computer, he authenticates to the domain and gets the ticket to access the domain resource (the computer), which is called the interactive logon.


    Monday, August 09, 2010 3:40 AM
    Moderator
  • Hi,

    Thank you for your post here.

    When I see the logon screen, does it mean that the computer account was logged in already?

    In normal scenarios, yes. When you see the logon screen, the computer has logged onto the domain and accessed the group policy container and the SYSVOL share to apply the group policy in the domain.

    Does user interactive login mean that both the computer account and the user account were logged in simultaneously?

    No. Computers and users, which are all considered Security Principals, are separate resources in the directory service. They log onto the domain separately. When the computer boots to the welcome screen, it has authenticated to the domain and acquired the proper token/ticket from AD. When a user attempts to log onto a domain-joined computer, he authenticates to the domain and gets the ticket to access the domain resource (the computer), which is called the interactive logon.


    For me your "No" means that a user can log in without any computer being logged in, but then you explain that the user logs in only after, or on top of, a computer being already authenticated.

    Under "simultaneously", I mean "in parallel", i.e. both the computer account and the user account are logged in when the user has logged in.

    I cannot understand what you mean by "No".

    Monday, August 09, 2010 4:02 AM
  • When I see the logon screen, does it mean that the computer account was logged in already?

    In normal scenarios, yes. When you see the logon screen, the computer has logged onto the domain and accessed the group policy container and the SYSVOL share to apply the group policy in the domain.

    Does user interactive login mean that both the computer account and the user account were logged in simultaneously?

    No. Computers and users, which are all considered Security Principals, are separate resources in the directory service.

    Well, Managing Samba: Windows network identity basics says:

    • "The Unix operating system uses a separate name space for the UIDs and GIDs, but Windows allocates the RID from a single name space.

      A Windows user and a Windows group cannot have the same RID. Just as the Unix user root has the UID=0, the Windows administrator has the well-known RID=500. The RID is concatenated to the Windows domain SID, so administrator account for a domain that has the above SID will have the user SID S-1-5-21-726309263-4128913605-1168186429-500. Outside of the well-known accounts that have a globally consistent RID, the RIDs are allocated starting at RID=1000. The RID is appended to the SID of the machine with the result that every account in the Windows networking world will have a globally unique security identifier"

    + other docs essentially tell that Windows user identity is just merged with machine and domain SIDs in Windows AD.

    Also, I read that AD computer SID is created with the use of AD machine password.

    Does it mean that an AD machine does not re-use the machine SID it had while isolated (or in a workgroup), i.e. before joining the domain? I.e., is the AD machine SID created for the machine during joining to the domain, and is it changed with each automatic renewal of the AD machine account password?

    Tuesday, August 10, 2010 6:08 AM
  • On Tue, 10 Aug 2010 06:08:20 +0000, vgv8 wrote:

    + other docs essentially tell that Windows user identity is just merged with machine and domain SIDs in Windows AD.

    This statement doesn't mean anything and doesn't really make any sense.


    Also, I read that AD computer SID is created with the use of AD machine password.

    Not true.


    Does it mean AD machine does not re-use existing on isolated (or workgroup), i.e. before joining to domain, machine account?

    I don't really understand what you're asking here but prior to joining a
    domain, a computer doesn't have an account. There's no authentication store
    outside of the local computer when the computer isn't joined to a domain so
    there's no need for the computer itself to have an account.

    i.e. AD machine account is created for machine during joining to domain?

    An account for the computer in a domain can be created either prior to
    joining the domain or during the process of joining a domain one can be
    created automatically.


    Does it mean that AD machine's SID is being changed with the automatic renewal of AD machine account password?

    No, not at all.

    You might want to do some further reading on SIDs -
    http://technet.microsoft.com/en-us/library/cc778824(WS.10).aspx


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca

    Tuesday, August 10, 2010 10:14 AM
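An added example (not from the thread or the Samba book) that decomposes the SID quoted from Managing Samba into its domain SID and RID, illustrating Paul's point: every account in a domain shares the domain SID and differs only in the RID, and nothing in it is derived from a password. The second SID is a constructed ordinary account in the same domain.

```powershell
function Split-AccountSid {
    param([Parameter(Mandatory)][string]$SidString)

    $sid = [System.Security.Principal.SecurityIdentifier]$SidString
    # Only S-1-5-21-<domain>-<rid> SIDs have a domain part and a RID.
    if (-not $sid.IsAccountSid()) {
        throw "$SidString is not a domain or machine account SID"
    }
    $rid = [uint32]($sid.Value.Split('-')[-1])

    # Well-known RIDs are fixed values below 1000; accounts created later are
    # allocated from RID 1000 upwards, as the quoted text says.
    $ridKind = switch ($rid) {
        500     { 'Administrator (well-known)' }
        501     { 'Guest (well-known)' }
        502     { 'krbtgt (well-known)' }
        512     { 'Domain Admins (well-known group)' }
        513     { 'Domain Users (well-known group)' }
        515     { 'Domain Computers (well-known group)' }
        default { if ($rid -ge 1000) { 'allocated user, group or computer' } else { 'other reserved RID' } }
    }

    [pscustomobject]@{
        Sid            = $sid.Value
        DomainSid      = $sid.AccountDomainSid.Value
        Rid            = $rid
        RidKind        = $ridKind
        IsBuiltinAdmin = $sid.IsWellKnown([System.Security.Principal.WellKnownSidType]::AccountAdministratorSid)
    }
}

# The administrator SID quoted in the thread, then a constructed account in the same domain.
Split-AccountSid 'S-1-5-21-726309263-4128913605-1168186429-500'
Split-AccountSid 'S-1-5-21-726309263-4128913605-1168186429-1104'
```

Both calls report the same DomainSid (S-1-5-21-726309263-4128913605-1168186429); only Rid and RidKind differ, and IsBuiltinAdmin is true solely for RID 500.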