
Maximum machine account password age

Posted by MC on March 14, 2006, 6:24 am
Hi,

The default value for "Domain member: Maximum machine account password age"
is 30 days on Windows XP and Windows Server 2003 Machines.
The question is, what happens to the computer account if the windows box is
offline for more than 30 days. Will windows try to change the computer
account password after the 30-day-period when it becomes online again ? Will
there be any authentication troubles ?

Thanks
MC



Posted by Roger Abell [MVP] on March 14, 2006, 10:12 am
IIRC the current and last passwords are available.
At the designated time the pwd is changed if both parties are
in communication, else when they are both present. If one
"forgets", such as by a restore, the most recent is available.
I have never caught mention of any locking mechanism that
would come into play if the pwds were all too old and had
not been changed.

> Hi,
>
> The default value for "Domain member: Maximum machine account password
> age" is 30 days on Windows XP and Windows Server 2003 Machines.
> The question is, what happens to the computer account if the windows box
> is offline for more than 30 days. Will windows try to change the computer
> account password after the 30-day-period when it becomes online again ?
> Will there be any authentication troubles ?
>
> Thanks
> MC
>
>



Posted by MC on March 14, 2006, 10:51 am
thanks Roger



> IIRC the current and last passwords are available.
> At the designated time the pwd is changed if both parties are
> in communication, else when they are both present. If one
> "forgets", such as by a restore, the most recent is available.
> I have never caught mention of any locking mechanism that
> would come into play if the pwds were all too old and had
> not been changed.
>
>> Hi,
>>
>> The default value for "Domain member: Maximum machine account password
>> age" is 30 days on Windows XP and Windows Server 2003 Machines.
>> The question is, what happens to the computer account if the windows box
>> is offline for more than 30 days. Will windows try to change the computer
>> account password after the 30-day-period when it becomes online again ?
>> Will there be any authentication troubles ?
>>
>> Thanks
>> MC
>>
>>
>
>



Posted by Joe Richards [MVP] on March 18, 2006, 7:49 pm
Computer password accounts don't expire. In fact computers don't ever have to
change their password, you could have password policy of 30 days and computers
with passwords 2500 days old will still be working just fine.


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm



MC wrote:
> Hi,
>
> The default value for "Domain member: Maximum machine account password age"
> is 30 days on Windows XP and Windows Server 2003 Machines.
> The question is, what happens to the computer account if the windows box is
> offline for more than 30 days. Will windows try to change the computer
> account password after the 30-day-period when it becomes online again ? Will
> there be any authentication troubles ?
>
> Thanks
> MC
>
>

Posted by Paul Adare on March 19, 2006, 3:50 am
microsoft.public.windows.server.security news group, Joe Richards [MVP]

> Computer password accounts don't expire. In fact computers don't ever have to
> change their password, you could have password policy of 30 days and computers
> with passwords 2500 days old will still be working just fine.
>

Perhaps this is a semantics issue but computer account passwords do in
fact expire and are changed on a regular basis. As an experiment, set up
a DC and a member computer in two virtual machines with undo disks
enabled. After a period of time (which will vary depending on the OS in
use) shut down and save changes on the DC and then shut down and discard
changes on the member computer. Restart both and see what happens.

Again, knowing what Joe knows, I'm assuming that this is just semantics
and that I'm probably reading his response in a way that is different
from what he intended. He is definitely correct that password expiration
policy does not affect computer account passwords.

--
Paul Adare - MVP Virtual Machines
"It all began with Adam. He was the first man to tell a joke--or a lie.
How lucky Adam was. He knew when he said a good thing, nobody had said
it before. Adam was not alone in the Garden of Eden, however, and does
not deserve all the credit; much is due to Eve, the first woman, and
Satan, the first consultant." - Mark Twain
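
The following is an added example, not part of the original thread: a PowerShell check of the points discussed above, namely the member-side rotation settings, the secure channel state that Paul's rollback experiment exercises, and the domain accounts whose passwords are older than the 30-day interval yet still enabled. It assumes a current Windows system with the ActiveDirectory (RSAT) module and an elevated prompt on a domain member; the `$thresholdDays` variable and the output column names are hypothetical choices for this example.

```powershell
# Added example. Run elevated on a domain-joined machine.

# --- Member side: settings behind the "Domain member:" policies -----------
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$p = Get-ItemProperty -Path $netlogon

[pscustomobject]@{
    Computer              = $env:COMPUTERNAME
    # Days between rotations; empty means the value is not set in the registry.
    MaximumPasswordAge    = $p.MaximumPasswordAge
    # 1 means the member never initiates a password change.
    DisablePasswordChange = $p.DisablePasswordChange
    # False when the local machine secret no longer matches what the domain
    # holds, which is the outcome the snapshot rollback experiment looks for.
    SecureChannelOK       = Test-ComputerSecureChannel
}

# --- Domain side: accounts whose password is older than the interval ------
Import-Module ActiveDirectory

$thresholdDays = 30                          # assumption: default interval
$now    = Get-Date
$cutoff = $now.AddDays(-$thresholdDays)

Get-ADComputer -Filter 'Enabled -eq $true' -Properties PasswordLastSet, LastLogonDate |
    Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff } |
    Select-Object Name,
        PasswordLastSet,
        @{ n = 'PasswordAgeDays'; e = { [int]($now - $_.PasswordLastSet).TotalDays } },
        LastLogonDate,
        # Old password but recent logon: the machine is online and not rotating
        # (rotation disabled, or an image that keeps being rolled back).
        # Old password and old or empty logon: the machine is probably just offline.
        @{ n = 'OnlineButNotRotating'; e = {
            [bool]($_.LastLogonDate -and $_.LastLogonDate -gt $cutoff) } } |
    Sort-Object PasswordAgeDays -Descending |
    Format-Table -AutoSize
```

`LastLogonDate` is derived from the replicated `lastLogonTimestamp` attribute and can lag by several days, so treat the last column as a hint for follow-up rather than a verdict.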
