Since the password age of machine accounts can be misleading, and since I did not find this information written down anywhere on the internet, I thought it worth dedicating a blog post to some facts, to clear things up for anyone who is worried about the password age of their machine accounts.
Here we go:
- Machine account passwords as such do not expire in Active Directory:
  - They are exempt from the domain's password policy.
  - Machine account password changes are driven by the CLIENT, not by Active Directory.
  - As long as no one has disabled or deleted the machine account, or tried to join another machine with the same name to the domain, the machine will keep working no matter how long it has been since its machine account password was last set or changed.
- So if a machine is, for example, offline for 3 months, its machine account does not expire because of password age.
  - When the machine boots, it will notice that its password is older than 30 days and will initiate a change.
  - The Netlogon service on the client is responsible for doing this.
- The relevant Netlogon parameters that can be tweaked are:
  - ScavengeInterval (default value is 15 minutes)
  - MaximumPasswordAge (default value is 30 days)
  - DisablePasswordChange (default value is off)
DisablePasswordChange prevents the client computer from changing its machine account password. You should not enable this.
  Key     = HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
  Value   = DisablePasswordChange REG_DWORD (1 = password changes disabled)
  Default = 0
ScavengeInterval controls several things, but on a workstation it mostly controls how often the workstation scavenger thread runs; the workstation scavenger is the thread responsible for changing the machine password when necessary.
MaximumPasswordAge determines when the password needs to be changed.
  Value   = MaximumPasswordAge REG_DWORD
  Default = 7
  Range   = 1 to 1,000,000 (in days)
ScavengeInterval: after Netlogon starts, the workstation scavenger thread wakes up.
If the password is not yet older than MaximumPasswordAge, the workstation scavenger goes back to sleep and sets itself to wake up when the password reaches that age.
Otherwise, the workstation scavenger attempts to change the password. If it cannot talk to a DC, it goes back to sleep and tries again after ScavengeInterval.
  Key     = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
  Value   = ScavengeInterval REG_DWORD
  Range   = 60 to 172800 seconds (48 hours)
  Default = 900 (15 minutes)
The ScavengeInterval setting can also be set to a custom value through Group Policy. Open the appropriate policy and expand the console tree to:
Computer Configuration\Administrative Templates\System\Netlogon\Scavenge Interval
The default value is 900 seconds (15 minutes).
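To make the scavenger logic above concrete, here is an added PowerShell example (my own code, not code from the original post). It reads the three Netlogon parameters from the registry, falls back to the defaults listed earlier (0, 30 days, 900 seconds) when a value is absent, and reports what the workstation scavenger will do for a given password age. The function name Get-MachinePasswordChangeForecast and the -DomainControllerReachable parameter are my own; the latter stands in for the scavenger's own DC lookup, and -PasswordLastSet is the account's pwdLastSet as read from AD.

```powershell
# Added example (not code from the original post). Predicts what the Netlogon workstation
# scavenger will do for this computer, following the logic described in the post.
# Assumptions: -PasswordLastSet is the machine account's pwdLastSet as read from AD, and
# -DomainControllerReachable stands in for the scavenger's own DC lookup.
function Get-MachinePasswordChangeForecast {
    param(
        [Parameter(Mandatory)][datetime]$PasswordLastSet,
        [bool]$DomainControllerReachable = $true,
        [datetime]$Now = (Get-Date)
    )
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters'
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # A value missing from the registry means "default"; the defaults are the ones the post lists.
    $disable  = if ($null -ne $p.DisablePasswordChange) { [int]$p.DisablePasswordChange } else { 0 }
    $maxAge   = if ($null -ne $p.MaximumPasswordAge)    { [int]$p.MaximumPasswordAge }    else { 30 }   # days
    $interval = if ($null -ne $p.ScavengeInterval)      { [int]$p.ScavengeInterval }      else { 900 }  # seconds

    $ageDays = ($Now - $PasswordLastSet).TotalDays
    $dueAt   = $PasswordLastSet.AddDays($maxAge)

    # The scavenger's decision, in the order the post describes it
    $action = if ($disable -eq 1)           { 'Never: DisablePasswordChange=1 stops the client from changing its password' }
        elseif ($ageDays -lt $maxAge)       { "Sleep until $dueAt (password not yet older than MaximumPasswordAge)" }
        elseif ($DomainControllerReachable) { 'Change now: password is due and a DC is reachable' }
        else                                { "Retry in $interval seconds (ScavengeInterval): password is due but no DC is reachable" }

    [pscustomobject]@{
        PasswordLastSet        = $PasswordLastSet
        PasswordAgeDays        = [math]::Round($ageDays, 1)
        MaximumPasswordAgeDays = $maxAge
        ScavengeIntervalSec    = $interval
        DisablePasswordChange  = $disable
        ChangeDueAt            = $dueAt
        ScavengerAction        = $action
    }
}

# The VPN case from the post: a laptop that has been away for 90 days and can now reach a DC.
Get-MachinePasswordChangeForecast -PasswordLastSet (Get-Date).AddDays(-90) -DomainControllerReachable $true

# The same laptop while the VPN is down: it will keep retrying every ScavengeInterval.
Get-MachinePasswordChangeForecast -PasswordLastSet (Get-Date).AddDays(-90) -DomainControllerReachable $false
```

Run it on the member computer and feed it the pwdLastSet value from AD (for example from Get-ADComputer with -Properties PasswordLastSet). The VPN case falls out directly: with a 90-day-old password and a reachable DC the output says the change happens on the next scavenger run, so the laptop has to stay connected at least that long; with DisablePasswordChange set to 1 the forecast is "Never", which is why the post says not to enable it.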
- Each Windows-based computer keeps a machine account password history containing the current and previous passwords used for the account.
  - When two computers attempt to authenticate with each other and a change to the current password has not yet been received, Windows falls back to the previous password.
  - If more than two password changes have happened in the meantime, the computers involved may be unable to communicate and you may receive error messages.
- When a client determines that the machine account password needs to be changed:
  - It tries to contact a domain controller for the domain it is a member of and changes the password on the domain controller.
  - If this operation succeeds, it updates the machine account password locally.
  - In other words, the client first updates its machine account password in AD and only then updates it locally.
- There are some cases where you could run into problems with the password change:
  - If you use System Restore after the password change interval has expired once, and you restore the computer to a point before the password change, the next password change may not occur when it is due.
    - Instead, the operating system treats the restore as if the password had been changed.
  - If you use System Restore after the password change interval has expired twice, and you restore the computer to a point before the password changes, the domain user accounts on the computer are disabled and users receive an error message when they try to log on.
  - Otherwise the machine should be able to reset its password once it boots, even after, say, 90 days.
- Regarding VPNs:
  - If a laptop with a machine account password older than MaximumPasswordAge is connected to a VPN through which it can contact a DC for its domain:
    - That machine's account password will be changed as long as the workstation scavenger thread gets a chance to run (i.e. if the laptop remains connected to the VPN for at least one ScavengeInterval, the password will be changed).
  - How old a machine account's password must be before the account is treated as stale depends very much on the environment.
    - For reference:
      How to detect and remove inactive machine accounts: http://support.microsoft.com/default.aspx?scid=kb;EN-US;197478
      How to disable automatic machine account password changes: http://support.microsoft.com/default.aspx?scid=kb;EN-US;154501
      Effects of machine account replication on a domain: http://support.microsoft.com/default.aspx?scid=kb;EN-US;175468
      Domain member: Disable machine account password changes: http://technet.microsoft.com/en-us/library/cc785826.aspx
      Domain member: Maximum machine account password age: http://technet.microsoft.com/en-us/library/cc781050.aspx
      Threats and Countermeasures: http://technet.microsoft.com/hi-in/library/dd162275(en-us).aspx
      Account Passwords and Policies: http://technet.microsoft.com/en-us/library/cc783860.aspx
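An added report for the stale-account question (example code, not from the post): it lists enabled computer objects whose password is older than a chosen threshold, plus those whose password was never set, so that an administrator can review them before deciding anything. It assumes the ActiveDirectory RSAT module and read access to the domain; the function name, the -StaleDays default of 90 and the example OU name are mine. The -ExcludeOU parameter exists to leave out the OU where cluster Network Name objects are parked, as the post recommends, since those never update their password age.

```powershell
# Added example (not code from the original post). Report-only: lists enabled computer
# accounts whose password has not been set for longer than a threshold. Assumes the
# ActiveDirectory module (RSAT) and read access to the domain.
function Get-StaleComputerAccount {
    param(
        [int]$StaleDays = 90,        # threshold; the post says the right value depends on the environment
        [string]$SearchBase = '',    # optional OU to search; empty = whole domain
        [string[]]$ExcludeOU = @()   # OUs to skip, e.g. where cluster Network Name objects live (post's recommendation)
    )
    Import-Module ActiveDirectory
    $now    = Get-Date
    $cutoff = $now.AddDays(-$StaleDays)
    $common = @{ Properties = 'PasswordLastSet', 'OperatingSystem', 'LastLogonDate' }
    if ($SearchBase) { $common.SearchBase = $SearchBase }

    # Accounts whose pwdLastSet is older than the cutoff, plus those where it was never set (pwdLastSet = 0)
    $old   = Get-ADComputer -Filter { Enabled -eq $true -and PasswordLastSet -lt $cutoff } @common
    $never = Get-ADComputer -Filter { Enabled -eq $true -and pwdLastSet -eq 0 } @common

    @($old) + @($never) |
        Where-Object {
            $dn = $_.DistinguishedName
            -not ($ExcludeOU | Where-Object { $dn -like "*,$_" })   # drop anything under an excluded OU
        } |
        Select-Object Name, OperatingSystem, LastLogonDate, PasswordLastSet,
            @{ n = 'PasswordAgeDays'; e = {
                if ($_.PasswordLastSet) { [int]($now - $_.PasswordLastSet).TotalDays } else { 'never set' } } } |
        Sort-Object PasswordLastSet
}

# Review the list; do not disable automatically. As the post explains, a laptop that has been
# offline for three months looks exactly like an abandoned account until it next boots on the network.
Get-StaleComputerAccount -StaleDays 90 -ExcludeOU 'OU=Cluster Objects,DC=example,DC=com' | Format-Table -AutoSize
```

LastLogonDate is included alongside PasswordLastSet because the two together separate an account that is merely dormant from one that is also never logging on; an account with a fresh LastLogonDate but an old password is the interesting case to investigate with the troubleshooting steps further down.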
Also, some useful troubleshooting steps I have used to find out why a machine account's password does not change:
1. Is the machine joined to the domain? Can it ping one of the domain controllers?
2. Is the machine a physical machine? (i.e. not a cluster name, which may not have permission to access Active Directory objects)
3. Is the machine account for this machine enabled in Active Directory?
4. Make sure the Net Logon service is started, its startup type is set to Automatic and the service logon account is the Local System account.
5. Make these changes in the registry (all under HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters):
   a. Make sure the value of DisablePasswordChange is set to 0 (so that password changes are enabled).
   b. Change the value of MaximumPasswordAge to 1 (1 day).
   c. Change the value of ScavengeInterval to 300 (300 seconds).
6. Restart the Net Logon service to apply the changes.
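The checklist above as an added PowerShell walk-through (my code, not the post's), to be run elevated on the member computer. The first function is read-only and collects each check into one object; the second applies the temporary values from steps 5 and 6 and can revert them. Function names are mine; the script assumes the machine account's sAMAccountName is the computer name followed by $, and it does not automate step 2 (whether the object is a cluster name), which stays a manual check.

```powershell
# Added example (not code from the original post). Walks through the troubleshooting checklist
# above on the member computer itself; run it elevated. Assumes the machine account's
# sAMAccountName is the computer name followed by '$'. Step 2 (is this a cluster name?) is
# left as a manual check.
function Test-MachinePasswordChangeReadiness {
    $r  = [ordered]@{}
    $cs = Get-CimInstance Win32_ComputerSystem

    # Step 1: domain membership and whether a DC answers
    $r.PartOfDomain = $cs.PartOfDomain
    $r.Domain       = $cs.Domain
    $r.DCReachable  = $false
    if ($cs.PartOfDomain) {
        try {
            $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController().Name
            $r.DomainController = $dc
            $r.DCReachable      = Test-Connection -ComputerName $dc -Count 1 -Quiet
        } catch { $r.DomainController = "lookup failed: $($_.Exception.Message)" }
    }

    # Step 3: is the computer object enabled? (userAccountControl bit 0x2 = ACCOUNTDISABLE)
    # pwdLastSet is read at the same time, since that is the "password age" AD shows.
    if ($r.DCReachable) {
        $searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
        $null = $searcher.PropertiesToLoad.AddRange([string[]]@('userAccountControl', 'pwdLastSet'))
        $acct = $searcher.FindOne()
        if ($acct) {
            $uac = [int]$acct.Properties['useraccountcontrol'][0]
            $r.AccountEnabled  = -not ($uac -band 0x2)
            $r.PasswordLastSet = [datetime]::FromFileTime([int64]$acct.Properties['pwdlastset'][0])
        } else {
            $r.AccountEnabled = 'computer object not found'
        }
    }

    # Step 4: Net Logon service state, startup type and logon account
    $svc = Get-CimInstance Win32_Service -Filter "Name='Netlogon'"
    $r.NetlogonState     = $svc.State       # expected: Running
    $r.NetlogonStartMode = $svc.StartMode   # expected: Auto
    $r.NetlogonLogonAs   = $svc.StartName   # expected: LocalSystem

    # Step 5a: the registry values the post discusses (absent = built-in default)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters'
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $r.DisablePasswordChange = if ($null -ne $p.DisablePasswordChange) { $p.DisablePasswordChange } else { 0 }
    $r.MaximumPasswordAge    = if ($null -ne $p.MaximumPasswordAge)    { $p.MaximumPasswordAge }    else { 'default' }
    $r.ScavengeInterval      = if ($null -ne $p.ScavengeInterval)      { $p.ScavengeInterval }      else { 'default' }

    # Secure channel check: this is what fails when the local and AD passwords are out of step
    try { $r.SecureChannelOK = Test-ComputerSecureChannel } catch { $r.SecureChannelOK = "error: $($_.Exception.Message)" }

    [pscustomobject]$r
}

# Steps 5b, 5c and 6 as a temporary diagnostic setting; -Revert removes the overrides again.
function Set-NetlogonDiagnosticValues {
    param([switch]$Revert)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters'
    if ($Revert) {
        # Removing the values returns the client to its built-in defaults
        Remove-ItemProperty -Path $key -Name MaximumPasswordAge, ScavengeInterval -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $key -Name DisablePasswordChange -Value 0   -Type DWord   # 5a
        Set-ItemProperty -Path $key -Name MaximumPasswordAge    -Value 1   -Type DWord   # 5b: 1 day
        Set-ItemProperty -Path $key -Name ScavengeInterval      -Value 300 -Type DWord   # 5c: 300 seconds
    }
    Restart-Service -Name Netlogon   # step 6
}

Test-MachinePasswordChangeReadiness | Format-List
```

Run the read-only function first and only then, if everything looks right but the password still does not change, apply the diagnostic values, watch for the change, and revert. One caveat: if the Group Policy setting described earlier is in force, the policy-supplied value is the one Netlogon uses, so a hand-set value under the Parameters key alone may not show any effect; check the resulting policy as well.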
Also, special attention is needed if you are troubleshooting machine accounts that are the virtual name of a Windows cluster:
"The accounts of object type 'Network Name Resource', which are created during the installation of a Windows 2003 cluster, differ from normal computer accounts because they NEVER revalidate their internal password with AD. Therefore they do not update the value of 'password age', which usually confuses AD administrators, who perceive these accounts as being in 'disuse'. Microsoft's recommendation in this regard is to locate these accounts in a separate, special OU, which allows customized administration."
I hope I have cleared up some common misunderstandings about Password Age and Machine Accounts :)
Disclaimer
This is a personal weblog. The opinions expressed here represent my own and not those of my employer. The steps are provided “as is” without a warranty of any kind.