> Probably more than you ever wanted to know
> about machine account password changes.

No, not at all; all of the technical detail you can share is always good,
Steve.

  Thanks!

     joe

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Tuesday, May 30, 2006 11:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

Just to add some additional detail.  The machine account password is
actually changed every 30 days plus a random offset of up to 24 hours so
~31 days as a maximum by default with Windows 2000 and later OSes.  This
is done by the netlogon service on the client and there is a scavenger
thread that wakes up and performs the reset once this threshold is met.
If it cannot reach a Domain Controller it will go back to sleep and
wake up every 15 minutes to try and reset the password.  You can see
this behavior by turning up netlogon debug logging and see the following
output:

Success:

05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Flag password changed in LsaSecret
05/25 14:48:23 [SESSION] NORTHAMERICA: NlChangePassword: Flag password updated on PDC
05/25 14:48:23 [MISC] NlWksScavenger: Can be called again in 30 days (0x9a7ec800)

Failure:

05/16 01:13:24 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/16 01:13:24 [SESSION] NORTHAMERICA: NlSessionSetup: Try Session setup
05/16 01:13:24 [SESSION] NORTHAMERICA: NlDiscoverDc: Start Synchronous Discovery
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlDiscoverDc: Cannot find DC.
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlSessionSetup: Session setup: cannot pick trusted DC
05/16 01:14:05 [MISC] Eventlog: 5719 (1) "NORTHAMERICA" 0xc000005e
c000005e   ^...
05/16 01:14:05 [SESSION] NORTHAMERICA: NlSessionSetup: Session setup Failed
05/16 01:14:05 [MISC] NlWksScavenger: Can be called again in 15 minutes (0xdbba0)

Random Offset:

05/25 15:03:22 [MISC] NlWksScavenger: Can be called again in 30 days (0x9d671aca)

Since the value is in milliseconds when converting this you will see in
the random offset case the value is really ~30.56 days where the one in
success is exactly 30 days.  Probably more than you ever wanted to know
about machine account password changes.


Thanks,

-Steve
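
The hex values in the NlWksScavenger lines above can be decoded mechanically, which is useful when reviewing netlogon debug logs for machines that keep falling back to the 15-minute retry. The following is an added example, not part of the original message; the function names, the retry classification rule and the sample text (constructed from the log lines quoted above) are assumptions of the example.

```python
import re

# Constructed excerpt: NlWksScavenger lines from the message above,
# hard-wrapped the way a mail client wraps them.
SAMPLE = """\
05/25 14:48:23 [SESSION] NORTHAMERICA: NlChangePassword: Flag password
updated on PDC
05/25 14:48:23 [MISC] NlWksScavenger: Can be called again in 30 days
(0x9a7ec800)
05/16 01:14:05 [MISC] NlWksScavenger: Can be called again in 15 minutes
(0xdbba0)
05/25 15:03:22 [MISC] NlWksScavenger: Can be called again in 30 days
(0x9d671aca)
"""

STAMP = re.compile(r"^\d{2}/\d{2} \d{2}:\d{2}:\d{2} ")
SCAVENGER = re.compile(r"^(\S+ \S+) \[MISC\] NlWksScavenger: "
                       r"Can be called again in .*\(0x([0-9a-fA-F]+)\)")
MS_PER_DAY = 24 * 60 * 60 * 1000
BASE_MS = 30 * MS_PER_DAY  # default interval given in the message


def unwrap(text):
    """Rejoin wrapped records: a line with no leading timestamp
    continues the previous record."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def scavenger_schedule(text):
    """Return (timestamp, delay_ms, delay_days, kind) per scavenger record.
    Assumption: a delay shorter than the base interval is a retry."""
    rows = []
    for rec in unwrap(text):
        m = SCAVENGER.match(rec)
        if m:
            ms = int(m.group(2), 16)
            kind = "retry" if ms < BASE_MS else "scheduled"
            rows.append((m.group(1), ms, round(ms / MS_PER_DAY, 2), kind))
    return rows


if __name__ == "__main__":
    for row in scavenger_schedule(SAMPLE):
        print(row)
```
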

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Sunday, May 28, 2006 3:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

Hmm - I cannot find where I got this information from. The KB about
disablePasswordChange has not been updated in a pretty long time (it still
stated only NT in the early WS2k3 days).

The following page even states that the NT4 Workstation changes the
password every 3 days, and retries after another 3 days:
http://www.microsoft.com/technet/archive/winntas/maintain/ntopt4.mspx?mfr=true

However I stand corrected - need to update my brain's cache from google
more often - too bad brains don't support TTL of websites.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


 

>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of joe
>Sent: Wednesday, May 24, 2006 9:41 PM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Machine Psswd Age
>
>I agree with Bob. Seven days pre-W2K, 30 days for W2K and better.
>
>I have never seen a machine change its password at the 50% age and I 
>have looked at this quite a bit for various[1] reasons.
>
>
>  joe
>
>
>
>
>[1] OldCmp being one of them...
>
>--
>O'Reilly Active Directory Third Edition - 
>http://www.joeware.net/win/ad3e.htm
> 
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
>Sent: Wednesday, May 24, 2006 3:21 PM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Machine Psswd Age
>
>The default was 7 days for NT, increased to 30 in W2K and above. See 
>http://support.microsoft.com/kb/154501/ or q175468 or any of the old 
>domain sizing docs.
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
>Simon-Weidner
>Sent: Wednesday, May 24, 2006 11:52 AM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Machine Psswd Age
>
>AFAIK the password change interval is set to 30 in XP (15 in NT, W2k), 
>but the computer account starts to request renewal after 50% of the 
>time is over. After 30 days it'll change it if being logged onto the 
>domain for sure (unless otherwise configured or connected).
>
>Gruesse - Sincerely,
>
>Ulf B. Simon-Weidner
>
>  Profile & Publications:
>http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
>  Weblog: http://msmvps.org/UlfBSimonWeidner
>  Website: http://www.windowsserverfaq.org
>
>
> 
>
>>-----Original Message-----
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
>>Sent: Wednesday, May 24, 2006 5:04 PM
>>To: ActiveDir@mail.activedir.org
>>Subject: [ActiveDir] Machine Psswd Age
>>
>>Anyone know how often machine passwords are renewed/reset in the domain?
>>
>>-Z.V.
>>
>
>List info   : http://www.activedir.org/List.aspx
>List FAQ    : http://www.activedir.org/ListFAQ.aspx
>List archive: 
>http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx