> Probably more than you ever wanted to know
> about machine account password changes.

No, not at all, all of the technical detail you can share is always good Steve.

Thanks!

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Tuesday, May 30, 2006 11:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

Just to add some additional detail. The machine account password is actually changed every 30 days plus a random offset of up to 24 hours, so ~31 days as a maximum by default with Windows 2000 and later OSes. This is done by the netlogon service on the client and there is a scavenger thread that wakes up and performs the reset once this threshold is met. If it cannot reach a Domain Controller it will go back to sleep and wake up every 15 minutes to try and reset the password. You can see this behavior by turning up netlogon debug logging and see the following output:

Success:

05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Flag password changed in LsaSecret
05/25 14:48:23 [SESSION] NORTHAMERICA: NlChangePassword: Flag password updated on PDC
05/25 14:48:23 [MISC] NlWksScavenger: Can be called again in 30 days (0x9a7ec800)

Failure:

05/16 01:13:24 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/16 01:13:24 [SESSION] NORTHAMERICA: NlSessionSetup: Try Session setup
05/16 01:13:24 [SESSION] NORTHAMERICA: NlDiscoverDc: Start Synchronous Discovery
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlDiscoverDc: Cannot find DC.
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlSessionSetup: Session setup: cannot pick trusted DC
05/16 01:14:05 [MISC] Eventlog: 5719 (1) "NORTHAMERICA" 0xc000005e c000005e ^...
05/16 01:14:05 [SESSION] NORTHAMERICA: NlSessionSetup: Session setup Failed
05/16 01:14:05 [MISC] NlWksScavenger: Can be called again in 15 minutes (0xdbba0)

Random Offset:

05/25 15:03:22 [MISC] NlWksScavenger: Can be called again in 30 days (0x9d671aca)

Since the value is in milliseconds, when converting this you will see in the random offset case the value is really ~30.56 days where the one in success is exactly 30 days.

Probably more than you ever wanted to know about machine account password changes.

Thanks,

-Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Sunday, May 28, 2006 3:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

Hmm - I can not find where I got this information from. The KB about disablePasswordChange has not been updated pretty long (still stated only NT in the early WS2k3 days). The following page even states that the NT4 Workstation changes the password every 3 days, and retries after another 3 days:
http://www.microsoft.com/technet/archive/winntas/maintain/ntopt4.mspx?mfr=true

However I stand corrected - need to update my brain's cache from google more often - too bad brains don't support TTL of websites.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

  Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of joe
>Sent: Wednesday, May 24, 2006 9:41 PM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Machine Psswd Age
>
>I agree with Bob. Seven days pre-W2K, 30 days for W2K and better.
>
>I have never seen a machine change its password at the 50% age and I
>have looked at this quite a bit for various[1] reasons.
>
>
>   joe
>
>
>[1] OldCmp being one of them...
>
>--
>O'Reilly Active Directory Third Edition -
>http://www.joeware.net/win/ad3e.htm
>
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
>Sent: Wednesday, May 24, 2006 3:21 PM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Machine Psswd Age
>
>The default was 7 days for NT, increased to 30 in W2K and above. See
>http://support.microsoft.com/kb/154501/ or q175468 or any of the old
>domain sizing docs.
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
>Sent: Wednesday, May 24, 2006 11:52 AM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Machine Psswd Age
>
>AFAIK the password change interval is set to 30 in XP (15 in NT, W2k),
>but the computer account starts to request renewal after 50% of the
>time is over. After 30 days it'll change it if being logged onto the
>domain for sure (unless otherwise configured or connected).
>
>Gruesse - Sincerely,
>
>Ulf B. Simon-Weidner
>
>  Profile & Publications:
>http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
>  Weblog: http://msmvps.org/UlfBSimonWeidner
>  Website: http://www.windowsserverfaq.org
>
>
>>-----Original Message-----
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
>>Sent: Wednesday, May 24, 2006 5:04 PM
>>To: ActiveDir@mail.activedir.org
>>Subject: [ActiveDir] Machine Psswd Age
>>
>>Anyone know how often machine passwords are renewed/reset in the domain?
>>
>>-Z.V.
>>
>
>List info   : http://www.activedir.org/List.aspx
>List FAQ    : http://www.activedir.org/ListFAQ.aspx
>List archive:
>http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
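
Added example, not part of the original thread: a small parser for the netlogon debug lines Steve quotes, which groups them into scavenger cycles and decodes the hex delay (milliseconds) so a failed machine password change stands out. The function names are hypothetical, and treating a started change with no "updated on PDC" line before the next NlWksScavenger line as failed is an assumption of this sketch.

```python
import re

# Netlogon debug lines as quoted in the thread (truncated Eventlog line omitted).
SAMPLE_LOG = """\
05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Flag password changed in LsaSecret
05/25 14:48:23 [SESSION] NORTHAMERICA: NlChangePassword: Flag password updated on PDC
05/25 14:48:23 [MISC] NlWksScavenger: Can be called again in 30 days (0x9a7ec800)
05/16 01:13:24 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/16 01:13:24 [SESSION] NORTHAMERICA: NlSessionSetup: Try Session setup
05/16 01:13:24 [SESSION] NORTHAMERICA: NlDiscoverDc: Start Synchronous Discovery
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlDiscoverDc: Cannot find DC.
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlSessionSetup: Session setup: cannot pick trusted DC
05/16 01:14:05 [SESSION] NORTHAMERICA: NlSessionSetup: Session setup Failed
05/16 01:14:05 [MISC] NlWksScavenger: Can be called again in 15 minutes (0xdbba0)
05/25 15:03:22 [MISC] NlWksScavenger: Can be called again in 30 days (0x9d671aca)
"""

LINE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) \[(\w+)\] (.*)$")
SCAVENGER = re.compile(r"NlWksScavenger: Can be called again in .*\(0x([0-9a-fA-F]+)\)")

def _new_cycle():
    return {"started": None, "updated_on_pdc": False, "errors": []}

def parse_scavenger_cycles(text):
    """Return one record per NlWksScavenger line, covering the lines since the previous one."""
    cycles, cur = [], _new_cycle()
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank lines and anything not in netlogon.log format
        stamp, level, msg = m.groups()
        if msg.endswith("NlChangePassword: Doing it."):
            cur["started"] = stamp
        elif "Flag password updated on PDC" in msg:
            cur["updated_on_pdc"] = True
        elif level == "CRITICAL":
            cur["errors"].append(msg)
        sc = SCAVENGER.search(msg)
        if sc:
            wait_ms = int(sc.group(1), 16)  # hex value is the next delay in milliseconds
            outcome = ("changed" if cur["updated_on_pdc"] else
                       "failed" if cur["started"] else "idle")  # assumption, see lead-in
            cycles.append({**cur, "logged": stamp, "outcome": outcome, "wait_ms": wait_ms,
                           "wait_days": round(wait_ms / 86_400_000, 2)})
            cur = _new_cycle()
    return cycles

if __name__ == "__main__":
    for c in parse_scavenger_cycles(SAMPLE_LOG):
        print(c["logged"], c["outcome"], c["wait_ms"], "ms =", c["wait_days"], "days", c["errors"])
```
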