Correction: the GDO and I are tied. I posted again this morning, just to
spite you.

~Eric


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, June 01, 2006 6:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] Machine Psswd Age

Hey you, the garage door opener, and ~Eric[1] could all share a blog! You
would still need to do a majority of the posting but occasionally they would
kick something in. :)

Certainly I would be an avid reader.


   joe



[1] Who is actually being beat out this year in blog entries by the person
he made fun of for having a blog and not posting....


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, June 01, 2006 2:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

Agreed I have many things that need to go into a blog and that is likely
something I will be working on in the near future.  I just hate to set
one up on technet and then not post, like someone else we know who took
forever to get their first post up and happens to open the garage doors
on campus. :-)  As far as NT 4.0 is concerned I have not debugged or
reviewed that code in years but I do not recall it being that much
different except for the default time changing to 30 days.  As far as
netlogon debug logging you want at a minimum NL_MISC.  I normally use
0x2000ffff to get the standard output and 0x2080ffff and then work up
from there on the more verbose logging.  Of course it does help to look
at the source and see what flag they logged a particular event against
but you can get there with trial and error.

Thanks,

-Steve

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Thursday, June 01, 2006 12:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

> Probably more than you ever wanted to know about machine account
> password changes.

Not at all - my brain sucks that stuff in. To be complete: was it the
same with NT4, or was there such a thing as half-time renewal? What's
the required level of netlogon-debug-logging? 1 enough?

Don't you want to share this info on a blog? It's great, and we could
give you credits and avoid typing whenever there's a discussion of that
topic.
Might be worth including the imaged-client and "reset password on a
computer account" discussions.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Wednesday, May 31, 2006 5:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

Just to add some additional detail.  The machine account password is
actually changed every 30 days plus a random offset of up to 24 hours so
~31 days as a maximum by default with Windows 2000 and later OSes.  This
is done by the netlogon service on the client and there is a scavenger
thread that wakes up and performs the reset once this threshold is met.
If it cannot reach a Domain Controller it will go back to sleep and
wake up every 15 minutes to try and reset the password.  You can see
this behavior by turning up netlogon debug logging and see the following
output:

Success:

05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Flag password changed in LsaSecret
05/25 14:48:23 [SESSION] NORTHAMERICA: NlChangePassword: Flag password updated on PDC
05/25 14:48:23 [MISC] NlWksScavenger: Can be called again in 30 days (0x9a7ec800)

Failure:

05/16 01:13:24 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/16 01:13:24 [SESSION] NORTHAMERICA: NlSessionSetup: Try Session setup
05/16 01:13:24 [SESSION] NORTHAMERICA: NlDiscoverDc: Start Synchronous Discovery
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlDiscoverDc: Cannot find DC.
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlSessionSetup: Session setup: cannot pick trusted DC
05/16 01:14:05 [MISC] Eventlog: 5719 (1) "NORTHAMERICA" 0xc000005e
c000005e   ^...
05/16 01:14:05 [SESSION] NORTHAMERICA: NlSessionSetup: Session setup Failed
05/16 01:14:05 [MISC] NlWksScavenger: Can be called again in 15 minutes (0xdbba0)

Random Offset:

05/25 15:03:22 [MISC] NlWksScavenger: Can be called again in 30 days (0x9d671aca)

Since the value is in milliseconds when converting this you will see in
the random offset case the value is really ~30.56 days where the one in
success is exactly 30 days.  Probably more than you ever wanted to know
about machine account password changes.




Thanks,

-Steve
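
Added example (not part of the original message and not Microsoft code): a small parser that pulls the NlWksScavenger lines out of a netlogon debug log and converts the hex millisecond value, reproducing the 30 days, 15 minutes and ~30.56 days figures above. The sample lines are copied from the excerpts in the message with the e-mail wrapping undone; the function names and the "scheduled"/"retry" labels are this example's own.

```python
import re
from datetime import timedelta

# Constructed sample: scavenger and context lines copied from the excerpts
# quoted in the message above, with the e-mail line wrapping undone.
SAMPLE_LOG = """\
05/25 14:48:23 [SESSION] NORTHAMERICA: NlChangePassword: Flag password updated on PDC
05/25 14:48:23 [MISC] NlWksScavenger: Can be called again in 30 days (0x9a7ec800)
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlDiscoverDc: Cannot find DC.
05/16 01:14:05 [MISC] NlWksScavenger: Can be called again in 15 minutes (0xdbba0)
05/25 15:03:22 [MISC] NlWksScavenger: Can be called again in 30 days (0x9d671aca)
"""

# The hex value in parentheses is the wait in milliseconds.
SCAVENGER = re.compile(
    r"^(?P<stamp>\d\d/\d\d \d\d:\d\d:\d\d) \[MISC\] NlWksScavenger: "
    r"Can be called again in .*\(0x(?P<ms>[0-9a-fA-F]+)\)\s*$"
)
MAX_AGE = timedelta(days=30)     # default interval (Windows 2000 and later)
RETRY = timedelta(minutes=15)    # wait after a failed attempt (no DC found)


def scavenger_intervals(log_text):
    """Return (timestamp, wait, kind) for every NlWksScavenger line."""
    found = []
    for line in log_text.splitlines():
        m = SCAVENGER.match(line)
        if m is None:
            continue
        wait = timedelta(milliseconds=int(m.group("ms"), 16))
        if wait >= MAX_AGE:
            kind = "scheduled"   # change done, next one due after this wait
        elif wait == RETRY:
            kind = "retry"       # change failed, machine will try again
        else:
            kind = "other"
        found.append((m.group("stamp"), wait, kind))
    return found


def random_offset(wait):
    """Part of a scheduled wait beyond the 30-day base interval."""
    return wait - MAX_AGE


if __name__ == "__main__":
    for stamp, wait, kind in scavenger_intervals(SAMPLE_LOG):
        days = wait / timedelta(days=1)
        print(f"{stamp}  {kind:9}  {days:8.4f} days  ({wait})")
```

A machine whose log shows only "retry" entries for a long stretch is one that has not been able to reach a Domain Controller to rotate its password.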

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Sunday, May 28, 2006 3:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

Hmm - I can not find where I got this information from. The KB about
disablePasswordChange has not been updated for pretty long (still stated
only NT in the early WS2k3 days).

The following page even states that the NT4 Workstation changes the
password every 3 days, and retries after another 3 days:
http://www.microsoft.com/technet/archive/winntas/maintain/ntopt4.mspx?mfr=true

However I stand corrected - need to update my brain's cache from google
more often - too bad brains don't support TTL of websites.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


 

>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of joe
>Sent: Wednesday, May 24, 2006 9:41 PM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Machine Psswd Age
>
>I agree with Bob. Seven days pre-W2K, 30 days for W2K and better.
>
>I have never seen a machine change its password at the 50% age and I 
>have looked at this quite a bit for various[1] reasons.
>
>
>  joe
>
>
>
>
>[1] OldCmp being one of them...
>
>--
>O'Reilly Active Directory Third Edition - 
>http://www.joeware.net/win/ad3e.htm
> 
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
>Sent: Wednesday, May 24, 2006 3:21 PM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Machine Psswd Age
>
>The default was 7 days for NT, increased to 30 in W2K and above. See 
>http://support.microsoft.com/kb/154501/ or q175468 or any of the old 
>domain sizing docs.
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
>Sent: Wednesday, May 24, 2006 11:52 AM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Machine Psswd Age
>
>AFAIK the password change interval is set to 30 in XP (15 in NT, W2k), 
>but the computer account starts to request renewal after 50% of the 
>time is over. After 30 days it'll change it if being logged onto the 
>domain for sure (unless otherwise configured or connected).
>
>Gruesse - Sincerely,
>
>Ulf B. Simon-Weidner
>
>  Profile & Publications:
>http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
>  Weblog: http://msmvps.org/UlfBSimonWeidner
>  Website: http://www.windowsserverfaq.org
>
>
> 
>
>>-----Original Message-----
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
>>Sent: Wednesday, May 24, 2006 5:04 PM
>>To: ActiveDir@mail.activedir.org
>>Subject: [ActiveDir] Machine Psswd Age
>>
>>Anyone know how often machine passwords are renewed/reset in the domain?
>>
>>-Z.V.
>>
>
>List info   : http://www.activedir.org/List.aspx
>List FAQ    : http://www.activedir.org/ListFAQ.aspx
>List archive: 
>http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx