Hi, this is Manish Singh from the Directory Services team and I am going to talk about the machine account password process. Ever wondered what goes on with your machine account in Active Directory? Here is a brief set of questions and answers to clear things up.
Question: How often does the machine account password change in AD (is it different for various Windows operating systems)?

Answer: The machine account password change is initiated by the computer every 30 days by default. Since Windows 2000, all versions of Windows have used the same value. This behaviour can be modified to a custom value using the following group policy setting in Active Directory:

Domain member: Maximum machine account password age

You can configure this security setting by opening the appropriate policy and expanding the console tree as follows:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Question: If a workstation does not change its password, will it not be allowed to log onto the network?

Answer: Machine account passwords as such do not expire in Active Directory. They are exempted from the domain's password policy. It is important to remember that machine account password changes are driven by the CLIENT (computer), and not by AD. As long as no one has disabled or deleted the computer account, nor tried to add a computer with the same name to the domain (or taken some other destructive action), the computer will continue to work no matter how long it has been since its machine account password was last changed.

So if a computer is turned off for three months, nothing expires. When the computer starts up, it will notice that its password is older than 30 days and will initiate action to change it. The Netlogon service on the client computer is responsible for doing this. This is only applicable if the machine is turned off for such a long time.

Before we set the new password locally, we ensure we have a valid secure channel to the DC. If the client was never able to connect to the DC (where "never" means anything prior to the time of the attempt – the time to refresh the secure channel), then we will not change the password locally.

The relevant Netlogon parameters that come into play, and that we can think about changing here, are: ScavengeInterval (default 15 minutes), MaximumPasswordAge (default 30 days) and DisablePasswordChange (default off). DisablePasswordChange prevents the client computer from changing its computer account password.

Warning: If you disable machine account password changes, there are security risks because the secure channel is used for pass-through authentication. If someone discovers a password, he or she can potentially perform pass-through authentication to the domain controller.
Here is the article that talks about disabling automatic machine account password changes:

KB 154501

Key = HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
Value = DisablePasswordChange REG_DWORD
Default = 0

Group policy setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Domain member: Disable machine account password changes

ScavengeInterval controls how often the workstation scavenger thread runs; the workstation scavenger is responsible for changing the machine password if necessary.

Key = HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
Value = ScavengeInterval REG_DWORD
Range = 60 to 172800 seconds (48 hours)
Default = 900 (15 minutes)

MaximumPasswordAge determines when the computer password needs to be changed.

Key = HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
Value = MaximumPasswordAge REG_DWORD
Default = 30
Range = 1 to 1,000,000 (in days)

Group policy setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Domain member: Maximum machine account password age
To clear things up, it is 7 days on Windows NT by default, and 30 days on Windows 2000 and up.

The trust password follows the same setting. So a trust between two NT 4 domains is 7 days. Trusts between Windows 2000 and up and anything else are 30 days. What this means is:

2000 to NT 4 trust password is 30 days.
2000 to 2000 is 30 days.
2000 to 2003 is 30 days.
2003 to 2003 is 30 days.
After the Netlogon service starts, the workstation scavenger thread wakes up. If the password is not older than MaximumPasswordAge, the scavenger thread goes back to sleep and sets itself to wake up when the password will reach that age. Otherwise, the scavenger thread will attempt to change the password. If it cannot talk to a DC, it will go back to sleep and try again once ScavengeInterval has elapsed. The ScavengeInterval setting can be modified to a custom value using the following group policy setting in Active Directory.

Group policy setting: Computer Configuration\Administrative Templates\System\Netlogon\Scavenge Interval

Further, we have given the following clarification regarding the behaviour described in http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/55944.mspx?mfr=true and KB260575.
Question: How do computers actually use passwords?
Answer: Each Windows-based computer maintains a machine account password history containing the current and previous passwords used for the account. When two computers attempt to authenticate with each other and a change to the current password has not yet been received, Windows then relies on the previous password. If the sequence of password changes exceeds two changes, the computers involved may be unable to communicate, and you may receive error messages.

When a client determines that the machine account password needs to be changed, it tries to contact a domain controller for the domain of which it is a member to change the password on the domain controller. If this operation succeeds, it updates the machine account password locally.

We first change the password locally and then update it in Active Directory. It will not roll back the change to the current password if it is unable to update it in Active Directory.
The local copy of the machine password is stored under:
HKLM\SECURITY\Policy\Secrets\$machine.ACC
We store the current password and the previous password under the CurrVal and OldVal keys respectively.
In Active Directory, we store the password in unicodePwd and lmPwdHistory. We also store the timestamp in the pwdLastSet attribute. The method to convert it into a readable format is:

· Convert the value in the attribute from decimal to hex (using calc.exe)
· Split the result into two equal parts (8 hex digits for each part)
· Run nltest /time: rightsidehex leftsidehex

The resultant value is the date and time the password was set on this computer object in AD.

The cases in which you could run into the problems that KB260575 describes would be: if you use System Restore after the password change interval has expired at least once, and you restore the computer to a point before the password change, the next password change may not occur when it is due. Instead, the operating system treats the restore as if the password had been changed.
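The pwdLastSet conversion above can be done without calc.exe: the attribute is a 64-bit count of 100-nanosecond intervals since 1 January 1601 UTC, and the "split the hex into two halves" step simply separates the high and low 32 bits that nltest /time: takes. The following Python is an added example, not code from the original post or from Microsoft; the function names and the 30-day threshold constant are this example's own, and the sample value is the well-known FILETIME for 1970-01-01T00:00:00Z, used here only so the result can be checked by hand.

```python
from datetime import datetime, timedelta, timezone
from typing import Tuple

# pwdLastSet (like any Windows FILETIME) counts 100 ns intervals from this epoch.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Client-side default of "Domain member: Maximum machine account password age".
MAX_MACHINE_PASSWORD_AGE_DAYS = 30


def pwdlastset_to_datetime(pwd_last_set: int) -> datetime:
    """Convert a raw pwdLastSet integer to an aware UTC datetime.
    A value of 0 maps to the 1601 epoch, i.e. 'never set' (trivially overdue)."""
    if pwd_last_set < 0:
        raise ValueError("pwdLastSet cannot be negative")
    # Integer division to microseconds avoids float rounding on 17-digit values.
    return FILETIME_EPOCH + timedelta(microseconds=pwd_last_set // 10)


def nltest_time_args(pwd_last_set: int) -> Tuple[str, str]:
    """Return the two hex halves in the order the post's manual procedure passes
    them to 'nltest /time:' (right/low half first, then left/high half)."""
    hex16 = f"{pwd_last_set:016X}"          # 64-bit value as 16 zero-padded hex digits
    left, right = hex16[:8], hex16[8:]      # high dword, low dword
    return right, left


def password_age_days(pwd_last_set: int, now: datetime) -> float:
    """Age of the machine account password in days at time 'now' (aware UTC)."""
    return (now - pwdlastset_to_datetime(pwd_last_set)).total_seconds() / 86400


def change_is_due(pwd_last_set: int, now: datetime,
                  max_age_days: int = MAX_MACHINE_PASSWORD_AGE_DAYS) -> bool:
    """True when the client-side scavenger would consider the password older
    than MaximumPasswordAge and attempt a change on its next wake-up."""
    return password_age_days(pwd_last_set, now) >= max_age_days


if __name__ == "__main__":
    # Constructed sample: FILETIME of the Unix epoch, 1970-01-01T00:00:00Z.
    sample = 116444736000000000
    print("set at :", pwdlastset_to_datetime(sample).isoformat())
    low, high = nltest_time_args(sample)
    print(f"manual : nltest /time: {low} {high}")
    print("due now:", change_is_due(sample, datetime.now(timezone.utc)))
```

Reading the value with the Python conversion rather than nltest also makes it easy to sweep every computer object and report which ones are past the 30-day mark, which is the usual way to spot machines that have not been talking to a DC.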
Now consider the scenario where a machine is not connected to the network for a long period.

Suppose on the client:

Old password = null
Current password = A
New random password = B

And on the machine account in AD:

unicodePwd = A

After 30 days, when the scavenger thread runs, the values would be:

Old password = A
Current password = B

On the 60th day the same process happens again. So now the newly generated password is C and the values are:

Old password = B
Current password = C

Now when the client connects to AD, it will try the current password to authenticate. When that fails with the error

Otherwise the machine should be able to reset its password once it boots, even after, say, 90 days.
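The scavenger behaviour described earlier (sleep until MaximumPasswordAge, retry after ScavengeInterval when no DC answers, keep only CurrVal and OldVal, and never rotate the local secret without a valid secure channel) together with the 90-day scenario above can be modelled in a few lines. The following Python is an added example, not code from the original post or from Microsoft. The DomainController and MemberComputer classes, the "try the current value, then the previous one" fallback, and the simplification that AD and the local secret are updated in one step are assumptions of this model; the start date and the passwords "A", "B", "C" are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class NetlogonParameters:
    """Client-side Netlogon values named in the post, with the documented ranges."""
    maximum_password_age_days: int = 30      # MaximumPasswordAge, 1 .. 1,000,000 days
    scavenge_interval_s: int = 900           # ScavengeInterval, 60 .. 172800 seconds
    disable_password_change: bool = False    # DisablePasswordChange, default 0

    def __post_init__(self) -> None:
        if not 1 <= self.maximum_password_age_days <= 1_000_000:
            raise ValueError("MaximumPasswordAge must be 1..1,000,000 days")
        if not 60 <= self.scavenge_interval_s <= 172800:
            raise ValueError("ScavengeInterval must be 60..172800 seconds")


@dataclass
class DomainController:
    """Toy stand-in (assumption) for the computer object's unicodePwd attribute."""
    unicode_pwd: str
    reachable: bool = True

    def set_password(self, presented: str, new: str) -> bool:
        # The change rides on an existing secure channel: the client has to prove it
        # still knows the value AD holds before AD accepts a new one.
        if not self.reachable or presented != self.unicode_pwd:
            return False
        self.unicode_pwd = new
        return True


@dataclass
class MemberComputer:
    """Local secret: CurrVal and OldVal under HKLM\\SECURITY\\Policy\\Secrets\\$machine.ACC."""
    curr_val: str
    pwd_set_at: datetime
    old_val: Optional[str] = None
    params: NetlogonParameters = field(default_factory=NetlogonParameters)

    def secure_channel_password(self, dc: DomainController) -> Optional[str]:
        """Return the local value the DC still accepts: current first, then previous.
        The two-entry history is why one missed update is survivable but two are not."""
        if not dc.reachable:
            return None
        for candidate in (self.curr_val, self.old_val):
            if candidate is not None and candidate == dc.unicode_pwd:
                return candidate
        return None

    def scavenger_step(self, now: datetime, dc: DomainController) -> Tuple[str, datetime]:
        """One wake-up of the workstation scavenger thread: returns (action, next wake-up)."""
        retry_at = now + timedelta(seconds=self.params.scavenge_interval_s)
        due_at = self.pwd_set_at + timedelta(days=self.params.maximum_password_age_days)
        if self.params.disable_password_change:
            return "disabled", due_at
        if now < due_at:
            return "sleep", due_at          # not old enough: sleep until MaximumPasswordAge
        working = self.secure_channel_password(dc)
        if working is None:
            return "retry", retry_at        # no valid secure channel: leave the local secret alone
        new_password = secrets.token_hex(16)
        if not dc.set_password(working, new_password):
            return "retry", retry_at
        self.old_val, self.curr_val = self.curr_val, new_password   # rotate the local history
        self.pwd_set_at = now
        return "changed", now + timedelta(days=self.params.maximum_password_age_days)


def simulate_offline_then_online() -> Dict[str, object]:
    """Drive the toy through the post's scenario: 90 days without any DC, then one contact."""
    t0 = datetime(2024, 1, 1)                                  # constructed start date
    dc = DomainController(unicode_pwd="A", reachable=False)
    pc = MemberComputer(curr_val="A", pwd_set_at=t0)
    log: List[Tuple[int, str]] = []
    for day in (0, 30, 60, 90):
        action, _ = pc.scavenger_step(t0 + timedelta(days=day), dc)
        log.append((day, action))
    in_sync_while_offline = pc.curr_val == dc.unicode_pwd     # nothing rotated without a DC
    dc.reachable = True                                        # network is back
    action, _ = pc.scavenger_step(t0 + timedelta(days=90, seconds=900), dc)
    log.append((90, action))
    return {
        "log": log,
        "in_sync_while_offline": in_sync_while_offline,
        "old_val_after_change": pc.old_val,
        "in_sync_after_reconnect": pc.curr_val == dc.unicode_pwd,
    }


if __name__ == "__main__":
    for key, value in simulate_offline_then_online().items():
        print(f"{key}: {value}")
```

The point the model makes explicit is that the B/C rotation in the scenario never happens while the DC is unreachable: the client keeps A, AD keeps A, and the first successful scavenge after reconnecting rotates to a fresh random value with A retained as OldVal. The one state that does break is a client whose CurrVal and OldVal have both moved past what AD holds (for instance after a restore from an old image), which is exactly the case where secure_channel_password returns None and a reset or rejoin is needed.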
How to detect and remove inactive machine accounts
http://support.microsoft.com/default.aspx?scid=kb;EN-US;197478

Resetting computer accounts in Windows
http://support.microsoft.com/default.aspx?scid=kb;EN-US;216393
I would recommend the following KB articles as good reads:
How to disable automatic machine account password changes
http://support.microsoft.com/default.aspx?scid=kb;EN-US;154501

Effects of machine account replication on a domain
http://support.microsoft.com/default.aspx?scid=kb;EN-US;175468

Domain member: Disable machine account password changes
http://technet.microsoft.com/en-us/library/cc785826.aspx

Domain member: Maximum machine account password age
http://technet.microsoft.com/en-us/library/cc781050.aspx

Threats and Countermeasures
http://technet.microsoft.com/hi-in/library/dd162275(en-us).aspx

Account Passwords and Policies
http://technet.microsoft.com/en-us/library/cc783860.aspx

To wrap it up: machine account passwords are driven by the client computer, not by Active Directory. The Netlogon scavenger thread is responsible for changing the machine password if necessary, and its behaviour can be modified by group policy.
- Manish Singh
Just for clarity. Previous machine account passwords are not retained in Active Directory.
This means that as soon as a machine account password is changed, any backup images of that computer will contain an invalid machine account password.
At this point, restoring a previous backup image will require manipulating the machine account password to resync the machine account password with the domain.
The following link has a nice set of tools to test and verify the machine account password.
http://blogs.msdn.com/sudhakan/default.aspx
Do you have any idea of the likelihood of the last sentence occurring in an enterprise?

silly robert_r, when he says 'we' he means it's automatically done locally by the computer and then updated in AD. If, however, AD is not contactable then the PC's password will be out of sync, resulting in computer account issues which may require a reset/rejoin to the domain.
xo
Do computers change password when connecting to the network via VPN? Or does the procedure apply only to local logons?
They would at least try - Netlogon doesn't distinguish between different network types. If the password was expired and the computer booted up then failed to reach a DC (because the VPN was not started yet) then the ScavengeInterval registry value will determine how long it will wait before trying again - default is 15 minutes. You might need to lower it if user VPN connections are very short-lived.
Before we set the new password locally, we ensure we have a valid secure channel to the DC. If the client was never able to connect to the DC (where never is anything prior to the time of the attempt – time to refresh the secure channel), then we will not change the password locally.

Does this mean that even if a computer powers on every day but cannot reach a DC, it will not change its password locally? Once the network is OK and it can reach a DC, the computer can change the local password and update it in AD.