Guest Matt
Posted June 25, 2008

Can you explain to me a few things about machine account password changes. This is a single forest AD Windows Server 2003 forest, running forest functional level.

The default settings for machine related password changes apply.

- Domain member: Maximum machine account password: 30 days
- Domain member: Disable machine account password changes: Disable

Do you know what triggers a machine account password to change? Would it be a Group Policy Update (60 minute background refresh)? Or would it be a machine restart? I need something definite and I am not able to find it documented.

When a machine account password does change, how do you validate that a machine account password change occurred? Event ID on DC? Machine Account Object Gets Modified in AD?

The reason I ask is because we want to run a machine account cleanup script http://www.rlmueller.net/MoveOldComputers.htm which checks the PwdLastSet attribute. However, we want to know what triggers the machine account password to be reset because there are a lot of machines that may not have users logged on for a long period of time. We therefore want to ensure that we don't cause a big management nightmare by setting the password change time interval on the script too low.

Thanks for your input.

Guest USN9AWM@gmail.com
Posted June 25, 2008

Re: Machine Account Password Changes - What Triggers Them? How toVali

On Jun 24, 9:38 pm, Matt <M...@discussions.microsoft.com> wrote:
> Can you explain to me a few things about machine account password changes.
> This is a single forest AD Windows Server 2003 forest, running forest
> functional level.
>
> The default settings for machine related password changes apply.
>
> - Domain member: Maximum machine account password: 30 days
> - Domain member: Disable machine account password changes: Disable
>
> Do you know what triggers a machine account password to change? Would it be
> a Group Policy Update (60 minute background refresh)? Or would it be a
> machine restart? I need something definite and I am not able to find it
> documented.
>
> When a machine account password does change, how do you validate that a
> machine account password change occurred? Event ID on DC? Machine Account
> Object Gets Modified in AD?
>
> The reason I ask is because we want to run a machine account cleanup script
> http://www.rlmueller.net/MoveOldComputers.htm which checks the PwdLastSet
> attribute. However, we want to know what triggers the machine account password
> to be reset because there are a lot of machines that may not have users logged
> on for a long period of time. We therefore want to ensure that we don't cause
> a big management nightmare by setting the password change time interval on
> the script too low.
>
> Thanks for your input.

I believe that it is done via the GPO refresh policy. If you are using the default of 30 days, set your script to 60.
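
The age check that a pwdLastSet-based cleanup depends on, as an added example that is not part of the original thread or of the linked script: it converts raw pwdLastSet values (Windows FILETIME, 100-nanosecond ticks since 1601-01-01 UTC) to dates and sorts machine accounts by a cutoff. The function names, bucket names and sample machine names are constructed for illustration; the 60-day default is the value suggested in the reply above.

```python
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks):
    """Convert a raw pwdLastSet value to an aware UTC datetime (None for 0)."""
    if ticks == 0:  # 0 carries no timestamp, so no age can be computed
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    """Inverse conversion, used here only to build the sample data."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def classify(computers, now, max_age_days=60):
    """Sort (name, pwdLastSet) pairs into active / stale / no_timestamp."""
    cutoff = now - timedelta(days=max_age_days)
    report = {"active": [], "stale": [], "no_timestamp": []}
    for name, ticks in computers:
        changed = filetime_to_datetime(int(ticks))
        if changed is None:
            report["no_timestamp"].append(name)  # review by hand, never auto-move
            continue
        age_days = (now - changed).days
        bucket = "stale" if changed < cutoff else "active"
        report[bucket].append((name, age_days))
    return report

# Constructed sample data (hypothetical machine names), relative to a fixed date
# so the output is reproducible.
NOW = datetime(2008, 6, 25, tzinfo=timezone.utc)
SAMPLE = [
    ("WKS-001$", datetime_to_filetime(NOW - timedelta(days=12))),
    ("WKS-002$", datetime_to_filetime(NOW - timedelta(days=45))),   # past 30, under 60
    ("WKS-003$", datetime_to_filetime(NOW - timedelta(days=200))),
    ("WKS-004$", 0),
]

if __name__ == "__main__":
    for days in (30, 60):
        print(f"cutoff {days} days:", classify(SAMPLE, NOW, days))
```

With the constructed data, the 45-day-old account is flagged at a 30-day cutoff but not at 60, which is the margin the question is concerned about.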