Discussion:
What does: "maximum machine account password age" influence?
Hans Klinger
2005-01-30 22:47:57 UTC
Here is the link I'm wondering what influences:
Computer configuration
- Windows Security
- Security Settings
- Local Policies
- Domain Member: Maximum machine account password age

My guess is that computer passwords as well as user passwords need to be
changed to ensure proper security and if I set this to 30 days and a
workstation is offline for more than 30 days the machine account in Active
Directory becomes invalid and marked with a red X.

Please explain to me what this setting does.

I'm looking for a setting or knowledge of how old computer accounts in
Active Directory are cleaned, marked with a red X or whatever. If I look in
the ADUC\Computers there are a lot of computer accounts that don't exist
anymore, when are they flushed?
Glenn L
2005-01-30 23:47:22 UTC
This controls how often a member computer will change its account password
with the domain.
It does NOT control user passwords.
The default interval for computers is 30 days. It is the member computer
that initiates a password change, and if the computer is off for greater than
30 days, it will update its password the next time it is turned on.
AD will not disable a computer account for simply being offline for greater
than 30 days.

When a computer is removed from the domain, its computer object becomes
disabled.
There is no purging mechanism to permanently remove them.

If you want to find old computers that have not been online in ages, you
will need to query the pwdlastset attribute.
I have seen plenty of posts about vbscripts that do this for you. Do a
search, and I suspect you will find one.
--
Glenn L
CCNA, MCSE 2000/2003 + Security
Post by Hans Klinger
Computer configuration
- Windows Security
- Security Settings
- Local Policies
- Domain Member: Maximum machine account password age
My guess is that computer passwords as well as user passwords need to be
changed to ensure proper security and if I set this to 30 days and a
workstation is offline for more than 30 days the machine account in Active
Directory becomes invalid and marked with a red X.
Please explain to me what this setting does.
I'm looking for a setting or knowledge of how old computer accounts in
Active Directory are cleaned, marked with a red X or whatever. If I look in
the ADUC\Computers there are a lot of computer accounts that don't exist
anymore, when are they flushed?
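Added example, not part of the original thread: one way to run the pwdLastSet check that Glenn L's reply describes, in Python over an LDIF-style export of computer objects. The sample entries, the 90-day threshold and the function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UAC_ACCOUNTDISABLE = 0x2  # userAccountControl bit set on a disabled account

# Constructed sample in LDIF form; names and values are made up for illustration.
SAMPLE_LDIF = """\
dn: CN=WS-ALPHA,CN=Computers,DC=example,DC=test
pwdLastSet: 127506528000000000
userAccountControl: 4096

dn: CN=WS-BRAVO,CN=Computers,DC=example,DC=test
pwdLastSet: 127342368000000000
userAccountControl: 4096

dn: CN=WS-CHARLIE,CN=Computers,DC=example,DC=test
pwdLastSet: 0
userAccountControl: 4098
"""

def filetime_to_datetime(value):
    """pwdLastSet is 100-ns ticks since 1601-01-01 UTC; 0 means never set."""
    ticks = int(value)
    return None if ticks == 0 else FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_ldif(text):
    """Yield one dict per blank-line-separated entry (single-valued attributes only)."""
    for block in text.strip().split("\n\n"):
        yield dict(line.partition(": ")[::2] for line in block.splitlines())

def stale_computers(ldif_text, now, max_age_days=90):
    """Return (dn, password_age_days or None, disabled) for accounts past the threshold."""
    report = []
    for entry in parse_ldif(ldif_text):
        changed = filetime_to_datetime(entry.get("pwdLastSet", "0"))
        age = None if changed is None else (now - changed).days
        disabled = bool(int(entry.get("userAccountControl", "0")) & UAC_ACCOUNTDISABLE)
        if age is None or age > max_age_days:
            report.append((entry["dn"], age, disabled))
    return report

if __name__ == "__main__":
    now = datetime(2005, 1, 30, tzinfo=timezone.utc)  # fixed date so output is repeatable
    for dn, age, disabled in stale_computers(SAMPLE_LDIF, now):
        print(f"{dn}: password age={age} days, disabled={disabled}")
```

Set the threshold well above the configured maximum machine account password age, because a machine that has only been switched off keeps its old pwdLastSet until it next starts.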