Thanks Ulf...

How sure are you on the half-life thing? I watched thousands of machines and
they always went to 30 days before changing; I didn't see any half-life or
even 3/4-life changing at all. Any additional docs on that functionality, or
is this based on personal testing?

One thing I do recall seeing is that if we created machine accounts for 2K
more than 30-40 days in advance, the server admins would have problems with
the initial joins. We never got a chance to dig into that with serious
testing; have you encountered anything like that?

This is one of the topics that is interesting to know but that I don't really
want to dig into seriously, as there are just too many other things to figure out.



  joe

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Saturday, May 08, 2004 4:30 AM
To: [EMAIL PROTECTED]
Subject: AW: [ActiveDir] Cached Domain Credential logon expiry for Win2k/XP

Hi Joe,

AFAIK the passwords of the computer accounts are not set to expire, but they
are automatically changed.

The password change is done from the netlogon service. The default time in
NT was 15 days, changed to 30 days in W2k and later. The client might decide
to change after half of the period is over, but has to change when it's
over. So technically your NT4 client might change its password after 7.5
days, the WXP client after 15 days. It's like in DHCP: once half of the
period is over, it's up to client and server to decide when it's
convenient to change.

But there's also a registry key underneath Netlogon/Parameters, which tells
the client not to change the password, or vice versa tells the DCs to refuse
password change requests.

So if you have a client that never changed its password, it will still
work. However, if you have a client which was imaged, backed up, or running
in a virtual machine using some roll-back-to-snapshot feature, the following
might occur:
1. The state of the client is backed up / snapshotted.
2. The client runs in the domain; whenever it decides, it'll change its
   computer password (NT4 earliest 7.5 days after joining the
   domain/resetting the password, WXP 15 days).
3. After the client changed its password, you roll back the machine.

So if there was just one change, the AD remembers the last computer account
password. An NT4 domain does not, so the client in the NT4 domain is not able
to connect to the domain.
If there was more than one change of the computer account password between
the client and the domain, you can not log on to the domain. You'll need to
reset the computer account password first.

So especially for your virtual machines to test stuff there might be a
reason to disable the password change on the client side. If the client does
not change, the DC never will. Same as your user account password - if the
user never decides to change the password, the DC will not send him a mail
with his new password ;-). And as I mentioned earlier, I'm quite sure that
the password is not set to expire in the domain.
Look at KB 154501 (old KB, but AFAIK still valid) on how to disable the
password change of the computer account either on the client or the server
side.

Thinking of it - it would be a great security enhancement to set the
computer account passwords to expire after a certain time. Because with the
current behavior a client which was out of the domain for ages will always
be able to log back onto it - since the client didn't have any contact with
the domain, it didn't change the password. So the old one is still valid. I
believe the computer would not be able to handle the expired passwords, but
WTH - if you set the period long enough this will never happen since it's
used to changing its password frequently anyway. But since we are not able
to do this as of today ...

OK - enough for now - just my 0.02€

Ulf

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 06, 2004 14:31
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Cached Domain Credential logon expiry for Win2k/XP

I am actually starting to wonder on this and how it actually works and now
have some new theories.

I recently had to troubleshoot an issue and there were machines with
passwords that were greater than 600 days old. The password had never been
changed from the first day the machines were added to the domain and the
machines WERE working fine with the domain. 

The issue ended up being that the NETLOGON service had been disabled on the
workstation. This made it so you couldn't use any local principals, but you
could still log on with a domain ID. The NETLOGON service is what keeps the
passwords getting updated, as well as the SP level and probably some other
things in AD. I am sure there were probably some other things that weren't
working quite exactly as expected either, but the users seemed to have no
issues. As soon as the service was restarted, the password changes started
occurring again.

I didn't have a chance to really dig into why the accounts kept working,
whether it was some special flag or not; we just wanted it cleaned up.

Since the passwords were that old though and the people could still use the
domain, it makes me wonder if the passwords truly "break" for workstations,
and if it isn't on the workstation side versus the domain side, i.e. the
workstation is completely responsible for the whole process and you actually
have no control from the domain side. I always wondered how the regedit on
the workstation could change the functionality; this would explain that.

  joe
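Ulf's observation above that a long-absent machine keeps a valid password indefinitely, and the 600-day-old passwords under a disabled NETLOGON service in this message, both come down to the same defensive check: look at pwdLastSet on the computer accounts. As an added example that is not from this thread, the Python below converts pwdLastSet FILETIME values and buckets each account against the 30-day W2k/XP default; the host names and records are constructed, and the "overdue" band (up to two intervals) is an assumption modelled on Roger's current-plus-previous remark further down, not a documented DC rule.

```python
from datetime import datetime, timedelta, timezone
# pwdLastSet is a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DEFAULT_INTERVAL_DAYS = 30  # W2k/XP netlogon default from the thread (NT4: 7)

def filetime_to_datetime(filetime: int) -> datetime:
    """Convert an AD pwdLastSet value to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def classify_age(age_days: int, interval_days: int = DEFAULT_INTERVAL_DAYS) -> str:
    """Bucket a machine-account password age against the change interval:
    current = within one interval (healthy client); overdue = past one but
    inside the assumed current+previous window, so the client would still
    authenticate; stale = well beyond that (long-absent host, NETLOGON
    disabled, or change disabled in the registry): worth a closer look."""
    if age_days <= interval_days:
        return "current"
    if age_days <= 2 * interval_days:
        return "overdue"
    return "stale"

def audit_computer_accounts(records, now, interval_days=DEFAULT_INTERVAL_DAYS):
    """Return (sAMAccountName, age_days, status) per record. Records are dicts
    with 'sAMAccountName' and integer 'pwdLastSet' as LDAP returns them;
    pwdLastSet == 0 means a pre-staged account whose password no join has set."""
    results = []
    for rec in records:
        if rec["pwdLastSet"] == 0:
            results.append((rec["sAMAccountName"], None, "never-set"))
            continue
        age = (now - filetime_to_datetime(rec["pwdLastSet"])).days
        results.append((rec["sAMAccountName"], age, classify_age(age, interval_days)))
    return results

# Constructed sample data for hypothetical hosts, anchored to a fixed "now".
NOW = datetime(2004, 5, 8, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"sAMAccountName": "WS-HEALTHY$", "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=5))},
    {"sAMAccountName": "LAPTOP-ROAD$", "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=45))},
    {"sAMAccountName": "WS-NOLOGON$", "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=600))},
    {"sAMAccountName": "WS-STAGED$", "pwdLastSet": 0},
]

if __name__ == "__main__":
    for name, age, status in audit_computer_accounts(SAMPLE_RECORDS, NOW):
        print(f"{name:13} {str(age):>5} days  {status}")
```

Against a real directory, feed it the pwdLastSet values of an LDAP search for objectClass=computer and review the "stale" and "never-set" buckets.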




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, May 06, 2004 7:43 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Cached Domain Credential logon expiry for Win2k/XP

Default password aging for machine accounts is 30 days in AD and 7 days in
NT4 domains.

Now - it will support current and previous, I believe, so technically you can
get 60 days out of it, IIRC.

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
 

> -----Original Message-----
> From: Depp, Dennis M. [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 06, 2004 6:54 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Cached Domain Credential logon expiry for 
> Win2k/XP
> 
> There is not a time limit for cached credentials, but if the machine 
> does not change its password it will not be able to talk to the domain 
> when it returns.  The default time for this is 90 days.
>  
> Denny
> 
> 
> ________________________________
> 
>       From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
>       Sent: Wednesday, May 05, 2004 12:01 PM
>       To: [EMAIL PROTECTED]
>       Subject: RE: [ActiveDir] Cached Domain Credential logon expiry for 
> Win2k/XP
>       
>       
>       Our cached logon expert is Rick, he should be along shortly with 
> info... :o)
>        
>       I do not believe that there is an expiration. However, a simple test 
> would be to take a test domain and set the password policy to 1 or
> 2 days and then join a laptop and see what happens if you don't log on 
> to the domain for 3 or 5 days or whatever.
>        
>          joe
> 
> ________________________________
> 
>       From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> [EMAIL PROTECTED]
>       Sent: Wednesday, May 05, 2004 11:47 AM
>       To: [EMAIL PROTECTED]
>       Subject: [ActiveDir] Cached Domain Credential logon expiry for 
> Win2k/XP
>       
>       
> 
>       Does anyone know how long cached credentials for domain logons are 
> valid on Win2K/XP machines?  Is there even an expiry date?  A concern 
> was raised by our desktop OS group that cached credentials for domain 
> logons may expire for laptop users who spend considerable time away 
> from the office, leaving them unable to access the workstation.  In my 
> life as a road warrior, I never had this happen to me, but I was never 
> away from a network connection (VPN or otherwise) for more than 2 
> weeks.
> 
>       I have been searching for a definitive answer in terms of a KB 
> article or some other "authoritative source" (I guess my "trust me" 
> response was not authoritative enough), but have been unable to find 
> one.
> 
> 
> 
>       David Frost 
>       Directory Engineering, 
>       Messaging, Directories and PKI Engineering Services 
>       Industry Canada
> 
> 
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 