On Thu, Aug 26, 2021 at 8:11 PM Christian, Mark <mark.christ...@intel.com> wrote:
> [W]hy bother with updating the machine account password?

For sites that have a lot of machine churn, where machine accounts aren't reliably purged from AD when the underlying host is decommissioned, disabling and/or purging machine accounts with old passwords is essentially a garbage collection activity, to prevent stale machine accounts from continuing to exist in AD in perpetuity.

Also, some sites must conform with security guidelines that *require* frequent changes of machine account passwords:

https://www.stigviewer.com/stig/microsoft_windows_server_2016/2021-03-05/finding/V-225033

Granted, that STIG rule applies to Windows machine accounts, not Linux machine accounts, but disabling any machine account in AD whose password is older than 30 days is one way to detect any Windows clients that are nonconforming with the STIG. And in many cases it's easier to apply that rule globally than on a per-OU basis (to exempt non-Windows machine accounts).
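
The 30-day sweep described in the message above, as an added example that is not part of the original message or of SSSD: it takes exported computer-account records, converts the AD `pwdLastSet` FILETIME value to a date, and reports accounts whose password is older than the threshold, noting which ones report a Windows `operatingSystem`. The host names, the `operatingSystem` strings and the helper names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=30)  # threshold named in the message above


def filetime_to_datetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=int(ticks) // 10)


def datetime_to_filetime(dt):
    # Only used to build the constructed sample records below.
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def stale_machine_accounts(records, now, max_age=MAX_AGE):
    """Return (name, age_days, is_windows) per stale account; age_days is None if never set."""
    stale = []
    for rec in records:
        ticks = int(rec.get("pwdLastSet", 0) or 0)
        is_windows = rec.get("operatingSystem", "").lower().startswith("windows")
        if ticks == 0:  # password never set: no age to compute, report it anyway
            stale.append((rec["sAMAccountName"], None, is_windows))
            continue
        age = now - filetime_to_datetime(ticks)
        if age > max_age:
            stale.append((rec["sAMAccountName"], age.days, is_windows))
    return stale


# Constructed sample data: hypothetical hosts, not taken from the thread.
NOW = datetime(2021, 8, 27, tzinfo=timezone.utc)
SAMPLE = [
    {"sAMAccountName": "WEB01$", "operatingSystem": "Windows Server 2016 Standard",
     "pwdLastSet": str(datetime_to_filetime(NOW - timedelta(days=12)))},
    {"sAMAccountName": "OLDWIN$", "operatingSystem": "Windows Server 2016 Standard",
     "pwdLastSet": str(datetime_to_filetime(NOW - timedelta(days=95)))},
    {"sAMAccountName": "LNXBUILD$", "operatingSystem": "Linux",
     "pwdLastSet": str(datetime_to_filetime(NOW - timedelta(days=400)))},
    {"sAMAccountName": "GHOST$", "pwdLastSet": "0"},
]

if __name__ == "__main__":
    for name, age, is_windows in stale_machine_accounts(SAMPLE, NOW):
        kind = "Windows (nonconforming with the 30-day rule)" if is_windows else "non-Windows or unknown"
        print(f"{name}: password age {age} days, {kind}")
```

A Linux host that never rotates its machine password shows up in the same sweep as a decommissioned one, which is why a globally applied rule also catches non-Windows accounts.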