  1. #1

    FN-GM

    Implications of changing "Maximum machine account password age" policy

    Hello.

    I have written a PowerShell script that will disable and delete old computers from Active Directory. The script uses the time period since the machine password was last changed. To get a more accurate result I am considering changing the Maximum machine account password age policy.

    I have one question. If I change the policy from the default of 30 days to, say, 5, and a computer is turned off for 6 weeks and then is turned on, will that machine lose the trust with the domain, please?

    All clients on the domain are running Windows 7 with Server 2008 R2.

    Many Thanks

  2. #2


    Don't you mean 6 days? Either way, it's not recommended.

    In some countries where workers get several weeks of vacation, it is not uncommon for a worker to take four weeks off at a stretch. (This could also be the situation in a job share arrangement.) When the worker comes back, the computer does not talk to the domain.

    There are a couple of ways to handle this. One way is to increase the amount of time between the changes of the secure channel password (but I do not recommend this). Another way is to remove the computer from the domain, reboot the computer, join the computer to the domain, and reboot again. On my laptop (where it takes nearly 10 minutes for the laptop to become usable after a reboot), we are talking about a 30 minute process.

    There are other alternatives to this multiple reboot scenario. Each of these solutions could easily be placed into a Windows PowerShell script. (Source)

  3. #3

    FN-GM
    So I am likely to get the trust issue. On the MS forums someone put "If a computer is turned off for 6 weeks when it turns on again it will automatically renew its password."

    The issue I could see is if a laptop is being used at home for a period of time. I could always just set the policy for desktops.

  4. #4


    Could you try it on a test VM with a test policy set for as short a period of time as you can, then just turn the VM off for a week or so and see what happens?

    As I suspect it's one of those policies where you ask 3 people and you will get 3 different answers, and it's also liable to come back and bite you in the bum if you do roll it out.
    Last edited by sted; 5th March 2012 at 02:37 PM.

  5. #5

    FN-GM
    Quote: Originally posted by sted
    Could you try it on a test VM with a test policy set for as short a period of time as you can, then just turn the VM off for a week or so and see what happens?

    As I suspect it's one of those policies where you ask 3 people and you will get 3 different answers, and it's also liable to come back and bite you in the bum if you do roll it out.

    It's funny you should say that. I did do that and I booted the machine, forgetting I was testing
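
A report-only sketch of the kind of stale-computer check described in post #1, added here as an example; it is not FN-GM's script. It assumes the ActiveDirectory module is available; the grace period and the output file name are assumptions to adjust.

```powershell
# Added example (not from the thread): lists candidate stale computer accounts.
# It only reports; nothing is disabled or deleted.
Import-Module ActiveDirectory

# Assumed values: set these to match your own environment.
$MaxPasswordAgeDays = 30   # "Maximum machine account password age" in effect
$GraceDays          = 60   # extra margin for machines that are off or off-site
$ReportPath         = '.\stale-computers.csv'   # hypothetical output file

$now    = Get-Date
$cutoff = $now.AddDays(-($MaxPasswordAgeDays + $GraceDays))

# PasswordLastSet: when the machine account password was last changed.
# LastLogonDate: derived from lastLogonTimestamp, which is replicated between
# domain controllers with a delay of up to about 14 days.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' `
    -Properties PasswordLastSet, LastLogonDate, OperatingSystem

$stale = $computers | Where-Object {
    # Require BOTH signals to be old, so a machine that has been logging on
    # but has not rotated its password is not flagged on one attribute alone.
    # Accounts with an empty value are skipped and need a separate review.
    $_.PasswordLastSet -and $_.LastLogonDate -and
    ($_.PasswordLastSet -lt $cutoff) -and ($_.LastLogonDate -lt $cutoff)
} | Select-Object Name, OperatingSystem, PasswordLastSet, LastLogonDate,
    @{ Name = 'PasswordAgeDays'
       Expression = { [int]($now - $_.PasswordLastSet).TotalDays } }

# Write the candidates out for manual review before any disable step.
$stale | Sort-Object PasswordLastSet |
    Export-Csv -Path $ReportPath -NoTypeInformation

"{0} of {1} enabled computer accounts are older than {2:yyyy-MM-dd}" -f `
    @($stale).Count, @($computers).Count, $cutoff
```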
