Windows Server 2008 R2 Thread: Implications of changing "Maximum machine account password age" policy, in Technical
5th March 2012, 01:30 PM #1
Implications of changing "Maximum machine account password age" policy
I have written a PowerShell script that will disable and delete old computers from Active Directory. The script uses the time period since the machine password was last changed. To get a more accurate result I am considering changing the Maximum machine account password age policy.
I have one question. If I change the policy from the default of 30 days to, say, 5, and a computer is turned off for 6 weeks and then is turned on, will that machine lose the trust with the domain, please?
All clients on the domain are running Windows 7 with Server 2008 R2.
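A report-only way to apply the password-age test described in this post, as an added example that is not the poster's script. The 30-day interval comes from the post; the function name, the 60-day grace margin, the action labels and the sample accounts are assumptions constructed for illustration.

```powershell
# Added example, report only: nothing is disabled or deleted here.
function Get-StaleComputerReport {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Computer,
        [int] $MaxPasswordAgeDays = 30,   # policy default named in the post
        [int] $GraceDays = 60,            # assumption: margin for machines that are switched off
        [datetime] $Now = (Get-Date)
    )
    foreach ($c in $Computer) {
        if ($null -eq $c.PasswordLastSet) {
            # No password change recorded (for example a pre-staged account)
            $age = $null
            $action = 'Review'
        } else {
            $age = [int][math]::Floor(($Now - $c.PasswordLastSet).TotalDays)
            if     ($age -le $MaxPasswordAgeDays)              { $action = 'Keep' }
            elseif ($age -le $MaxPasswordAgeDays + $GraceDays) { $action = 'Watch' }
            else                                               { $action = 'DisableCandidate' }
        }
        [pscustomobject]@{
            Name            = $c.Name
            PasswordAgeDays = $age
            Action          = $action
        }
    }
}

# Constructed sample accounts (hypothetical names and dates)
$now = [datetime]'2012-03-05'
$sample = @(
    [pscustomobject]@{ Name = 'PC-LAB-01';    PasswordLastSet = [datetime]'2012-02-20' }
    [pscustomobject]@{ Name = 'LT-HOME-07';   PasswordLastSet = [datetime]'2012-01-23' }
    [pscustomobject]@{ Name = 'PC-OLD-13';    PasswordLastSet = [datetime]'2011-09-01' }
    [pscustomobject]@{ Name = 'PC-STAGED-02'; PasswordLastSet = $null }
)
Get-StaleComputerReport -Computer $sample -Now $now | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-StaleComputerReport -Computer (Get-ADComputer -Filter * -Properties PasswordLastSet)
```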
5th March 2012, 02:01 PM #2
Don't you mean 6 days? Either way, it's not recommended.
In some countries where workers get several weeks of vacation, it is not uncommon for a worker to take four weeks off at a stretch. (This could also be the situation in a job share arrangement.) When the worker comes back, the computer does not talk to the domain.
There are a couple of ways to handle this. One way is to increase the amount of time between the changes of the secure channel password (but I do not recommend this).
Another way is to remove the computer from the domain, reboot the computer, join the computer to the domain, and reboot again. On my laptop (where it takes nearly 10 minutes for the laptop to become usable after a reboot), we are talking about a 30 minute process.
There are other alternatives to this multiple reboot scenario. Each of these solutions could easily be placed into a Windows PowerShell script.
5th March 2012, 02:22 PM #3
So I am likely to get the trust issue. On the MS forums someone put "If a computer is turned off for 6 weeks when it turns on again it will automatically renew its password."
The issue I could see is if a laptop is being used at home for a period of time. I could always just set the policy for desktops.
5th March 2012, 02:36 PM #4
Could you try it on a test VM with a test policy set for as short a period of time as you can, then just turn the VM off for a week or so to see what happens?
As I suspect it's one of those policies where you ask 3 people and you will get 3 diff answers, and it's also liable to come back and bite you in the bum if you do roll it out.
Last edited by sted; 5th March 2012 at 02:37 PM.
5th March 2012, 02:41 PM #5
It's funny you should say that. I did do that and I booted the machine forgetting I was testing