Why is "Bad Password Count" in AD rising for a computer account when the computer undergoes the monthly password change?

Anonymous
2024-07-25T11:06:11+00:00

Hi

I see on a domain with several domain controllers that some computer accounts temporarily have a "Bad Password Count" of 50-150 (viewed on the AD with the PDC role), and it seems to happen at the monthly computer password change. The situation is remediated within a day, often within an hour.

What is the root cause of this?

How can it be remediated?

Is there some good information on how AD calculates these "login" fields on the AD used, and on how soon the password events are propagated to the other ADs and the "PDC" AD?

I suspect a scenario like:

  1. The computer does a successful monthly change against a normal AD.
  2. For some reason, on the next computer logon that AD is not available, and because the change is not yet replicated, the other AD used considers it a bad login.
  3. The computer is redirected to try against the "PDC"; it still fails and "Bad Password Count" is incremented.
  4. After X time a successful replication happens from the original AD (with the new password) to the "PDC"; "Bad Password Count" is reset to 0 and will stay there, as the PDC now considers the password good and other ADs not yet synced will just redirect the computer to retry on the PDC.

Thanks

Tags: Windows Server, Identity and access, Active Directory

Locked question. This question was migrated from the Microsoft Support Community. To protect privacy, user profiles for migrated questions are anonymized.


5 answers

  1. Anonymous
    2024-07-25T13:07:10+00:00

    Hello Claus Bruun1,

    Thank you for posting in Microsoft Community forum.

    An increasing "Bad Password Count" in Active Directory (AD) for a computer account during the monthly password change might indicate a few potential issues:

    1. Password Synchronization Issues: If the computer's password isn't being properly synchronized with the domain controller, multiple authentication attempts with the old password could result in bad password counts.

    2. Replication Delays: There might be delays in replication between domain controllers. If a computer updates its password, but other domain controllers haven't yet received this update, they will consider the old password as incorrect.

    3. Cached Credentials: The computer or other services might be attempting to use cached credentials, which haven't been updated with the new password yet.

    4. Service Accounts or Scheduled Tasks: Any services, scheduled tasks, or applications running on the computer that rely on the computer account's password might be trying to authenticate with the old password.

    To diagnose and resolve the issue, you could:

    Ensure that the computer's password change process is completing successfully.

    Check the synchronization and replication status between domain controllers.

    Investigate any services or scheduled tasks that might be using the old password.

    Review the event logs on both the computer and domain controllers for more detailed error messages.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

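Added example, not from the original question or from Daisy Zhou's reply: a PowerShell snapshot that turns the replication-lag theory in the question and the "check the synchronization and replication status" step in the answer into something checkable per DC. The detail that matters is that badPwdCount, badPasswordTime and lastLogon are not replicated, so each DC reports its own copy (and the PDC emulator's badPwdCount also includes the failures other DCs chain to it), whereas pwdLastSet is replicated, so a DC whose pwdLastSet version lags the originating DC has not yet received the new machine password. The script assumes the RSAT ActiveDirectory module, a reader with rights to the attributes and to replication metadata, and a computer name passed without the trailing $.

```powershell
# Added example, not from the original thread: per-DC snapshot of one computer account.
# badPwdCount, badPasswordTime and lastLogon are NOT replicated, so each DC reports its own
# copy (the PDC emulator's badPwdCount also includes failures other DCs chain to it).
# pwdLastSet IS replicated: a DC whose version lags the originating DC has not yet
# received the new machine password.
# Assumes the RSAT ActiveDirectory module and rights to read replication metadata.
param(
    [Parameter(Mandatory)][string]$ComputerName   # sAMAccountName without the trailing $
)
Import-Module ActiveDirectory

$sam = "$ComputerName`$"
$pdc = (Get-ADDomain).PDCEmulator

function ConvertFrom-FileTime([long]$ft) {
    # 0 means "never" for these attributes
    if ($ft -gt 0) { [DateTime]::FromFileTimeUtc($ft) } else { $null }
}

$rows = foreach ($dc in (Get-ADDomainController -Filter * | Sort-Object HostName)) {
    try {
        $c = Get-ADComputer -Identity $sam -Server $dc.HostName -ErrorAction Stop `
                -Properties badPwdCount, badPasswordTime, pwdLastSet, lastLogon
        # Replication metadata tells us which DC originated the last password write
        # and which version of pwdLastSet this DC has applied.
        $meta = Get-ADReplicationAttributeMetadata -Object $c.DistinguishedName `
                    -Server $dc.HostName -Properties pwdLastSet
        [pscustomobject]@{
            DC              = $dc.HostName
            IsPDC           = ($dc.HostName -eq $pdc)
            BadPwdCount     = $c.badPwdCount
            BadPasswordTime = ConvertFrom-FileTime $c.badPasswordTime
            PwdLastSet      = ConvertFrom-FileTime $c.pwdLastSet
            PwdVersion      = $meta.Version
            PwdOriginDC     = $meta.LastOriginatingChangeDirectoryServerIdentity
            PwdOriginTime   = $meta.LastOriginatingChangeTime
            LastLogon       = ConvertFrom-FileTime $c.lastLogon
        }
    } catch {
        [pscustomobject]@{
            DC          = $dc.HostName
            IsPDC       = ($dc.HostName -eq $pdc)
            BadPwdCount = "unreachable: $($_.Exception.Message)"
        }
    }
}

$rows | Format-Table -AutoSize

# Any DC still behind on pwdLastSet has not received the new password; a logon that
# lands on it with the new password fails there and is chained to the PDC.
$latest = ($rows | Where-Object { $_.PwdVersion } |
           Measure-Object -Property PwdVersion -Maximum).Maximum
$rows | Where-Object { $_.PwdVersion -and $_.PwdVersion -lt $latest } | ForEach-Object {
    Write-Warning "$($_.DC) holds pwdLastSet version $($_.PwdVersion); latest seen is $latest"
}
```

Save it as a .ps1 and run it with -ComputerName while the count is elevated, then again once it has dropped. If the DCs with a lagging pwdLastSet version are the ones whose sites the workstation authenticates against, and the PDC is the only DC with a non-zero badPwdCount, the table supports the replication-lag explanation in the question; a non-zero badPwdCount on the originating DC itself points elsewhere.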
  2. Anonymous
    2024-07-25T23:38:54+00:00

    Thanks for the answer - I will try to look into it.

    However, the computers having issues are ordinary Windows 10/11 machines used for office work etc., without any special scheduled tasks or services. So I would assume that these plain joined workstation computers should not suffer from 3. and 4.

    How is the process expected to work? The computer changes the password at its logon AD server; will that AD immediately sync that information to at least the AD holding the PDC role, or will there always be a replication delay during which the computer may see other AD DCs that have not been updated?

    Where do I find the detailed documentation describing this process?

    Thanks

    Claus

  3. Anonymous
    2024-07-26T08:15:42+00:00

    Hello

    Good day!

    You can read the link below.

    Here is part information from the article.

    Machine account passwords as such do not expire in Active Directory. They are exempted from the domain's password policy. It is important to remember that machine account password changes are driven by the CLIENT (computer), and not the AD. As long as no one has disabled or deleted the computer account, nor tried to add a computer with the same name to the domain, (or some other destructive action), the computer will continue to work no matter how long it has been since its machine account password was initiated and changed.

    After the Netlogon service starts, the Workstation service scavenger thread wakes up. If the password is not older than MaximumPasswordAge, the scavenger thread goes back to sleep and sets itself to wake up when the password will reach that age. Otherwise, the scavenger thread will attempt to change the password. If it cannot talk to a DC, it will go back to sleep and try again in ScavengeInterval minutes.

    Machine Account Password Process - Microsoft Community Hub

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

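Added example, not from the thread or from the linked article: the client-side view of the process the quoted article describes, read from a domain-joined workstation. It reads the Netlogon parameters that drive the scavenger thread (MaximumPasswordAge, ScavengeInterval, DisablePasswordChange), the DC the secure channel currently uses, and Netlogon's own record of the last password change (System log, event 5823 from source NETLOGON), and computes when the next change is due. The defaults used when a registry value is absent (30 days and 15 minutes) and the regex over the 5823 message text are my assumptions, not something the page states.

```powershell
# Added example, not from the original thread: what the workstation itself knows about
# its machine account password change. Runs locally, needs no RSAT module.
$params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Assumed defaults when a value is absent: MaximumPasswordAge 30 days, ScavengeInterval 15 min.
# Group Policy "Domain member: Maximum machine account password age" writes MaximumPasswordAge;
# "Domain member: Disable machine account password changes" writes DisablePasswordChange.
$maxAgeDays  = if ($null -ne $params.MaximumPasswordAge) { [int]$params.MaximumPasswordAge } else { 30 }
$scavengeMin = if ($null -ne $params.ScavengeInterval)   { [int]$params.ScavengeInterval }   else { 15 }
$disabled    = [bool]$params.DisablePasswordChange

# The DC the secure channel currently points at: this is the DC that receives the
# password change when the scavenger thread decides it is due.
$sc = & nltest "/sc_query:$env:USERDNSDOMAIN" 2>&1 | Out-String
$currentDc = if ($sc -match 'Trusted DC Name\s+\\\\(\S+)') { $Matches[1] } else { 'unknown' }

# Netlogon logs 5823 when it has successfully changed the machine password on a DC.
$lastChange = Get-WinEvent -MaxEvents 1 -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5823 }
# Assumption: the 5823 message names the DC as "...on the domain controller \\DCNAME".
$lastChangeDc = if ($lastChange -and $lastChange.Message -match 'domain controller \\\\(\S+)') {
    $Matches[1].TrimEnd('.')
} else { $null }

[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    SecureChannelDC     = $currentDc
    SecureChannelOK     = Test-ComputerSecureChannel   # $false means the trust itself is broken
    MaximumPasswordAgeD = $maxAgeDays
    ScavengeIntervalMin = $scavengeMin
    PasswordChangeOff   = $disabled
    LastChangeLogged    = if ($lastChange) { $lastChange.TimeCreated } else { $null }
    LastChangeDC        = $lastChangeDc
    NextChangeDueAfter  = if ($lastChange) { $lastChange.TimeCreated.AddDays($maxAgeDays) } else { $null }
} | Format-List
```

Run it in an elevated PowerShell on one of the affected workstations. LastChangeDC is the DC that originated the new password; if the bad-password events on the DC side cluster on other DCs in the minutes or hours after LastChangeLogged, that is the replication window the question is asking about, and Test-ComputerSecureChannel returning $true confirms the change itself succeeded rather than the trust being broken.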
  4. Anonymous
    2024-07-31T11:26:10+00:00

    Going back to your four suggestions in your first reply:

    "1.Password Synchronization Issues: If the computer's password isn't being properly synchronized with the domain controller, multiple authentication attempts with the old password could result in bad password counts."

    If the computer fails to update the domain controller properly during the password change, bad passwords will of course occur, but if this happens the computer will be locked out forever until the trust is manually restored. In my case the machines seem to work, and after some time (10 min to 10 h) the bad password count goes back to 0; hence I rule out this suggestion.

    "3.Cached Credentials: The computer or other services might be attempting to use cached credentials, which haven't been updated with the new password yet."

    Can you elaborate on this? I would expect that cached credentials are updated/invalidated as part of the password change, and hence the computer should immediately pick up and cache the new password.

    "4.Service Accounts or Scheduled Tasks: Any services, scheduled tasks, or applications running on the computer that rely on the computer account's password might be trying to authenticate with the old password."

    Again, as all of these run as "Network Service" or "Local System", I assume that Windows will automatically pick up the newly established password when the services need it?!

    And that leaves us with

    "2.Replication Delays: There might be delays in replication between domain controllers. If a computer updates its password, but other domain controllers haven't yet received this update, they will consider the old password as incorrect."

    Would you consider it "normal behavior" that bad passwords occur and are reported in AD as a consequence of machines changing passwords in an environment with multiple sites and many DCs?

    How long should I expect replication to take to get things back to normal when remote sites with decent WAN links are in place?

    Lastly, I'm not sure I understand the role of the "Previous computer password" stored on the machine.

    When is that used ?

    Obviously it is not used in my scenario, as the previous password would still authenticate the computer to DCs not yet replicated successfully?

    Thanks

  5. Anonymous
    2024-08-01T08:24:19+00:00

    Hello

    Good day!

    "3.Cached Credentials: The computer or other services might be attempting to use cached credentials, which haven't been updated with the new password yet."

    "Can you elaborate on this? I would expect that cached credentials are updated/invalidated as part of the password change, and hence the computer should immediately pick up and cache the new password."

    If it remembers the old password, maybe we need to update from the old password to the new password manually.

    4.Service Accounts or Scheduled Tasks: Any services, scheduled tasks, or applications running on the computer that rely on the computer account's password might be trying to authenticate with the old password.

    "Again, as all of these run as "Network Service" or "Local System", I assume that Windows will automatically pick up the newly established password when the services need it?"

    If it remembers the old password, maybe we need to update from the old password to the new password manually.

    "How long should I expect replication to take to get things back to normal when remote sites with decent WAN links are in place?"

    A: By default, it is 180 minutes between sites.

    Can you see event ID 4771 or event ID 4776 on any domain controller for this machine account while the "Bad Password Count" is at 50-150?

    Can you see event ID 4625 on the domain computer for this machine account while the "Bad Password Count" is at 50-150?

    Best Regards,
    Daisy Zhou

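Added example, not from the thread: a script that collects the events Daisy asks about. 4771 (Kerberos pre-authentication failed; a wrong password shows as failure code 0x18) and 4776 (NTLM credential validation; a wrong password is status 0xC000006A) are logged on the DC that rejected the attempt, so they are pulled from every DC and grouped by DC, event and code, which shows directly whether the rejecting DCs are the ones that had not yet received the new password. 4625 is pulled from the workstation. It assumes the RSAT ActiveDirectory module, the Kerberos Authentication Service and Credential Validation audit subcategories enabled on the DCs and Logon auditing on the client, remote event log access, and a computer name passed without the trailing $ that also resolves as the workstation's hostname.

```powershell
# Added example, not from the original thread: gather 4771/4776 for one computer account
# from every DC, and 4625 from the workstation, for the window in which badPwdCount rose.
# A wrong password is failure code 0x18 in 4771 and status 0xC000006A in 4776.
# Assumes RSAT ActiveDirectory, the audit subcategories enabled, and remote event-log access.
param(
    [Parameter(Mandatory)][string]$ComputerName,   # sAMAccountName without the trailing $
    [int]$HoursBack = 24
)
Import-Module ActiveDirectory
$sam   = "$ComputerName`$"
$since = (Get-Date).AddHours(-$HoursBack)

function Get-EventDataMap($event) {
    # Flatten <EventData><Data Name="..."> into a hashtable keyed by Name
    $map = @{}
    foreach ($d in ([xml]$event.ToXml()).Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    $map
}

$dcFindings = foreach ($dc in (Get-ADDomainController -Filter *)) {
    $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4771, 4776; StartTime = $since
    }
    foreach ($e in $events) {
        $d = Get-EventDataMap $e
        if ($d.TargetUserName -ne $sam) { continue }   # both events name the account here
        [pscustomobject]@{
            DC     = $dc.HostName
            Time   = $e.TimeCreated
            Id     = $e.Id
            Status = $d.Status                                              # 0x18 / 0xC000006A = bad password
            Source = if ($e.Id -eq 4771) { $d.IpAddress } else { $d.Workstation }
        }
    }
}

# Which DC rejected the account, with which code, how often, and over what window.
$dcFindings | Group-Object DC, Id, Status | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'First'; e = { ($_.Group | Measure-Object Time -Minimum).Minimum } },
        @{ n = 'Last';  e = { ($_.Group | Measure-Object Time -Maximum).Maximum } } |
    Format-Table -AutoSize

# 4625 on the workstation itself, restricted to its own machine account.
Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = $since
} | Where-Object { (Get-EventDataMap $_).TargetUserName -eq $sam } |
    Select-Object TimeCreated, @{ n = 'Status'; e = { (Get-EventDataMap $_).Status } } -First 20
```

Read the grouped table against the time of the machine's password change: 0x18 / 0xC000006A rejections from DCs other than the one that took the change, stopping once inter-site replication has run, is the pattern the question describes, and the PDC's badPwdCount reflects those chained failures. Rejections on the originating DC itself, or failures continuing after all DCs have replicated, mean something on the client is still presenting the old secret and the account, not replication, needs attention.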