Questions on computer accounts

Mikhail Firsov 1,881 Reputation points
2022-05-27T08:56:46.413+00:00

Hello!

Would you please clarify a couple of questions regarding AD computer accounts:

1) This command -

Search-ADAccount -PasswordNeverExpires |Sort-Object ObjectClass| ft Name, ObjectClass

-shows there are computers with PasswordNeverExpires. I've never wished to have computer accounts with PasswordNeverExpires and haven't even found a way to set it for a computer account in AD, so

Q1: How can you set a PasswordNeverExpires for a computer account?

The theory:

"So if a computer is turned off for three months nothing expires. When the computer starts up, it will notice that its password is older than 30 days and will initiate action to change it. The Netlogon service on the client computer is responsible for doing this. This is only applicable if the machine is turned off for such a long time.
If the machine was down for a long time, that scavenger thread will not run and the password will not get out of sync in the local store and Active Directory.
If the machine was unable to communicate with a domain controller, the client doesn’t try to change its password. For example, if it was a laptop running at home with no VPN for 4 months, the laptop would never change its own machine password.
"

Having read this I conclude that

1) if I have a computer that was either turned off or "running at home with no VPN for 4 months, the laptop would never change its own machine password",

2) "if the machine was unable to communicate with a domain controller, the client doesn’t try to change its password"

3) "When the computer starts up, it will notice that its password is older than 30 days and will initiate action to change it" and - given that a domain controller is available now - nothing prevents the client from a) changing its own computer password and b) replicating it to AD. After this (I mean after, for example, the first turning on of a PC during a more than 30 day period) I would expect it (the computer) to connect to AD as if there had been no >30 day period of inactivity, and a domain user would have no issues logging on to his/her workstation.

In practice, when a user tries to enter his/her domain credentials on a PC which was off for more than 30 days it ALWAYS ends in the authentication error "Can't establish a secure channel with a DC".

Q2: Does the theory contradict the practice here, or does the error described above pertain to some other problem?

Thank you in advance,
Michael


4 answers

  1. Gary Reynolds 9,621 Reputation points
    2022-05-29T04:12:52.86+00:00

    Hi @Mikhail Firsov

    You can think of the computer password the same as a user account password: it's used to authenticate the computer and allow it to read and write to AD. Like a user account, the computer account also has a password policy which defines its age; there are no settings for complexity as it uses a complex password by default. The computer account password age is controlled by the Domain Member: Maximum machine account password age policy setting; setting it to zero, the password will never expire:

    (screenshot attachment: 206394-image.png)

    The password is not changed separately at the workstation; it's changed the same as a user account: when the computer authenticates to AD, if the password is out of date, then AD will trigger the workstation to change the password as part of the authentication request. If the workstation is switched on but is disconnected from AD for longer than the password age, the password stored on the workstation is not changed; it's only changed when the workstation tries to authenticate to AD.

    While ADUC doesn't include the simple option to change the UserAccountControl attribute like the user properties do, it can be changed via the Attribute Editor tab or with any AD/LDAP editor.

    I would have to do some testing, as I'm not sure what impact setting the ADS_UF_DONT_EXPIRE_PASSWD option on the UserAccountControl attribute of the computer object has on the password change policy.

    Computer objects use a slightly different password management policy than that of user accounts: AD remembers the last two passwords that have been set for the computer account, and either of them can be used to authenticate. This is the same policy that is used for the krbtgt account.

    Gary.

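An added example, not part of Gary's answer or of this thread, showing in PowerShell what the ADS_UF_DONT_EXPIRE_PASSWD bit (0x10000) looks like on a computer object, how to find the computer accounts that carry it, and how the bit is set and cleared from the command line instead of the Attribute Editor. The computer name WS01 is an assumption; every write carries -WhatIf, so nothing changes until that switch is removed. It needs the ActiveDirectory RSAT module and rights to read and write the computer objects.

```powershell
# Added example (not from the thread): decode, find, set and clear the
# DONT_EXPIRE_PASSWD bit in userAccountControl on computer accounts.
Import-Module ActiveDirectory

# Subset of userAccountControl bits relevant to computer accounts
# (values from the ADS_USER_FLAG_ENUM documentation).
$UacFlags = @{
    ACCOUNTDISABLE            = 0x0002
    PASSWD_NOTREQD            = 0x0020
    WORKSTATION_TRUST_ACCOUNT = 0x1000
    SERVER_TRUST_ACCOUNT      = 0x2000
    DONT_EXPIRE_PASSWD        = 0x10000
    TRUSTED_FOR_DELEGATION    = 0x80000
}

function Get-UacFlagName {
    param([Parameter(Mandatory)][int]$Value)
    # Return the names of the bits set in a userAccountControl value.
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        Sort-Object Value |
        ForEach-Object { $_.Key }
}

# Constructed values: a stock workstation object is 0x1000 (4096);
# the same object with "password never expires" is 0x11000 (69632).
Get-UacFlagName -Value 4096    # WORKSTATION_TRUST_ACCOUNT
Get-UacFlagName -Value 69632   # WORKSTATION_TRUST_ACCOUNT, DONT_EXPIRE_PASSWD

# Report: every computer object with the bit set, decoded. The OID is the
# LDAP_MATCHING_RULE_BIT_AND rule, 65536 is 0x10000 in decimal.
Get-ADComputer -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=65536)' `
    -Properties userAccountControl, PasswordLastSet |
    Select-Object Name,
        @{ n = 'UAC';   e = { '0x{0:X}' -f $_.userAccountControl } },
        @{ n = 'Flags'; e = { (Get-UacFlagName $_.userAccountControl) -join ',' } },
        PasswordLastSet

# Setting the bit: Set-ADComputer exposes it as a switch-style boolean,
# which is what ADUC's Attribute Editor does by hand. WS01 is hypothetical.
Set-ADComputer -Identity 'WS01' -PasswordNeverExpires $true -WhatIf

# Equivalent raw edit for any LDAP tool: OR the bit into the current value.
$c = Get-ADComputer -Identity 'WS01' -Properties userAccountControl
Set-ADObject -Identity $c.DistinguishedName `
    -Replace @{ userAccountControl = ($c.userAccountControl -bor 0x10000) } -WhatIf

# Clearing it again: AND with the complement of the bit.
Set-ADObject -Identity $c.DistinguishedName `
    -Replace @{ userAccountControl = ($c.userAccountControl -band (-bnot 0x10000)) } -WhatIf
```

The LDAP bitwise filter is the quickest way to answer Q1 in the other direction (who has the bit, not how to set it): it asks the domain controller to do the bit test, so it works with any LDAP client, not only with Search-ADAccount.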

  2. Mikhail Firsov 1,881 Reputation points
    2022-05-30T08:07:22.927+00:00

    Hi Gary Reynolds,

    Thank you for the reply!

    "If the workstation is switched on but is disconnected from the AD for longer than the password age, the password stored on the workstation is not changed, it's only changed when the workstation tries to authenticate to the AD" - and the result of this "it's only changed when the workstation tries to authenticate to the AD" should be - according to the theory - the updated and synchronized computer account's password, and this computer (which was off when its computer account was due to change its password) should have no issues connecting to AD, but in practice I've never seen a user log on to such a computer without first resetting the computer account.


  3. Mikhail Firsov 1,881 Reputation points
    2022-05-30T13:14:41.16+00:00

    "This isn't normal behaviour...." - mmm???

    Test:

    1) add a new pc to domain and turn it off
    2) wait 31 day
    3) turn pc on and try to use a domain account to log on

    = 100 % authentication error (and of course the computer account still exists in AD).


  4. Mikhail Firsov 1,881 Reputation points
    2022-05-31T09:09:27.533+00:00

    Oh, I got it: here's the CORRECT answer:

    "If the computer's account has expired, it will no longer be able to authenticate with the domain. Computers that cannot authenticate with the domain must be removed from the domain and rejoined to it."

    ...and here's the original article, published in 2009 and republished in 2019:

    "Question: If a workstation does not change its password, will it not be allowed to log onto the network?

    Answer: Machine account passwords as such do not expire in Active Directory. ..."

    ...and that's why I asked this question: "Machine account passwords as such do not expire in Active Directory" - this assertion is wrong and the article you posted proves it. Thank you for the help!

    Regards,
    Michael

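An added example, not from the thread, of the checks a practitioner would run on both sides when a workstation that has been off for longer than the machine password age comes back with the secure channel error from Q2: the client's own Netlogon password-change settings (the registry values behind the "Domain member" policies Gary names), the live state of the secure channel, and the machine password age in AD computed from pwdLastSet. The 45-day sample timestamp and the CONTOSO\Administrator credential are constructed assumptions; 30 days is the Windows default for the maximum machine account password age. Run it on the workstation as a local administrator; the AD queries need the ActiveDirectory RSAT module.

```powershell
# Added example (not from the thread): secure channel and machine password
# age checks for a long-offline domain member.
Import-Module ActiveDirectory

function Get-MachinePasswordAgeDays {
    param(
        [Parameter(Mandatory)][Int64]$PwdLastSet,
        [datetime]$Now = (Get-Date)
    )
    # pwdLastSet is a Windows FILETIME (100-ns ticks since 1601-01-01 UTC).
    # 0 means no password has ever been set on that object.
    if ($PwdLastSet -eq 0) { return [double]::PositiveInfinity }
    $set = [datetime]::FromFileTimeUtc($PwdLastSet)
    [math]::Round(($Now.ToUniversalTime() - $set).TotalDays, 1)
}

# Constructed sample: a password set exactly 45 days before "now".
$now    = [datetime]'2022-05-31T09:00:00Z'
$sample = $now.AddDays(-45).ToFileTimeUtc()
Get-MachinePasswordAgeDays -PwdLastSet $sample -Now $now   # 45

# 1. What does this client believe its own policy is? These values are what
#    the "Domain member: Maximum machine account password age" and
#    "Domain member: Disable machine account password changes" policies write.
#    A missing MaximumPasswordAge means the 30-day default.
$np = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Get-ItemProperty -Path $np | Select-Object MaximumPasswordAge, DisablePasswordChange

# 2. Is the secure channel to a DC healthy right now? Returns $true/$false.
Test-ComputerSecureChannel -Verbose

# 3. AD side: which enabled computers have a machine password older than the
#    policy age? Compare this with what the client reported in step 1.
$maxAgeDays = 30
Get-ADComputer -Filter 'Enabled -eq $true' -Properties pwdLastSet, LastLogonDate |
    ForEach-Object {
        [pscustomobject]@{
            Name       = $_.Name
            PwdAgeDays = Get-MachinePasswordAgeDays -PwdLastSet $_.pwdLastSet
            LastLogon  = $_.LastLogonDate
        }
    } |
    Where-Object PwdAgeDays -gt $maxAgeDays |
    Sort-Object PwdAgeDays -Descending

# 4. Repair from the workstation: -Repair resets the machine account password
#    on the client and in AD and rebuilds the channel, using an account that
#    is allowed to reset that computer object. The credential is hypothetical.
Test-ComputerSecureChannel -Repair -Credential (Get-Credential 'CONTOSO\Administrator') -Verbose
```

Step 3 reports age, not validity: an old pwdLastSet by itself only says the rotation has not happened yet. The secure channel fails when the password the client holds in its LSA secret no longer matches either of the two values AD keeps for the object, which is why step 2 on the client and step 3 on the DC are both needed before deciding whether step 4 (or a full unjoin and rejoin) is the fix.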
