Sep 03

Machine Account (AD Computer Object) Password Updates

There seems to be quite a bit of confusion when it comes to domain-joined computers and how/when they update their AD computer object (machine account) passwords.

Here are a few key points on this process:

  • The default domain policy setting configures domain-joined Windows 2000 (& up) computers to update their passwords every 30 days (default).
  • Computer password update policy is configured in the Default Domain Policy setting “Domain member: Maximum machine account password age” in “Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options”.  If the setting is “not defined”, the default of 30 days is set. The policy can be set to never, but this is not recommended.
  • Every computer joined to an AD domain has an associated computer account in AD and that account (object) has an associated password.
  • The computer password policy is more of a “guideline” than a rule – the computer updates the password when it thinks it needs to, but the domain doesn’t block computer accounts with passwords older than the policy setting.
  • Computer accounts (and associated passwords) don’t expire like user accounts and computer password updates are not forwarded to the PDC after the change is made on a DC (again, unlike with user account password changes).
  • AD Trust passwords follow this computer password policy setting.
  • The computer’s Netlogon service handles the machine account password updates, not Active Directory. When the computer boots up and the Netlogon service starts, it checks to see when the password was last set and when policy states it should be changed. The process sleeps until the computer is rebooted or until the password change date. At this point, the Netlogon process (Workstation Scavenger Thread) changes the computer’s AD account policy. If it can’t, the workstation scavenger thread sleeps for 15 minutes (by default – changed by modifying ScavengeInterval) and checks to see if a password update if required.
  • The computer account’s password is used to establish a secure session with an AD Domain Controller which is used for user authentication (as well as LocalSystem and NetworkService credentials).
  • The computer stores the machine account password in the registry location: HKLM\SECURITY\Policy\Secrets\$machine.ACC (encrypted secrets storage section of the registry).
  • The computer (and AD) stores the current password and the previous one (CurrVal and OldVal keys respectively, in the registry location above).
  • The password is stored in the computer account object in the unicodepwd (current password) and lmpwdHistory (previous password) attributes. The timestamp for this update is stored in the pwdlastset attribute in integer8 format.
  • The computer checks for a valid secure channel to a DC, changes the password locally (in the registry), and then sends the password update to a Domain Controller. If the DC refuses the password change, the computer’s local password change is reverted.
  • If the computer is turned off for an extended period of time (weeks, months, etc) and is not turned on until the password is older than the computer password policy setting, the computer updates its password normally without issue (assuming there are no other extenuating circumstances with network connections to an available DC).
  • Since computer password updates occur over secure channel, if the computer has an existing secure channel session with a RODC (the RODC has the existing computer’s password in its AD database), the RODC forwards the change request to a writable DC. The RODC then attempts to replicate the password using ReplicateSingleObject (RSO).   If the computer’s password is not cached on the RODC (no secure session), the password change request follows the existing secure session the computer has with a writable DC.
  • The computer account has to have the password cached on the local RODC for the password change to be successful. Once the RODC updates its local database with the new computer account password, it replicates the updated password to a writable DC. If the password is not cached on the RODC (or is not allowed to be cached), the request is forwarded to the writable DC nearby (2008 or newer).
  • Managed Service Accounts introduced with Windows Server 2008 R2 are treated as computer accounts and update with the same frequency.
  • In a VDI environment, it may be necessary to configure the computer to not automatically update the computer password in AD (since the VDI infrastructure will manage these passwords). See Microsoft KB 327825 below for information.

NOTE: There will be an issue if the computer object is restored to a backup > 60 days since the computer will not have the older password saved locally (only the current and last password are kept).

Resetting (changing) a computer account password:

With Windows 2000 or Windows XP, you can also reset the machine account from within the graphical user interface (GUI). In the Active Directory Users and Computers MMC (DSA), you can right-click the computer object in the Computers or appropriate container and then click Reset Account. This resets the machine account. Resetting the password for domain controllers using this method is not allowed. Resetting a computer account breaks that computer’s connection to the domain and requires it to rejoin the domain.

When using the computer password last set attribute to identify inactive computers, I highly recommend you filter on the OS version (target workstations or servers, not both at the same time). Additionally, filter on the primary group ID to ensure that Domain Controllers are never affected – using PrimaryGroupID = 515 will guarantee a DC will never be selected.

Interesting Note: While you can’t disable a Domain Controller’s computer account through the GUI, specifically Active Directory Users & Computers, it is possible to disable a DC programatically, i.e. via PowerShell, so be careful.

Example PowerShell code to find inactive computers (workstations) in the domain:

Import-Module activedirectory
[int]$ComputerPasswordAgeDays = 90
IF ((test-path “c:\temp”) -eq $False) { md “c:\temp” }
$ExportFile = “c:\temp\InactiveWorkstations.csv”
$ComputerStaleDate = (Get-Date).AddDays(-$ComputerPasswordAgeDays)
$InactiveWorkstations = Get-ADComputer -filter { (passwordLastSet -le $ComputerStaleDate) -and (OperatingSystem -notlike “*Server*”) -and (OperatingSystem -like “*Windows*”) } -properties Name, DistinguishedName, OperatingSystem,OperatingSystemServicePack, passwordLastSet,LastLogonDate,Description
$InactiveWorkstations | export-csv $ExportFile

I recommend also combining this with the last time the Windows computer rebooted by checking LastLogonDate (AD Attribute LastLogonTimestamp).






Trimarc helps companies and organizations improve their security to better protect against and detect attacks.
Visit TrimarcSecurity.com for more information.

(Visited 14,299 times, 12 visits today)