Q: Can the password of a Windows machine’s domain account expire just like a normal user account’s password expires (as defined in the domain password policy settings)?

A: Machine account passwords don't expire the way user account passwords do: machine accounts are exempt from the domain-level password policy and from fine-grained password policies (the latter are only available in a Windows Server 2008 R2 Active Directory environment). Even if a machine has been offline for several months, it will continue to work in the domain, no matter how long ago its machine account password was last changed.

This doesn't mean that a machine's password never changes; it is subject to a different control mechanism. Machine password changes are initiated by the client machine itself and are governed by the client's local MaximumPasswordAge setting, which defaults to 30 days. When a Windows machine boots, it notices that its password is older than 30 days and the netlogon service initiates a password change.

If you encounter machine account password problems, they are typically caused by the machine account having been disabled or deleted, or by an attempt to join another machine with the same name to the domain. In these cases, you can use the netdom.exe command-line utility with the resetpwd switch to reset the machine account's password.
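Before resetting anything, it helps to confirm that the secure channel really is broken and to see what the computer object in AD looks like. The following PowerShell is an added example, not code from the original article: it uses the built-in Test-ComputerSecureChannel cmdlet and an ADSI search (no RSAT module required) to report the channel state, whether the computer account still exists and is enabled, and when its password was last set. The `<DC-FQDN>` and `<DOMAIN\admin-account>` placeholders in the comments are assumptions to be filled in for your environment.

```powershell
# Added example (not from the original article): verify the machine account's
# secure channel and inspect the computer object before resorting to a reset.
# Assumes an elevated PowerShell session on a domain-joined client.

function Get-MachineAccountStatus {
    param([string]$DomainController)   # optional; defaults to the DC the client located

    $testArgs = @{}
    if ($DomainController) { $testArgs['Server'] = $DomainController }

    # Test-ComputerSecureChannel returns $false when the password this client
    # holds no longer matches the one stored on the computer object, which is
    # the symptom behind the disabled/deleted/duplicate-name cases above.
    $channelOk = $false
    try { $channelOk = Test-ComputerSecureChannel @testArgs -ErrorAction Stop }
    catch { Write-Warning "Secure channel test failed: $_" }

    # Look up the computer object by its sAMAccountName (machine name plus '$').
    # pwdLastSet is a FILETIME, so convert it to a date to see when the
    # password last rotated; bit 0x2 of userAccountControl means 'disabled'.
    $sam      = $env:COMPUTERNAME + '$'
    $searcher = [ADSISearcher]"(&(objectCategory=computer)(sAMAccountName=$sam))"
    $result   = $searcher.FindOne()
    $lastSet  = if ($result) { [DateTime]::FromFileTimeUtc([int64]$result.Properties['pwdlastset'][0]) }
    $enabled  = if ($result) { -not (([int]$result.Properties['useraccountcontrol'][0]) -band 0x2) }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        SecureChannelOk    = $channelOk
        AccountFound       = [bool]$result
        AccountEnabled     = $enabled
        PasswordLastSetUtc = $lastSet
    }
}

$status = Get-MachineAccountStatus
$status | Format-List

if (-not $status.SecureChannelOk) {
    # Repair options, both requiring credentials allowed to reset the computer
    # object's password (placeholders <DC-FQDN> / <DOMAIN\admin-account> are assumptions):
    #   Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
    #   netdom resetpwd /Server:<DC-FQDN> /UserD:<DOMAIN\admin-account> /PasswordD:*
    Write-Warning 'Secure channel is broken; reset the machine account password using one of the commented commands.'
}
```

If `AccountFound` is `$false`, the computer object has been deleted and a password reset alone will not help; the machine has to be rejoined. If the account exists but `AccountEnabled` is `$false`, re-enable it first and then reset the password.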

The netlogon registry parameters that change the behavior of the machine password change process are MaximumPasswordAge, DisablePasswordChange, and ScavengeInterval. All three values are located under the registry key HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters.

MaximumPasswordAge determines when the password must be changed and defaults to 30 days; it accepts values from 1 to 1,000,000. In a domain, this value can be centrally controlled with the Group Policy Object (GPO) setting Domain member: Maximum machine account password age, located under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.

The DisablePasswordChange value, when set, prevents a client computer from changing its machine account password. It defaults to off, and it's a security best practice to leave it that way.

The ScavengeInterval value controls how often the netlogon scavenger thread runs; this thread is the one that performs the machine password change. ScavengeInterval defaults to 900 seconds (15 minutes) and accepts values from 60 (1 minute) to 172800 (48 hours). It can also be controlled through the GPO setting Computer Configuration\Administrative Templates\System\Netlogon\Scavenge Interval.
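Because the GPO settings above simply write these registry values, reading the Netlogon Parameters key shows the effective policy on a given client. The following PowerShell is an added example, not code from the original article: it reads the three values, falls back to the defaults the article gives when a value is absent, and flags the settings a defender would question (rotation disabled, an interval longer than the 30-day default, or a value outside the documented range).

```powershell
# Added example (not from the original article): audit the three Netlogon
# parameters that govern machine account password rotation.
# Assumes an elevated PowerShell session on the client being audited.

$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-NetlogonPasswordSettings {
    # Defaults and supported ranges as stated in the article.
    # DisablePasswordChange is a flag (nonzero = rotation disabled), so it has no range check.
    $spec = @(
        @{ Name = 'MaximumPasswordAge';    Default = 30;  Range = @(1, 1000000); Unit = 'days' }
        @{ Name = 'DisablePasswordChange'; Default = 0;   Range = $null;         Unit = 'flag' }
        @{ Name = 'ScavengeInterval';      Default = 900; Range = @(60, 172800); Unit = 'seconds' }
    )
    $props = Get-ItemProperty -Path $NetlogonParams -ErrorAction Stop

    foreach ($s in $spec) {
        # A missing value means the default applies; an explicit value may come
        # from the GPO or from a local change, either way it is what netlogon uses.
        $raw   = $props.($s.Name)
        $value = if ($null -ne $raw) { [int64]$raw } else { [int64]$s.Default }

        $finding = $null
        if ($s.Range -and ($value -lt $s.Range[0] -or $value -gt $s.Range[1])) {
            $finding = "outside supported range $($s.Range[0])-$($s.Range[1])"
        } elseif ($s.Name -eq 'DisablePasswordChange' -and $value -ne 0) {
            $finding = 'machine account password rotation is disabled'
        } elseif ($s.Name -eq 'MaximumPasswordAge' -and $value -gt $s.Default) {
            $finding = 'rotation interval longer than the 30-day default'
        }

        [pscustomobject]@{
            Name    = $s.Name
            Value   = $value
            Unit    = $s.Unit
            Source  = if ($null -ne $raw) { 'registry (explicit)' } else { 'default (value absent)' }
            Finding = $finding
        }
    }
}

$settings = Get-NetlogonPasswordSettings
$settings | Format-Table -AutoSize

# Summarise: any non-empty Finding is something to investigate or roll back.
$issues = $settings | Where-Object { $_.Finding }
if ($issues) {
    Write-Warning ("{0} Netlogon setting(s) need attention: {1}" -f $issues.Count, ($issues.Name -join ', '))
}
```

Run this across a fleet (for example via `Invoke-Command`) to spot clients where DisablePasswordChange has been turned on or MaximumPasswordAge has been stretched, since a machine password that never rotates keeps working indefinitely if it is ever captured.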

TAGS: Security