How can I determine which computer accounts haven't had their passwords changed?

A. By default, computers have a password (which originally is the name of the computer account!) that's changed every 30 days. If a computer's password isn't changed (e.g., it's been offline), then 60 days after its last password change the computer account won't be able to authenticate to the domain until its password is reset.

You can check for computers that haven't changed their password for more than 60 days (and could therefore be considered "stale") using the dsquery command on Windows Server 2003 and later systems. Here's a sample command execution and output:

C:\>dsquery computer -stalepwd 60

"CN=THANOS,CN=Computers,DC=savilltech,DC=com"
"CN=WKSSAVD810,CN=Computers,DC=savilltech,DC=com"
"CN=KEVINLITTLE,CN=Computers,DC=savilltech,DC=com"
"CN=SAVDALWKS02,CN=Computers,DC=savilltech,DC=com"
"CN=SAVDALMOM01,CN=Computers,DC=savilltech,DC=com"

This output shows I have five machines that haven't changed their passwords for more than 60 days and are therefore unable to connect to the domain.
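
The dsquery output lists only distinguished names. The following PowerShell sketch is an added example, not part of the original answer: it applies the same 60-day threshold to the pwdLastSet attribute (which records the last password change) and also reports each account's password age. The function name Get-StaleComputerPassword and the sample machine names are hypothetical; the live query assumes the ActiveDirectory module (RSAT) is installed.

```powershell
function Get-StaleComputerPassword {
    param(
        [int]$Days = 60,
        # Objects with Name and pwdLastSet (Windows FILETIME, UTC).
        # If omitted, computer accounts are queried from the current domain.
        [object[]]$Computer,
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    $cutoff = $Now.AddDays(-$Days)
    if (-not $Computer) {
        # Let the domain controller filter: pwdLastSet at or before the cutoff.
        $ldap = "(pwdLastSet<=$($cutoff.ToFileTimeUtc()))"
        $Computer = Get-ADComputer -LDAPFilter $ldap -Properties pwdLastSet
    }
    foreach ($c in $Computer) {
        # pwdLastSet of 0 (password never set) converts to 1601-01-01 and is reported as stale.
        $set = [datetime]::FromFileTimeUtc($c.pwdLastSet)
        if ($set -le $cutoff) {
            [pscustomobject]@{
                Name            = $c.Name
                PasswordLastSet = $set
                AgeDays         = [int][math]::Floor(($Now - $set).TotalDays)
            }
        }
    }
}

# Constructed sample rows so the function can be tried without a domain.
$utc = [DateTimeKind]::Utc
$sample = @(
    [pscustomobject]@{ Name = 'WKS-A'; pwdLastSet = ([datetime]::new(2024, 3, 1, 0, 0, 0, $utc)).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'WKS-B'; pwdLastSet = ([datetime]::new(2024, 5, 20, 0, 0, 0, $utc)).ToFileTimeUtc() }
)
$asOf = [datetime]::new(2024, 6, 1, 0, 0, 0, $utc)

# Only WKS-A is older than 60 days as of the constructed date.
Get-StaleComputerPassword -Computer $sample -Now $asOf | Sort-Object AgeDays -Descending

# Against a live domain (requires the ActiveDirectory module):
# Get-StaleComputerPassword -Days 60 | Sort-Object AgeDays -Descending
```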