Score:0

Can the Maximum machine account password age be set differently for one OU on a domain controller


In my organization, when we provision a computer, one of the steps includes joining our domain. Typically we provision one PC at a time as the need comes up. I would like to get out of this habit and start provisioning groups of PCs as they are purchased once or twice a year. The problem with this is that the machines will sit for months without being used and ultimately lose the domain trust relationship and hostname.

My question is this: can we create a container on our domain controller that would not have any defined machine password change requirements? Then, when we set the PC up for a user and move it to what I will call a working container, the device would pick up the machine account password policy that is set for all the other computers in our environment?

Semicolon
1. It is insecure to have inactive, enabled accounts living in your domain; 2. Just set the account's password to never expire.
Score:0

Yes, technically, it's possible to create an Organizational Unit and target the following policy on it, to prevent computers from changing their password:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options => Domain member: Disable machine account password changes

Read the documentation to learn more about this policy: Domain member: Disable machine account password changes

To mitigate the security risk, you can disable the computer account once the computer is powered off, then you can enable it again and move it to another OU when you want to use the computer.

However, I don't think you need to disable the machine account password change... The policy is not enforced by a domain controller; it's a client-side setting: the client device will periodically check whether it needs to change its password or not.

I have seen occurrences where you just need to reboot the machine once the password has changed, so Windows will get back on the rails.

The next time you need to use a computer after months of inactivity, try the following: boot the device, ensure it's connected to the network, don't try to log in to the device; just let it sit for a few minutes, then reboot the device and try to log on.

Learn more about machine account password change here and how it should not be an issue: Machine Account Password Process
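As an added example (not code from the answer above or from Microsoft), here is how the staging OU, the policy, and the disable/enable steps described in this answer could be scripted from a domain admin session with the RSAT ActiveDirectory and GroupPolicy modules. The OU names, the GPO name, and writing the setting as a registry policy (the policy corresponds to the Netlogon DisablePasswordChange value) are my assumptions.

```powershell
# Added example, not from the original answer. Assumes RSAT ActiveDirectory and
# GroupPolicy modules and a domain admin session. OU and GPO names are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN  = (Get-ADDomain).DistinguishedName
$stagingOU = "OU=Staging Computers,$domainDN"
$workingOU = "OU=Workstations,$domainDN"          # the "working container" from the question
$gpoName   = "Staging - Disable machine account password changes"

# 1. Create the staging OU once.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'Staging Computers'" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name "Staging Computers" -Path $domainDN
}

# 2. Create the GPO once and set the policy. The Security Options entry
#    "Domain member: Disable machine account password changes" is the Netlogon
#    DisablePasswordChange registry value; written as a registry policy the client
#    ends up with the same value, but GPMC lists it under extra registry settings.
try   { $gpo = Get-GPO -Name $gpoName -ErrorAction Stop }
catch { $gpo = New-GPO -Name $gpoName }
Set-GPRegistryValue -Name $gpoName `
    -Key "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" `
    -ValueName "DisablePasswordChange" -Type DWord -Value 1 | Out-Null
if (-not ((Get-GPInheritance -Target $stagingOU).GpoLinks | Where-Object DisplayName -eq $gpoName)) {
    New-GPLink -Name $gpoName -Target $stagingOU | Out-Null
}

# 3. Park a freshly joined computer: move it to staging and disable the account
#    (the mitigation from the answer) so no unused, enabled account is left behind.
#    The client must process the GPO (gpupdate /force) before it is shut down.
function Suspend-StagedComputer([string]$Name) {
    $c = Get-ADComputer -Identity $Name
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $stagingOU
    Disable-ADAccount -Identity $Name
}

# 4. Put it into service: enable the account and move it to the working OU.
#    On the client, run gpupdate /force and reboot so normal policy resumes.
function Resume-StagedComputer([string]$Name) {
    Enable-ADAccount -Identity $Name
    $c = Get-ADComputer -Identity $Name
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $workingOU
}
```

After a computer is released, `gpresult /r` on the client shows which GPOs applied, and `Test-ComputerSecureChannel` confirms the secure channel to the domain is intact.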

Correct, the password is managed by the client, and machine account password age is not enforced by domain controllers. Clients also do not change the password unless online. The trust relationship issue is not related. I've had notebooks offline for over a year and they still work. A lot of places clean up/disable old computer accounts, though.
Another scenario: Create computer with name A. Shut down computer for extended period. Create another computer with the same name. Turn A back on.