Thursday, December 9, 2010

What will happen to laptops / computers that don’t sign into the corporate Active Directory domain for months?

Throughout the years of working with Microsoft Active Directory, I’ve been asked the following questions plenty of times:

“What will happen to laptops / computers that don’t sign into the corporate Active Directory domain for months?”

OR

“Why can’t I log into the domain after traveling out of the country? It was working 2 months ago.”

The explanation starts with the accounts most people never see. Aside from the regular user accounts that end users are aware of, Active Directory also contains a computer account for each domain controller, member server, desktop and laptop. A computer account has a password just as a user account does: the member keeps its copy locally, the domain controller keeps the hash in the directory, and the two are compared whenever the member sets up its secure channel to a domain controller. By default that password is changed every 30 days, transparently to the user. The detail that matters for the questions above is who drives the change: the member computer does, not the domain controller. The Netlogon service on the client notices that its password is older than the configured maximum, generates a new one and writes it to a domain controller. The domain controller itself never expires a computer account password.

What this means for users who travel to remote places without network access for more than 30 days is that the laptop does not lose its account. It simply skips the change until it can reach a domain controller again, and when it comes back its locally stored password still matches what the directory holds, so the user logs on as before (while away, cached credentials are what let the user log on to the laptop at all). When a returning laptop does fail with the familiar “trust relationship” error, the cause is a mismatch rather than age: the machine was restored from an image or backup taken before an earlier password change, or the computer account was reset, deleted or recreated in the domain while it was away. The fix in that case is to re-establish the secure channel by resetting the computer account password from the client or rejoining the domain, not to change a policy. While I haven’t been asked the following question quite as much as the previous ones, it does come up from time to time:

“Why does Active Directory do this?”

The short answer I usually give is that the password is what lets a domain controller verify that a machine is the one that was joined, and rotating it is part of the security design. The machine password is a credential like any other, and a copy of it (a cloned disk, an old full backup, a secret pulled from a stolen laptop) is only useful to an attacker until the legitimate member changes the password again. With the 30-day default that window is bounded; without rotation the copy would stay valid indefinitely.
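The following PowerShell is an added example and is not part of the original post. It checks both sides of the mechanism described above: on a domain member it reads the Netlogon parameters that drive the change and tests whether the locally stored machine password still matches what the directory holds, and from a workstation with the RSAT ActiveDirectory module it lists computer accounts whose password has not been rotated in a while. The 90-day threshold and the use of the ActiveDirectory module are assumptions.

```powershell
# Added example, not from the original post.
# Part 1 runs on a domain member (PowerShell 2.0 or later).
# Part 2 runs wherever the RSAT ActiveDirectory module is installed.

# --- Part 1: what the member itself knows ------------------------------------
# Netlogon on the member initiates the password change; these are the registry
# values the "Domain member: ..." security options write. MaximumPasswordAge is
# in days.
$nl = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$p  = Get-ItemProperty -Path $nl
New-Object PSObject -Property @{
    MaximumPasswordAge    = $p.MaximumPasswordAge      # absent means the 30-day default
    DisablePasswordChange = $p.DisablePasswordChange   # 1 = the member never changes it
}

# The question for a returning laptop is whether the local secret still matches
# AD, not how old it is. Test-ComputerSecureChannel returns $false only when the
# two disagree (the real "trust relationship" failure); a member that has simply
# been offline for months still returns $true.
if (Test-ComputerSecureChannel -Verbose) {
    'Secure channel OK: the machine password still matches the directory.'
} else {
    Write-Warning 'Secure channel broken: the local machine password no longer matches AD.'
    # Re-key from the client with domain-admin credentials (needs a reachable DC):
    #   Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
}

# --- Part 2: what the directory knows ----------------------------------------
Import-Module ActiveDirectory
$days   = 90                                 # assumption: report anything older than 90 days
$cutoff = (Get-Date).AddDays(-$days)

# PasswordLastSet is the decoded pwdLastSet attribute. An old value alone does
# not mean the account is broken; combined with LastLogonDate (the replicated
# lastLogonTimestamp, accurate to roughly 14 days) it shows which machines have
# not been back at all, which is the stale-account cleanup case.
Get-ADComputer -Filter * -Properties PasswordLastSet, LastLogonDate, OperatingSystem |
    Where-Object { $_.PasswordLastSet -lt $cutoff } |
    Select-Object Name, OperatingSystem, PasswordLastSet, LastLogonDate |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize
```

Run Part 1 on the laptop that “cannot log into the domain”: if the secure channel test passes, the computer account is not the problem and the password age is a red herring; if it fails, the `-Repair` line re-keys the account in place without a rejoin.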

The last question I get asked after communicating this information to clients is:

“Is there a way to change this?”

The short answer I always give is “Yes” with a “but”, and the “but” has two parts. First, this is a setting on the domain member, not on the domain controller. It is normally delivered through Group Policy, so it can be scoped to an organizational unit (say, the travelling laptops) rather than applied to every computer in the domain, and it can also be set in the registry of a single machine under the Netlogon Parameters key. Second, lengthening the interval, or switching the change off altogether with “Domain member: Disable machine account password changes”, widens the window in which a copied machine credential keeps working. Say Terence takes a full backup of someone’s desktop and restores it to another desktop: voila, the copy has a valid computer account on the domain, and with the default setting it stays valid only until the original rotates its password, at which point one of the two stops working. Make the interval a year and the copy stays valid for a year.

In case anyone is wondering, the following are the steps to take to change the maximum computer password age:

Windows Server 2003 Domain Controller

Log onto a domain controller and open the Group Policy Management Console.

Edit the Default Domain Policy (or, better, a policy linked only to the OU that holds the computers you want to change).

Navigate to: Computer Configuration –> Windows Settings –> Security Settings –> Local Policies –> Security Options and select: Domain member: Maximum machine account password age.

This setting is where you change the maximum machine (computer) account password age. The value is in days and the default is 30.

Windows Server 2008 Domain Controller

The only difference on a 2008 domain controller is the arrangement of the nodes leading to the setting (a Policies node now sits under Computer Configuration):

Navigate to: Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Local Policies –> Security Options and select: Domain member: Maximum machine account password age.

What’s nice about a Windows 2008 domain controller is that there’s actually an Explain tab that reads:

Domain member: Maximum machine account password age

This security setting determines how often a domain member will attempt to change its computer account password.

Default: 30 days.

Important

This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.
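The same change done without the GUI, as an added example that is not part of the original post. It shows the two scopes the steps above do not cover: a single machine, through the registry value the security option maps to, and a GPO linked only to one OU instead of the Default Domain Policy. The OU distinguished name, the GPO name and the 90-day value are assumptions; the GroupPolicy module needs RSAT or Windows Server 2008 R2 or later.

```powershell
# Added example, not from the original post.

# Option 1: a single machine, no Group Policy involved. Netlogon reads this key
# directly. A GPO that configures the same setting overwrites the value at the
# next policy refresh, so this is for machines no GPO covers.
$nl = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Set-ItemProperty -Path $nl -Name MaximumPasswordAge -Type DWord -Value 90   # days; 90 is an assumption
# Back to the 30-day default:
#   Remove-ItemProperty -Path $nl -Name MaximumPasswordAge
# Do not set DisablePasswordChange = 1 here unless you accept that a cloned disk
# keeps a working machine account indefinitely.

# Option 2: a GPO linked only to the OU that holds the travelling laptops, instead
# of editing Default Domain Policy. Requires the GroupPolicy module. The OU and
# the GPO name are assumptions.
Import-Module GroupPolicy
$ou  = 'OU=Laptops,DC=corp,DC=example'
$gpo = New-GPO -Name 'Machine account password age 90 days'
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
    -ValueName MaximumPasswordAge -Type DWord -Value 90 | Out-Null
New-GPLink -Name $gpo.DisplayName -Target $ou | Out-Null
# Caveat: Set-GPRegistryValue writes a registry-based policy (registry.pol). It
# applies to the members, but GPMC reports it under "Extra Registry Settings",
# not under Security Options. To have it appear under Security Options, edit the
# same OU-linked GPO in the GPMC exactly as the steps above show.

# Verify on a member after gpupdate /force (or the next policy refresh):
(Get-ItemProperty -Path $nl).MaximumPasswordAge    # expect 90
```

Whichever route you take, the setting is read by the member, so verifying it means reading the Netlogon Parameters key on the laptop, not looking at the domain controller.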


Hope this helps anyone out there that wants a better understanding of computer passwords in Active Directory.

2 comments:

Willie Sager said...

Very informative and well written post! Quite interesting and nice topic chosen for the post.


infopath signatures said...

I just stumbled upon your blog tonight! I'm so excited to use some of your great ideas!!! Thank you so much for sharing. I really appreciate it :)