How often is the password for a computer account changed by active directory?

Security ID: The SID of the account that made an attempt to change a computer account.

Account Name: The name of the account that made an attempt to change a computer account.

Account Domain: The Subject's domain name. Formats could vary to include the NETBIOS name, the lowercase full domain name, or the uppercase full domain name.

Logon ID: The logon ID helps you correlate this event with recent events that might contain the same logon ID (e.g. event ID 4624).

SAM Account Name: The pre-Windows 2000 logon name.

Display Name: Usually a combination of the user's first name, middle initial, and last name. This attribute is optional for computer objects and is typically not preset.

User Principal Name: The internet-style login name for the account, based on the Internet standard RFC 822. By convention this should map to the account's email address. This attribute is optional for computer objects and is typically not preset.

Home Directory: The user's home directory. This attribute is optional for computer objects and is typically not preset.
If the homeDrive attribute is set and specifies a drive letter, the homeDirectory should be a Universal Naming Convention (UNC) path and the path must be a network UNC of the form \\Server\Share\Directory.

Home Drive: The drive letter to which to map the UNC path specified by the account's homeDirectory attribute. This attribute is optional for computer objects and is typically not preset.

Script Path: The path of the account’s logon script. This attribute is optional for computer objects and is typically not preset.

Profile Path: A path to the account's profile. This attribute is optional for computer objects and is typically not preset.

User Workstations: The list of NetBIOS or DNS names of the computers from which the user can log on. Each computer name is separated by a comma. This attribute is optional for computer objects and is typically not preset.

Password Last Set: The last time the account’s password was modified. For example, after manually resetting a computer account's password or automatically resetting it (for computer objects, passwords are reset every 30 days by default).

Account Expires: The date the account will expire. This attribute is optional for computer objects and is typically not preset.

Primary Group ID: The Relative Identifier (RID) of a computer object's primary group.

AllowedToDelegateTo: The list of Service Principal Names (SPNs) to which this account can present delegated credentials.

Old UAC Value: This specifies the flags that control password, lockout, disable/enable, script, etc. for the computer account. It contains the previous value of the computer object's userAccountControl attribute.

New UAC Value: If the value of userAccountControl attribute of the computer object was changed, you will see the new value here.

User Account Control: The list of changes in the userAccountControl attribute.

User Parameters: If you change any setting in the Dial-in tab of a user account's properties using the Active Directory Users and Computers management console, you will see it here.

SID History: This contains the previous SIDs used for the object if the object was moved from another domain.
Note: Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID.

Logon Hours: The hours during which the account is allowed to log on to the domain. This attribute is optional for computer objects and is typically not preset.

DNS Host Name: The name of the computer account as registered in DNS.

Service Principal Names: The list of SPNs registered for the computer account. If the value of the computer object's servicePrincipalName attribute was changed, you will see the new value here.

Privileges: The list of user privileges used during the operation.
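The fields listed above are those of event ID 4742 (a computer account was changed). As an added example that is not part of the original page, the following PowerShell function reads recent 4742 events from the Security log and projects the named EventData fields (SubjectUserName, TargetUserName, PasswordLastSet, OldUacValue, NewUacValue, UserAccountControl, DnsHostName, ServicePrincipalNames, SidHistory) into objects, so that the routine 30-day password updates can be separated from changes a defender actually wants to look at. The function name, the default window of 24 hours and the use of the local machine are assumptions; it must run where the Security log is readable (a domain controller or a collector that receives forwarded events).

```powershell
# Added example (not from the original page): list 4742 "computer account was
# changed" events and expose the fields described above as object properties.
function Get-ComputerAccountChange {
    param(
        [int]$Hours = 24,                            # assumption: look back one day
        [string]$ComputerName = $env:COMPUTERNAME    # assumption: query the local log
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4742
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The named fields live under EventData/Data[@Name=...] in the event XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                Time            = $_.TimeCreated
                Subject         = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                SubjectLogonId  = $data.SubjectLogonId        # correlate with 4624
                Computer        = $data.TargetUserName        # SAM account name, ends in $
                PasswordLastSet = $data.PasswordLastSet
                OldUacValue     = $data.OldUacValue
                NewUacValue     = $data.NewUacValue
                UacChanges      = $data.UserAccountControl    # '-' when unchanged
                DnsHostName     = $data.DnsHostName
                SPNs            = $data.ServicePrincipalNames
                SidHistory      = $data.SidHistory
            }
        }
}

# Usage: the computer's own scheduled password change shows up as a 4742 where
# the subject is the computer account and only PasswordLastSet moved. Filter
# those out and keep events where a UAC flag, SIDHistory or the SPN list changed.
Get-ComputerAccountChange -Hours 72 |
    Where-Object { $_.UacChanges -ne '-' -or $_.SidHistory -ne '-' -or $_.SPNs -ne '-' } |
    Format-Table Time, Subject, Computer, UacChanges, SidHistory, SPNs -AutoSize
```

Unchanged fields are rendered as a single hyphen in the event, which is why the filter compares against '-'. A 4742 whose subject is not the computer account itself, or whose SidHistory field is populated, is worth reviewing against change records.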

Many of us have questions about how often the machine account password changes in AD on the various Windows operating systems.

So, by default, the machine account password change is initiated by the computer every 30 days. Since Windows 2000, all Windows versions have used the same value. Admins can modify this behaviour using the following GPO setting in AD.

Domain member: Maximum machine account password age

Setting path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

How often is the password for a computer account changed by active directory?

What happens if a workstation does not change its password? Will it not be allowed to log onto the network?

Machine account passwords do not expire in Active Directory. They are exempt from the domain's password policy. It is important to remember that machine account password changes are driven by the client machines, not by AD.

As long as no one has disabled or deleted the computer account, nor tried to add a computer with the same name to the domain, the computer will continue to work no matter how long it has been since its machine account password was last changed.

So, if a computer is turned off for three months nothing expires. When the computer starts up, it will notice that its password is older than 30 days and will initiate action to change it.

The Netlogon service on the client computer is responsible for doing this. This is only applicable if the machine is turned off for such a long time.

Before we set the new password locally, we ensure we have a valid secure channel to the DC. If the client was never able to connect to the DC (where "never" means any time prior to the time of the attempt, i.e. the time to refresh the secure channel), then we will not change the password locally.

The relevant Netlogon parameters that come into play, and that we can think about changing here, are:

  • ScavengeInterval (default 15 minutes)
  • MaximumPasswordAge (default 30 days)
  • DisablePasswordChange (default off)

DisablePasswordChange would prevent the client computer from changing its computer account password.

Key = HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
Value = DisablePasswordChange REG_DWORD
Default = 0

Group policy setting:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Domain member: Disable machine account password changes

Warning: If you disable machine account password changes, there are security risks because the secure channel is used for pass-through authentication. If someone discovers a password, he or she can potentially perform pass-through authentication to the domain controller.

ScavengeInterval controls how often the workstation scavenger thread runs – the workstation scavenger is responsible for changing the machine password if necessary:

HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
Value: ScavengeInterval REG_DWORD 60 to 172800 Seconds (48 hours)
Default : 900 (15 minutes)

MaximumPasswordAge determines when the computer password needs to be changed.

Key = HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
Value = MaximumPasswordAge REG_DWORD
Default = 30
Range = 1 to 1,000,000 (in days)

Group policy setting:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Domain member: Maximum machine account password age
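The three Netlogon values above (DisablePasswordChange, ScavengeInterval, MaximumPasswordAge) are what an auditor checks on a member server to confirm the rotation is still in force. The following PowerShell function is an added example, not part of the original page: it reads the Netlogon Parameters key, applies the documented defaults when a value is absent, and reports findings against the defaults and ranges quoted in the text (30 days, 60 to 172800 seconds). The function name and the choice to treat anything above 30 days as a finding are assumptions.

```powershell
# Added example (not from the original page): audit the local Netlogon
# parameters that govern machine account password rotation.
function Test-MachinePasswordPolicy {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $p   = Get-ItemProperty -Path $key -ErrorAction Stop

    # A missing value means the default documented above applies.
    $disable  = if ($null -ne $p.DisablePasswordChange) { [int]$p.DisablePasswordChange } else { 0 }
    $maxAge   = if ($null -ne $p.MaximumPasswordAge)    { [int]$p.MaximumPasswordAge }    else { 30 }
    $scavenge = if ($null -ne $p.ScavengeInterval)      { [int]$p.ScavengeInterval }      else { 900 }

    $findings = @()
    if ($disable -ne 0) {
        $findings += 'DisablePasswordChange=1: this computer never rotates its account password'
    }
    if ($maxAge -gt 30) {
        # Assumption: anything longer than the 30-day default is reported.
        $findings += "MaximumPasswordAge=$maxAge days exceeds the 30-day default"
    }
    if ($scavenge -lt 60 -or $scavenge -gt 172800) {
        $findings += "ScavengeInterval=$scavenge seconds is outside the 60..172800 range"
    }

    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        DisablePasswordChange  = $disable
        MaximumPasswordAgeDays = $maxAge
        ScavengeIntervalSec    = $scavenge
        Findings               = $findings
        Compliant              = ($findings.Count -eq 0)
    }
}

# Usage: run on each member server; a non-empty Findings list needs follow-up.
Test-MachinePasswordPolicy | Format-List
```

Because the group policy settings listed above simply write these same registry values, the function reports the effective configuration regardless of whether it was set by policy or by hand.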

To clear things up, it is 7 days on Windows NT by default, and 30 days on Windows 2000 and up. The trust password follows the same setting. So, a trust between two NT 4 domains is 7 days. Trusts between Windows 2000 and up and anything else are 30 days. So, what this means is:

  • 2000 and NT4 trust password is 30 days
  • 2000 to 2000 is 30 days
  • 2000 to 2003 is 30 days
  • 2003 to 2003 is 30 days

After the Netlogon service starts, the Workstation service scavenger thread wakes up. If the password is not older than MaximumPasswordAge, the scavenger thread goes back to sleep and sets itself to wake up when the password will reach that age. Otherwise, the scavenger thread will attempt to change the password. If it cannot talk to a DC, it will go back to sleep and try again after the ScavengeInterval has elapsed.

The ScavengeInterval setting can be modified to a custom value using the group policy setting in Active Directory.

Group policy setting:
Computer Configuration\Administrative Templates\System\Netlogon\Scavenge Interval

How do computers use passwords?

Each Windows-based computer maintains a machine account password history containing the current and previous passwords used for the account. When two computers attempt to authenticate with each other and a change to the current password is not yet received, Windows then relies on the previous password. If the sequence of password changes exceeds two changes, the computers involved may be unable to communicate, and you may receive error messages.

When a client determines that the machine account password needs to be changed, it tries to contact a domain controller for the domain of which it is a member to change the password on the domain controller. If this operation succeeds, it then updates the machine account password locally.

The client first changes the password locally and then attempts to update it in Active Directory. If the domain controller is configured with security policy “Domain Controller: Refuse machine account password changes” (i.e. RefusePasswordChange), then the client rolls back locally to the previous password. If the password change fails, however, the client keeps the new password locally and keeps trying to set it on the scavenge interval until it succeeds.

The local copy of the machine password is stored under:

HKLM\SECURITY\Policy\Secrets\$machine.ACC

We store the current password and the previous password under the CurrVal and OldVal keys respectively. In Active Directory, we store the password in unicodepwd and lmpwdHistory. We also store the timestamp in the pwdlastset attribute. The method to convert it into a readable format is:

  • Convert the value in the attribute from decimal to hex (using calc.exe)
  • Split the result into two equal parts (8 bits for each part)
  • Run nltest /time: rightsidehex leftsidehex

The resultant value is the date and time the password was set on this computer object in AD. If you use System Restore after the password change interval expired one time, and you restore the computer to a point before the password changes, the next password change may not occur when it is due. Instead, the operating system treats the restore as if the password was changed.
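The three-step conversion above (decimal to hex, split, nltest /time) can be carried out in PowerShell, and the same 64-bit value can be converted directly, since pwdLastSet is a Windows FILETIME (100-nanosecond intervals since 1601-01-01 UTC). The following is an added example and not code from the original page: ConvertFrom-PwdLastSet produces the two hex halves in the order nltest expects (low part first) together with the direct .NET conversion, and Get-StaleComputerPassword uses it to list computer objects whose password is older than a threshold. The function names, the 45-day threshold and the sample FILETIME are assumptions; the second function needs the ActiveDirectory module from RSAT and a domain connection.

```powershell
# Added example (not from the original page): decode pwdLastSet and find
# computer accounts that have not rotated their password on schedule.
function ConvertFrom-PwdLastSet {
    param([Parameter(Mandatory)][long]$PwdLastSet)

    # pwdLastSet is a FILETIME: 100-ns ticks since 1601-01-01 00:00:00 UTC.
    # 0 means the password has never been set; report that instead of 1601.
    if ($PwdLastSet -eq 0) {
        return [pscustomobject]@{ PwdLastSet = 0; NltestArgs = $null; SetTimeUtc = $null; AgeDays = $null }
    }

    $hex  = '{0:X16}' -f $PwdLastSet      # 16 hex digits, zero padded
    $high = $hex.Substring(0, 8)          # "left side" in the steps above
    $low  = $hex.Substring(8, 8)          # "right side"
    $set  = [DateTime]::FromFileTimeUtc($PwdLastSet)

    [pscustomobject]@{
        PwdLastSet = $PwdLastSet
        NltestArgs = "/time:$low $high"   # nltest takes the low part first
        SetTimeUtc = $set
        AgeDays    = [math]::Round(((Get-Date).ToUniversalTime() - $set).TotalDays, 1)
    }
}

# Requires the ActiveDirectory module (RSAT). Lists computers whose password
# is older than the threshold; assumption: 45 days = 30-day default plus slack.
function Get-StaleComputerPassword {
    param([int]$Days = 45)

    Get-ADComputer -Filter * -Properties pwdLastSet |
        ForEach-Object {
            $info = ConvertFrom-PwdLastSet -PwdLastSet ([long]$_.pwdLastSet)
            [pscustomobject]@{
                Name       = $_.Name
                SetTimeUtc = $info.SetTimeUtc
                AgeDays    = $info.AgeDays
            }
        } |
        Where-Object { $null -eq $_.AgeDays -or $_.AgeDays -gt $Days } |
        Sort-Object AgeDays -Descending
}

# Constructed sample: the FILETIME for 2024-01-01 00:00:00 UTC.
ConvertFrom-PwdLastSet -PwdLastSet 133485408000000000 | Format-List

# Usage against the domain (needs RSAT and domain credentials):
# Get-StaleComputerPassword -Days 45 | Format-Table -AutoSize
```

A computer that shows up as stale is not locked out (the page explains that nothing expires), but it is either powered off, unable to reach a DC, or has DisablePasswordChange set, each of which is worth confirming.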

Now consider the scenario, when a machine is not connected to the network for a long period. Supposing on the client:

  • Old password = null
  • Current password = A
  • New random password = B

And on the machine account in AD:

  • unicodePWD = A

After 30 days when the Scavenger thread runs, the value would be:

  • Old Password = A
  • Current Password = B

At 60th day the same process happens again. So now the newly generated password is C and the values are:

  • Old password = B
  • Current Password = C

Now when the client connects to Active Directory, it will try the current password to authenticate. When that fails with an error. Otherwise, the machine should be able to reset its password once it boots, even after, say, 90 days.
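The scavenger logic (wake up, compare age with MaximumPasswordAge, retry after ScavengeInterval), the local-first change with rollback when the DC refuses and retention when the set fails, and the two-deep local history (CurrVal and OldVal) described in the preceding sections can be modelled in a few dozen lines. The PowerShell below is an added example and not code from the original page: it simulates a client account through a set of scavenger passes against a DC that is reachable, unreachable, refusing changes, or failing the set, and after each pass reports whether the local and DC copies still agree well enough for a secure channel. All passwords, dates and DC responses are constructed; nothing touches a real machine or domain.

```powershell
# Added example (not from the original page): a model of client-side machine
# account password rotation. Passwords are placeholder strings.
class MachineAccountModel {
    [string]$OldVal                 # models ...\Secrets\$machine.ACC\OldVal
    [string]$CurrVal                # models ...\Secrets\$machine.ACC\CurrVal
    [datetime]$PwdLastSet           # local view of when the password was set
    [string]$DcPwd                  # models unicodePwd on the computer object
    [bool]$Pending = $false         # local change not yet accepted by a DC
    [int]$MaxAgeDays = 30           # MaximumPasswordAge default
    hidden [int]$n = 0

    MachineAccountModel([string]$initial, [datetime]$setAt) {
        $this.CurrVal = $initial; $this.DcPwd = $initial; $this.PwdLastSet = $setAt
    }

    # One scavenger pass at $now. $dc models the DC: 'ok', 'unreachable',
    # 'refuse' (Refuse machine account password changes) or 'setfail'
    # (secure channel fine, but the password set itself failed).
    [string] Scavenge([datetime]$now, [string]$dc) {
        if ($this.Pending) {
            if ($dc -eq 'ok') { $this.DcPwd = $this.CurrVal; $this.Pending = $false; return 'pending password accepted by DC' }
            return 'pending password, retry after ScavengeInterval'
        }
        if (($now - $this.PwdLastSet).TotalDays -lt $this.MaxAgeDays) { return 'not due, sleep until due' }
        if ($dc -eq 'unreachable') { return 'no secure channel, nothing changed locally, retry after ScavengeInterval' }

        $this.n++
        $new     = 'pw{0}' -f $this.n
        $prevOld = $this.OldVal
        $this.OldVal = $this.CurrVal; $this.CurrVal = $new        # local change first
        switch ($dc) {
            'ok'      { $this.DcPwd = $new; $this.PwdLastSet = $now; return "rotated to $new" }
            'refuse'  { $this.CurrVal = $this.OldVal; $this.OldVal = $prevOld; return 'DC refused, rolled back locally' }
            'setfail' { $this.Pending = $true; $this.PwdLastSet = $now; return "kept $new locally, DC still has $($this.DcPwd)" }
        }
        return "unknown dc state '$dc'"
    }

    # Secure channel setup succeeds if the DC copy matches CurrVal or OldVal,
    # i.e. the two-deep history; a third change would break the pairing.
    [bool] CanAuthenticate() {
        return ($this.DcPwd -eq $this.CurrVal) -or ($this.DcPwd -eq $this.OldVal)
    }
}

function Invoke-RotationScenario {
    $t0 = Get-Date '2024-01-01'            # constructed start date
    $m  = [MachineAccountModel]::new('A', $t0)
    $steps = @(
        @{ Day = 1;   Dc = 'ok' },          # not due yet
        @{ Day = 30;  Dc = 'unreachable' }, # due, no DC: local copy untouched
        @{ Day = 30;  Dc = 'ok' },          # retry succeeds: pw1 on both sides
        @{ Day = 60;  Dc = 'refuse' },      # DC refuses: rolled back to pw1
        @{ Day = 61;  Dc = 'setfail' },     # set fails: pw2 kept locally only
        @{ Day = 61;  Dc = 'ok' },          # retry pushes pw2 to the DC
        @{ Day = 150; Dc = 'ok' }           # machine was off ~90 days: still valid, rotates once
    )
    foreach ($s in $steps) {
        $msg = $m.Scavenge($t0.AddDays($s.Day), $s.Dc)
        '{0,4} {1,-12} {2,-64} curr={3} old={4} dc={5} auth={6}' -f `
            $s.Day, $s.Dc, $msg, $m.CurrVal, $m.OldVal, $m.DcPwd, $m.CanAuthenticate()
    }
}

Invoke-RotationScenario
```

The 'setfail' step is the case the text describes where the client keeps the new password locally: the DC still holds the previous value, which is exactly the situation the two-deep history exists to tolerate, and auth stays true until a second unacknowledged change would push the DC's copy out of the pair.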

How often do computer account passwords change?

Answer: The machine account password change is initiated by the computer every 30 days by default. Since Windows 2000, all versions of Windows have had the same value. This behavior can be modified to a custom value using the "Domain member: Maximum machine account password age" group policy setting in Active Directory.

Does Active Directory manage passwords?

Active Directory lets you enforce set standards for passwords used by team members, requiring them to follow certain policies when they create a password. Unfortunately, gaining control over password policies isn't always easy for IT security professionals and administrators.

How does Active Directory track password changes and resets?

Open “Event Viewer” ➔ “Windows Logs” ➔ “Security” logs. Search for event ID 4724 in “Security” logs. This ID identifies a user account whose password is reset. You can scroll down to view the details of the user account whose password was reset.

What does Active Directory reset computer account do?

Resetting a computer account breaks that computer's connection to the domain and requires it to rejoin the domain. Note: this will prevent an established computer from connecting to the domain and should only be used for a computer that has just been rebuilt.