From 6bf65f32102ba5813e9693155d5cd77c4c539bfc Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 31 May 2018 09:01:57 -0700 Subject: [PATCH] added best practice back --- .../domain-member-maximum-machine-account-password-age.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md index d7cba5795f..54bd39472d 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md @@ -32,8 +32,9 @@ For more information, see [Machine Account Password Process](https://blogs.techn ### Best practices -It is often advisable to set **Domain member: Maximum machine account password age** to about 30 days. +1. It is often advisable to set **Domain member: Maximum machine account password age** to about 30 days. Setting the value to fewer days can increase replication and impact domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The additional replication churn would impact domain controllers in large organizations with many computers or slow links between sites. +2. Some organizations pre-build computers and then store them for later use or ship them to remote locations. When a computer starts after being offline more than 30 days, the Netlogon service will notice the password age and initiate a secure channel to a domain controller to change it. If the secure channel cannot be established, the computer will not authenticate with the domain. For this reason, some organizations might want to create a special organizational unit (OU) for computers that are prebuilt, and configure the value for this policy setting to a larger number of days. ### Location