windows-itpro-docs/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md
hiromi-shindo a22827309f Update domain-member-maximum-machine-account-password-age.md
The previous request modifies the value of MaximumPasswordAge, but docs still discuss value of 0.
2019-08-20 23:26:36 +09:00


title: Domain member Maximum machine account password age (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Domain member Maximum machine account password age security policy setting.
ms.assetid: 0ec6f7c1-4d82-4339-94c0-debb2d1ac109
ms.reviewer:
ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 06/27/2019

Domain member: Maximum machine account password age

Applies to

  • Windows 10

Describes the best practices, location, values, and security considerations for the Domain member: Maximum machine account password age security policy setting.

Reference

The Domain member: Maximum machine account password age policy setting determines when a domain member submits a password change.

In Active Directory-based domains, each device has an account and password. By default, the domain member itself submits a password change every 30 days. You can extend or reduce this interval. Additionally, you can use the Domain member: Disable machine account password changes policy to disable the password change requirement completely. However, before you consider this option, review the implications as described in Domain member: Disable machine account password changes.

Important

Significantly increasing the password change interval (or disabling password changes) gives an attacker more time to undertake a brute-force password-guessing attack against one of the machine accounts.

For more information, see Machine Account Password Process.

Possible values

  • User-defined number of days between 1 and 999, inclusive
  • Not defined

Best practices

  1. We recommend that you set Domain member: Maximum machine account password age to about 30 days. Setting the value to fewer days can increase replication and affect domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The additional replication churn would affect domain controllers in large organizations that have many computers or slow links between sites.
  2. Some organizations pre-build computers and then store them for later use or ship them to remote locations. When a computer is turned on after being offline more than 30 days, the Netlogon service notices the password age and initiates a secure channel to a domain controller to change it. If the secure channel cannot be established, the computer does not authenticate with the domain. For this reason, some organizations might want to create a special organizational unit (OU) for computers that are prebuilt, and then configure the value for this policy setting to a greater number of days.
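The pre-built-computer scenario in step 2, worked through as an added PowerShell example (this is not code from the original article or from Microsoft): a GPO scoped to a dedicated OU raises the maximum age for stored computers only, and a helper checks and repairs the secure channel of a machine that comes back online after its password has aged out. The OU distinguished name, GPO name, domain controller name and 90-day value are assumptions; the GroupPolicy RSAT module is assumed to be installed on the admin workstation.

```powershell
# Added example: scope a longer machine account password age to a "pre-built" OU
# and repair the secure channel of a machine that returns from the shelf.
# Assumed (hypothetical) names: OU, GPO name, DC name and the 90-day value.
Import-Module GroupPolicy

$NetlogonKey  = 'HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$PrebuiltOu   = 'OU=Prebuilt,DC=corp,DC=example'    # assumption
$GpoName      = 'Prebuilt - Machine Password Age'    # assumption
$PrebuiltDays = 90                                   # longer than the 30-day default, still bounded

# 1. Create (or reuse) the GPO and write the registry value that the Security
#    Option "Domain member: Maximum machine account password age" maps to on the
#    client: REG_DWORD MaximumPasswordAge (days) under Netlogon\Parameters.
#    Caveat: Set-GPRegistryValue stores this in Registry.pol, so GPMC reports it
#    under "Extra Registry Settings" rather than under Security Options; the
#    member ends up with the same registry value either way.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Pre-built computers that are stored offline'
}
Set-GPRegistryValue -Name $GpoName -Key $NetlogonKey `
    -ValueName 'MaximumPasswordAge' -Type DWord -Value $PrebuiltDays | Out-Null
# Make it explicit that changes stay enabled for this OU (never disable them).
Set-GPRegistryValue -Name $GpoName -Key $NetlogonKey `
    -ValueName 'DisablePasswordChange' -Type DWord -Value 0 | Out-Null

# Link the GPO to the pre-built OU only, so every other computer keeps 30 days.
$existingLink = (Get-GPInheritance -Target $PrebuiltOu).GpoLinks |
    Where-Object DisplayName -eq $GpoName
if (-not $existingLink) {
    New-GPLink -Name $GpoName -Target $PrebuiltOu -LinkEnabled Yes | Out-Null
}

# 2. Run on a member that was offline longer than its password age. If Netlogon
#    can no longer establish the secure channel, reset the machine password
#    against a reachable DC instead of rejoining the domain.
function Repair-MachineSecureChannel {
    param(
        [string]$Server = 'dc01.corp.example',                 # assumption
        [Parameter(Mandatory)][pscredential]$Credential        # account allowed to reset the computer password
    )
    if (Test-ComputerSecureChannel -Server $Server -Verbose) {
        Write-Host 'Secure channel OK; Netlogon will change the password on its own schedule.'
        return $true
    }
    # Generates a new machine password, sets it in AD via $Server and stores it
    # locally, which restores the secure channel without a domain rejoin.
    Reset-ComputerMachinePassword -Server $Server -Credential $Credential
    return (Test-ComputerSecureChannel -Server $Server)
}

# Usage on the returned computer (elevated):
# Repair-MachineSecureChannel -Credential (Get-Credential 'CORP\helpdesk-join')
```

Run the GPO part once from an administrative workstation; run the repair function on the affected computer as a local administrator. Test-ComputerSecureChannel returns $true when the channel is healthy, so the function returns $false only if the reset itself failed to restore it.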

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Default values

The following table lists the actual and effective default values for this policy. Default values are also listed on the policy's property page.

Server type or GPO                          Default value
Default Domain Policy                       Not defined
Default Domain Controller Policy            Not defined
Stand-Alone Server Default Settings         30 days
DC Effective Default Settings               30 days
Member Server Effective Default Settings    30 days
Client Computer Effective Default Settings  30 days

Policy management

This section describes features and tools that are available to help you manage this policy.

Restart requirement

None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy.

Security considerations

This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.

Vulnerability

By default, the domain members submit a password change every 30 days. If you increase this interval significantly, or disable password changes so that computers never submit one, an attacker has more time to undertake a brute-force attack to guess the password of one or more computer accounts.

Countermeasure

Configure the Domain member: Maximum machine account password age setting to 30 days.
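An added PowerShell example (not code from the original article or from Microsoft) that turns the vulnerability and countermeasure above into something a practitioner can run: it reads the two related Netlogon settings on the local member and rates them, lists domain computer accounts whose password has not rotated within the expected window (the observable symptom of a raised or disabled change interval), and optionally resets the local value to the 30-day default. The registry value names are the ones the Security Options map to; the function names, the risk labels and the use of the ActiveDirectory RSAT module for the domain query are this example's assumptions.

```powershell
# Added example: audit, detect and remediate the machine account password age.
# Registry location (effective setting on the member; days as REG_DWORD):
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-MachinePasswordPolicy {
    # Effective values of the two Security Options that govern machine
    # password changes, as stored on this computer. Missing value = Windows default.
    $p = Get-ItemProperty -Path $NetlogonParams
    $age      = if ($null -ne $p.MaximumPasswordAge) { [int]$p.MaximumPasswordAge } else { 30 }
    $disabled = if ($null -ne $p.DisablePasswordChange) { [int]$p.DisablePasswordChange -eq 1 } else { $false }
    [pscustomobject]@{
        MaximumPasswordAgeDays = $age
        ChangesDisabled        = $disabled
        # Risk labels are this example's own: above 30 days widens the guessing
        # window; disabled changes mean the password never rotates.
        Risk = if ($disabled) { 'High' } elseif ($age -gt 30) { 'Elevated' } else { 'Baseline' }
    }
}

function Find-StaleComputerPassword {
    # Enabled computer accounts whose password is older than $MaxAgeDays.
    # With the 30-day default a healthy, online member should never exceed ~30
    # days; accounts far beyond that are offline (pre-built/stored), not rotating
    # because of a raised or disabled setting, or abandoned and due for cleanup.
    param([int]$MaxAgeDays = 30, [string]$SearchBase)
    Import-Module ActiveDirectory
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    $query = @{
        Filter     = 'Enabled -eq $true'
        Properties = 'PasswordLastSet', 'OperatingSystem', 'LastLogonDate'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }
    Get-ADComputer @query |
        Where-Object { $_.PasswordLastSet -lt $cutoff } |   # null PasswordLastSet is flagged too
        Select-Object Name, OperatingSystem, PasswordLastSet,
            @{ n = 'PasswordAgeDays'; e = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } },
            LastLogonDate |
        Sort-Object PasswordAgeDays -Descending
}

function Set-MachinePasswordPolicyDefault {
    # The countermeasure from the article: 30-day maximum age, changes enabled.
    # Requires local administrator rights; no restart is needed.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($NetlogonParams, 'Set MaximumPasswordAge=30, DisablePasswordChange=0')) {
        Set-ItemProperty -Path $NetlogonParams -Name MaximumPasswordAge    -Value 30 -Type DWord
        Set-ItemProperty -Path $NetlogonParams -Name DisablePasswordChange -Value 0  -Type DWord
    }
}

# Usage:
Get-MachinePasswordPolicy
# Find-StaleComputerPassword -MaxAgeDays 60 | Format-Table -AutoSize
# Set-MachinePasswordPolicyDefault -WhatIf
```

Set-MachinePasswordPolicyDefault fixes a single member; if the value is delivered through Group Policy, the next policy refresh writes the GPO's value back, so correct it in the GPO instead. Accounts that Find-StaleComputerPassword reports with a very old PasswordLastSet and an equally old LastLogonDate are usually decommissioned computers rather than evidence of a bad setting; those with recent logons but stale passwords are the ones to investigate.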

Potential impact

None. This is the default configuration.