When you join a computer to a domain, a computer account is created and a password is shared between the computer and the domain. This secure channel password is stored together with the computer account on the domain controllers, and by default the computer changes it every 30 days.
Machine account passwords don't expire the way user account passwords do, because they are exempt from the domain-level password policy and from fine-grained password policies. Even a machine that has been offline for several months will continue to work when it comes back, no matter how long ago its machine account password was last changed.
This does not mean that a machine's password never changes; it is subject to a separate control. Machine password changes are initiated by the client computer, not by the domain controller, and are governed by the local MaximumPasswordAge setting, which defaults to 30 days. When a Windows machine boots (and periodically afterwards), the Netlogon service checks whether its password is older than MaximumPasswordAge and, if so, initiates a password change.
If you ever encounter machine account password problems, they are typically due to the machine account having been disabled or deleted, or to another computer with the same name having been joined to the domain. In these cases you can use the netdom.exe command-line utility with the resetpwd switch (or the Reset-ComputerMachinePassword PowerShell cmdlet) to reset the machine account's password without leaving and rejoining the domain.
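The repair procedure described above, as an added example that is not part of the original article. It is run in an elevated PowerShell session on the affected member computer; the domain controller name and the credential are assumptions, and the account used must be allowed to reset the computer object's password.

```powershell
# Added example: diagnose and repair a broken secure channel from the member computer.
# Assumptions (not from the article): DC01.corp.example is a reachable writable DC,
# and the prompted credential is permitted to reset this computer object.

$Dc   = 'DC01.corp.example'
$Cred = Get-Credential -Message 'Account allowed to reset this computer object'

# 1. Is the secure channel to the domain healthy? Returns $true/$false.
if (Test-ComputerSecureChannel -Server $Dc) {
    Write-Host "Secure channel with $Dc is intact; nothing to repair."
    return
}

# 2. Try the in-place reset first. This sets a new machine account password on the
#    computer and on the DC without disjoining, so the computer's SID, group
#    memberships and local profiles are untouched.
try {
    Reset-ComputerMachinePassword -Server $Dc -Credential $Cred -ErrorAction Stop
    Write-Host 'Machine account password reset via Reset-ComputerMachinePassword.'
}
catch {
    Write-Warning "Reset-ComputerMachinePassword failed: $($_.Exception.Message)"

    # 3. Fall back to the classic netdom.exe path from the article.
    #    /passwordd:* prompts for the password instead of placing it on the command line.
    #    /userd expects DOMAIN\user, which is what Get-Credential captures when typed that way.
    netdom.exe resetpwd /server:$Dc /userd:$($Cred.UserName) /passwordd:*
}

# 4. Verify. If this still fails, fix the cause in AD first (duplicate computer name,
#    disabled or deleted account); a reset cannot succeed against a missing object.
if (Test-ComputerSecureChannel -Server $Dc) {
    Write-Host 'Secure channel repaired.'
} else {
    Write-Warning 'Secure channel still broken; check the computer object in AD.'
}
```

Test-ComputerSecureChannel also accepts -Repair, which performs the same reset as Reset-ComputerMachinePassword in one step; the two-step form above is used so the failure of each step is visible.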
The Netlogon registry parameters that change the behavior of the machine password change process are MaximumPasswordAge, DisablePasswordChange, and ScavengeInterval. All three values live under the registry key HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
MaximumPasswordAge determines, in days, when the password needs to be changed and defaults to 30. It can be set to a value from 1 to 1,000,000. In a domain, this value can be centrally controlled with the Group Policy setting Domain member: Maximum machine account password age, located under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
The DisablePasswordChange value prevents a client computer from changing its machine account password when set to 1. It defaults to 0 (password changes enabled), and the security best practice is to leave it that way; the corresponding Group Policy setting is Domain member: Disable machine account password changes.
The ScavengeInterval value controls, in seconds, how often the Netlogon scavenger thread runs; this thread is what actually performs the machine password change when the password is older than MaximumPasswordAge. ScavengeInterval defaults to 900 (15 minutes) and can be set to a value from 60 to 172800 (48 hours). It can also be controlled with the Group Policy setting Computer Configuration\Administrative Templates\System\Net Logon\Scavenge Interval.
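An audit of the three parameters described above, together with the domain-side view of when each computer last rotated its password, as an added example that is not part of the original article. Part (a) needs only a member computer; part (b) assumes the ActiveDirectory module (RSAT) is installed. The 30-day expected value and the 90-day staleness threshold are assumptions chosen for illustration.

```powershell
# Added example: audit machine account password rotation.
#   a) read the local Netlogon parameters and flag weak settings
#   b) list enabled computer objects whose pwdLastSet is older than a threshold,
#      which points at long-offline machines or at DisablePasswordChange having been set
# Assumptions (not from the article): ActiveDirectory module available for part b;
# $ExpectedAge and $StaleAfter are illustrative values.

$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ExpectedAge = 30    # days; the MaximumPasswordAge the article recommends
$StaleAfter  = 90    # days; anything older than this deserves a look

# --- a) local parameters ---------------------------------------------------------
function Get-NetlogonPasswordSettings {
    # A missing value means the built-in default applies, so fall back to that default.
    $p = Get-ItemProperty -Path $NetlogonKey
    [pscustomobject]@{
        MaximumPasswordAgeDays = if ($null -ne $p.MaximumPasswordAge)   { [int]$p.MaximumPasswordAge }   else { 30 }
        DisablePasswordChange  = if ($null -ne $p.DisablePasswordChange) { [int]$p.DisablePasswordChange } else { 0 }
        ScavengeIntervalSec    = if ($null -ne $p.ScavengeInterval)      { [int]$p.ScavengeInterval }      else { 900 }
    }
}

$local = Get-NetlogonPasswordSettings
$local | Format-List

if ($local.DisablePasswordChange -ne 0) {
    Write-Warning 'DisablePasswordChange is set: this computer will never rotate its machine account password.'
}
if ($local.MaximumPasswordAgeDays -gt $ExpectedAge) {
    Write-Warning "MaximumPasswordAge is $($local.MaximumPasswordAgeDays) days, above the expected $ExpectedAge."
}
if ($local.ScavengeIntervalSec -lt 60 -or $local.ScavengeIntervalSec -gt 172800) {
    Write-Warning "ScavengeInterval $($local.ScavengeIntervalSec) is outside the documented 60..172800 range."
}

# --- b) domain view ----------------------------------------------------------------
function Get-StaleMachinePasswords {
    param([int]$Days = $StaleAfter)
    Import-Module ActiveDirectory
    $cutoff = (Get-Date).AddDays(-$Days)

    # pwdLastSet is exposed as PasswordLastSet; filtering on it is done server-side.
    Get-ADComputer -Filter { PasswordLastSet -lt $cutoff -and Enabled -eq $true } `
                   -Properties PasswordLastSet, OperatingSystem, LastLogonDate |
        Select-Object Name, OperatingSystem, PasswordLastSet, LastLogonDate,
                      @{ n = 'PasswordAgeDays'; e = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } } |
        Sort-Object PasswordAgeDays -Descending
}

Get-StaleMachinePasswords | Format-Table -AutoSize
```

A computer that shows up in part (b) but has logged on recently (LastLogonDate is fresh) is the interesting case: it is online yet not rotating, which usually means DisablePasswordChange was set on that host and part (a) should be run there.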
- It is generally advisable to leave the policy setting Domain member: Maximum machine account password age at its default of 30 days.
- Some organizations prebuild computers and then store them for later use or ship them to remote locations. Note that the machine account password itself does not expire on the domain controller (see above); a stored computer fails to authenticate when its account has been reset, disabled or deleted in the meantime, or when the computer was restored from an image captured before a later password change. A computer that cannot authenticate with the domain must have its machine account password reset, or be removed from the domain and rejoined. For this reason, some organizations create a dedicated organizational unit (OU) for prebuilt computers and configure a larger number of days for this policy setting there.