Domain member: Maximum machine account password age
Applies to
- Windows 11
- Windows 10
Describes the best practices, location, values, and security considerations for the Domain member: Maximum machine account password age security policy setting.
Reference
The Domain member: Maximum machine account password age policy setting determines when a domain member submits a password change.
In Active Directory–based domains, each device has an account and password. By default, the domain members submit a password change every 30 days. You can extend or reduce this interval. Additionally, you can use the Domain member: Disable machine account password changes policy to disable the password change requirement completely. However, before you consider this option, review the implications as described in Domain member: Disable machine account password changes.
Important
Significantly increasing the password change interval (or disabling password changes) gives an attacker more time to undertake a brute-force password-guessing attack against one of the machine accounts.
For more information, see Machine Account Password Process.
Possible values
- User-defined number of days between 1 and 999, inclusive
- Not defined
Best practices
We recommend that you set Domain member: Maximum machine account password age to about 30 days. Setting the value to fewer days can increase replication and affect domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The extra replication churn would affect domain controllers in large organizations that have many computers or slow links between sites.
Location
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.
| Server type or GPO | Default value |
|---|---|
| Default Domain Policy | Not defined |
| Default Domain Controller Policy | Not defined |
| Stand-Alone Server Default Settings | 30 days |
| DC Effective Default Settings | 30 days |
| Member Server Effective Default Settings | 30 days |
| Client Computer Effective Default Settings | 30 days |
Policy management
This section describes features and tools that are available to help you manage this policy.
Restart requirement
None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy.
Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
Vulnerability
By default, the domain members submit a password change every 30 days. If you increase this interval so that the computers no longer submit a password change, an attacker has more time to undertake a brute-force attack to guess the password of one or more computer accounts.
Countermeasure
Configure the Domain member: Maximum machine account password age setting to 30 days.
Potential impact
None. This non-impact state is the default configuration.