

Machine Account Password Process

?????. Directory Service ?? Manish Singh???. ?? ??? ??? machine account password process? ?? ?????. Active Directory?? machine account? ??? ????? ????? ????? ?? ?? ?? ??? ??? ??? ??? ?? ???? ?????.

??: ??? ?? AD? machine password account? ?? ???. (?? ?? Windows ????? ??? ?? ?? ???)?

??: ???? 30??? computer? ??? machine account password? ?????. Windows 2000 ?? Windows? ?? ??? ??? ?? ????. ? ?? ???? Active Directory? ?? ???? ???? ? ????.

Domain member: Maximum machine account password age

?? security policy? ?? ???? ???? ? ????.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

?? : ?? workstation? password? ???? ???? network? ??? ? ? ????

?? : Machine account password? Active Directory??? ?? ?? ????. ???Domain? password policy ???? ?????. ??? ??? machine account password? CLIENT(computer)? ??? ???? AD? ??? ???? ????. ???? ??? ??? disable??? delete ?? ???? ??? ???? computer? ???? ???? computer? machine account password? ??? ?? ?? ????? ? ?? ?????? ??????.

??? ?? computer? 3? ?? ??? ????? expire ?? ????. ??? ???? ????? ? password? 30? ?? ?? ???? ???? ?? ??? ???? ???. ????? ???? Netlogon service? ??? ??? ?????. ??? ??? machine? ?? ?? ????? ???? ?????.

Local?? ??? password? ???? ?? DC? secure channel? ????? ???? ???. ?? ?????? DC? ??? ? ? ??? local?? password? ???? ?? ???.

??? Netlogon parameter?? ??? ??? ??? ? ????:

ScavengeInterval (default 15 minutes)
MaximumPasswordAge (default 30 days)
DisablePasswordChange (default off)

DisablePasswordChange? ????? ???? computer account password? ???? ??? ??? ? ????.

Warning: ??? machine account password change? disable??? security risk? ?? ? ????. ???? secure channel? pass-through authentication? ???? ?????. ?? ???? password? ?? ???, domain controller? ??? pass-through authentication? ??? ???? ????.

?? ???? automatic machine account password change? ???? ?? ?? ???? ????.

KB 154501

Key = HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
Value = DisablePasswordChange REG_DWORD
Default = 0

Group policy setting:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Domain member: Disable machine account password changes

ScavengeInterval? ??? ?? workstation scavenger thread? ??? ? ?????. Workstation scavenger? ??? ?? machine password? ????? ?? ??? ???.

Key = HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
Value = ScavengeInterval REG_DWORD
Default = 900 (15 minutes)
Range = 60 to 172800 (in seconds; 48 hours)

MaximumPasswordAge? ?? computer password? ????? ??? ?? ???.

Key = HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
Value = MaximumPasswordAge REG_DWORD
Default = 30
Range = 1 to 1,000,000 (in days)

Group policy setting:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Domain member: Maximum machine account password age
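
The three Netlogon values above can be audited on a domain member with the following added example (not part of the original article or any Microsoft tooling). The function name `Get-NetlogonPasswordSettings` is hypothetical; the key path, value names, defaults and ranges are the ones listed on this page, and a missing value is treated as the default.

```powershell
# Added example: report the effective machine account password settings.
# Reads only the Netlogon Parameters key listed on this page.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters'

# Defaults and ranges as given on this page (DisablePasswordChange is a 0/1 switch).
$spec = [ordered]@{
    DisablePasswordChange = @{ Default = 0;   Min = 0;  Max = 1 }
    MaximumPasswordAge    = @{ Default = 30;  Min = 1;  Max = 1000000 }  # days
    ScavengeInterval      = @{ Default = 900; Min = 60; Max = 172800 }   # seconds
}

function Get-NetlogonPasswordSettings {
    param([string]$Path = $key)

    # $props stays $null if the key cannot be read; every value then falls back to its default.
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue

    foreach ($name in $spec.Keys) {
        $s   = $spec[$name]
        $raw = $null
        if ($props -and ($props.PSObject.Properties.Name -contains $name)) {
            $raw = $props.$name
        }
        $effective = if ($null -ne $raw) { [int64]$raw } else { $s.Default }

        # Classify the value: out of range, password change disabled, or merely non-default.
        $finding = 'OK'
        if ($effective -lt $s.Min -or $effective -gt $s.Max) {
            $finding = 'Out of documented range'
        } elseif ($name -eq 'DisablePasswordChange' -and $effective -eq 1) {
            $finding = 'Automatic password change disabled'
        } elseif ($effective -ne $s.Default) {
            $finding = 'Non-default'
        }

        [pscustomobject]@{
            Name       = $name
            Configured = ($null -ne $raw)
            Effective  = $effective
            Default    = $s.Default
            Finding    = $finding
        }
    }
}

Get-NetlogonPasswordSettings | Format-Table -AutoSize
```

A `Finding` of `Automatic password change disabled` corresponds to the configuration the warning above describes as a security risk.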

Windows NT?? ?? ??? 7??? Windows 2000 ??? ?? ??? 30????.

Trust password? ??? ??? ????. ??? ? NT 4 domain?? Trust? 7????. Windows 2000?? ? ????? ??? 30?? ?? ???.

??? ?? 2000? NT4 trust password? 30?? ?? ???.

2000? 2000? 30?

2000? 2003? 30?

2003? 2003? 30?

Netlogon service? Workstation service? ??? ??? scavenger thread? wake up ???. ?? password? MaximumPasswordAge?? ???? ???, scavenger thread? ?? sleep ??? ???? ?? password? ??? ????? ? wake up ??? ?? ??? ???? ???.

??? ??? scavenger thread? password? ????? ???? ???. ?? DC? ??? ? ??? ?? sleep ??? ?? ?? ScavengeInterval minutes ??? ?? ???? ???.

ScavengeInterval ??? Active Directory? group policy ???? ???? ??? ? ????.

Group policy setting:
Computer Configuration\Administrative Templates\System\Netlogon\Scavenge Interval

??? ??? ?? ? ? ??? ??? ?? ??? ?????.

https://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/55944.mspx?mfr=true

KB260575.

?? : ???? ??? password? ??? ??????

?? : ?? Windows ??? ???? ?? password? ??? ??? password? ???? machine account password history? ??? ????. ? ???? ?? authentication? ???? ?? password? ?? ??? ?? ???? ???, Windows? ??? password? ???? ???. ?? password ??? ?? ??? ?? ?? ???? ???? ??? ? ? ?? ?? ???? ???? ???.

??????? machine account? ????? ??? ???? ?? ?? ???? member? ??? domain controller? ???? ???. ?? ? ??? ???? ?? local? machine account password? ???? ???.

?? local? password? ??? ??? Active Directory? password? ?????. ?? Active Directory?? ??? ???? ??? ?? password? ?? ??? rollback?? ????.

Machine password? local copy? ?? ??? ?? ???:

HKLM\SECURITY\Policy\Secrets\$machine.ACC

?? password? ?? password? CurrVal & OldVal Keys ?? ???? ???.

Active Directory??? password? unicodepwd ? lmpwdHistory? ?????. ??? timestamp ? pwdlastset attribute? ?????. (??? ? ?? format?? ???? ??? ??? ????.)

· attribute? ?? decimal?? hex ??? convert???. (calc.exe ??)

· ?? ?? ??? ??? ????.(?? part? 8bit???)

· nltest /time: ???hex ??hex ? ?????.

???? AD?? computer object? ??? ??? ??? ?????.

KB260575? ??? ??? ???? case?:

?? ?? password change interval? ??? ?? System Restore? ???? password? ???? ? ??? ????? ?? password ??? ??? ?? ???? ?? ???. ??, ????? ??? password? ?? ??? ??? ???? ???.

?? ????? ????? ?????. Machine? network? ???? ???? ?? ???

?????? ??? ?? ??? ? ????.

Old password = null

Current password = A

New random password = B

AD? machine account:

unicodePWD = A

30?? ?? ?? Scavenger thread? ???? ??

Old password = A

Current password = B

60?? ?? ??? ??? ??? ?????. ??? ??? ??? password? C?? ?? ??? ????:

Old password = B

Current password = C

?? client? AD? ???? authenticate?? password? ???? ???. Error? ?? ?? ??? ??? machine? 90?? ?? ??? password? ?? reset ? ? ??? ???.

How to detect and remove inactive machine accounts
https://support.microsoft.com/default.aspx?scid=kb;EN-US;197478

Resetting computer accounts in Windows
https://support.microsoft.com/default.aspx?scid=kb;EN-US;216393

?? KB ???? ?????:

How to disable automatic machine account password changes
https://support.microsoft.com/default.aspx?scid=kb;EN-US;154501

Effects of machine account replication on a domain
https://support.microsoft.com/default.aspx?scid=kb;EN-US;175468

Domain member: Disable machine account password changes
https://technet.microsoft.com/en-us/library/cc785826.aspx

Domain member: Maximum machine account password age
https://technet.microsoft.com/en-us/library/cc781050.aspx

Threats and Countermeasures
https://technet.microsoft.com/hi-in/library/dd162275(en-us).aspx

Account Passwords and Policies
https://technet.microsoft.com/en-us/library/cc783860.aspx

????? Machine account password? ?????? ??? ???? AD? ??? ???? ?? ????. Netlogon scavenger thread? ??? ?? machine password? ???? ??? ??? group policy? ??? ??? ? ????.

Password? ??? ?? ???? ?? ???? ? ? AD? ??? ???? ???. ?? AD? ??? update? ? ?? ???? ?? password? ???rollback?? ????.