Security Assessment: Change Domain Controller computer account old password
This recommendation lists all domain controller’s computer accounts with password last set over 45 days ago.
Organization risk
A Domain Controller (DC) is a server in an Active Directory (AD) environment that manages user authentication and authorization, enforces security policies, and stores the AD database. It handles logins, verifies permissions, and ensures secure access to network resources. Multiple DCs provide redundancy for high availability.
Domain Controllers with old passwords are at heightened risk of compromise and could be more easily taken over. Attackers can exploit outdated passwords, gaining prolonged access to critical resources and weakening network security. It could indicate a Domain controller that is no longer functioning in the domain.
Remediation steps
Verify Registry Values:
HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange is set to 0 or is nonexistent.
HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge is set to 30.
Reset Incorrect Values:
- Reset any incorrect values to their default settings.
- Check Group Policy Objects (GPOs) to ensure they do not override these settings.
If these values are correct, check if the NETLOGON service is started with sc.exe query netlogon.
Validate Password Synchronization by Running nltest /SC_VERIFY: (with DomainName being the domain NetBIOS name) can check the synchronization status and should display0 0x0 NERR_Success for both verifications.
Tip
For more information about commuter account’s password process check this blog post about Machine accounts password process.