Machine Account Password Process

?????. Directory Service ?? Manish Singh???. ?? ??? ??? machine account password process? ?? ?????. Active Directory?? machine account? ??? ????? ????? ????? ?? ?? ?? ??? ??? ??? ??? ?? ???? ?????.

??: ??? ?? AD? machine password account? ?? ???. (?? ?? Windows ????? ??? ?? ?? ???)?

??: ???? 30??? computer? ??? machine account password? ?????. Windows 2000 ?? Windows? ?? ??? ??? ?? ????. ? ?? ???? Active Directory? ?? ???? ???? ? ????.

Domain member: Maximum machine account password age

?? security policy? ?? ???? ???? ? ????.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

?? : ?? workstation? password? ???? ???? network? ??? ? ? ????

?? : Machine account password? Active Directory??? ?? ?? ????. ???Domain? password policy ???? ?????. ??? ??? machine account password? CLIENT(computer)? ??? ???? AD? ??? ???? ????. ???? ??? ??? disable??? delete ?? ???? ??? ???? computer? ???? ???? computer? machine account password? ??? ?? ?? ????? ? ?? ?????? ??????.

??? ?? computer? 3? ?? ??? ????? expire ?? ????. ??? ???? ????? ? password? 30? ?? ?? ???? ???? ?? ??? ???? ???. ????? ???? Netlogon service? ??? ??? ?????. ??? ??? machine? ?? ?? ????? ???? ?????.

Local?? ??? password? ???? ?? DC? secure channel? ????? ???? ???. ?? ?????? DC? ??? ? ? ??? local?? password? ???? ?? ???.

??? Netlogon parameter?? ??? ??? ??? ? ????:

ScavengeInterval (default 15 minutes),
MaximumPasswordAge (default 30 days)
DisablePasswordChange (default off).

DisablePasswordChange? ????? ???? computer account password? ???? ??? ??? ? ????.

Warning: ??? machine account password change? disable??? security risk? ?? ? ????. ???? secure channel? pass-through authentication? ???? ?????. ?? ???? password? ?? ???, domain controller? ??? pass-through authentication? ??? ???? ????.

?? ???? automatic machine account password change? ???? ?? ?? ???? ????.

KB 154501

Key = HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
Value = DisablePasswordChange REG_DWORD
Default = 0

Group policy setting:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Domain member: Disable machine account password changes

ScavengeInterval? ??? ?? workstation scavenger thread? ??? ? ?????. Workstation scavenger? ??? ?? machine password? ????? ?? ??? ???.

Value: ScavengeInterval REG_DWORD 60 to 172800 Seconds (48 hours)
Default : 900 (15 minutes)

MaximumPasswordAge? ?? computer password? ????? ??? ?? ???.

Key = HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
Value = MaximumPasswordAge REG_DWORD
Default = 30
Range = 1 to 1,000,000 (in days)

Group policy setting:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Domain member: Maximum machine account password age

Windows NT?? ?? ??? 7??? Windows 2000 ??? ?? ??? 30????.

Trust password? ??? ??? ????. ??? ? NT 4 domain?? Trust? 7????. Windows 2000?? ? ????? ??? 30?? ?? ???.

??? ?? 2000? NT4 trust password? 30?? ?? ???.

2000? 2000? 30?

2000? 2003? 30?

2003? 2003? 30?

Netlogon service? Workstation service? ??? ??? scavenger thread? wake up ???. ?? password? MaximumPasswordAge?? ???? ???, scavenger thread? ?? sleep ??? ???? ?? password? ??? ????? ? wake up ??? ?? ??? ???? ???.

??? ??? scavenger thread? password? ????? ???? ???. ?? DC? ??? ? ??? ?? sleep ??? ?? ?? ScavengeInterval minutes ??? ?? ???? ???.

ScavengeInterval ??? Active Directory? group policy ???? ???? ??? ? ????.

Group policy setting:
Computer Configuration\Administrative Templates\System\Netlogon\Scavenge Interval

??? ??? ?? ? ? ??? ??? ?? ??? ?????.



?? : ???? ??? password? ??? ??????

?? : ?? Windows ??? ???? ?? password? ??? ??? password? ???? machine account password history? ??? ????. ? ???? ?? authentication? ???? ?? password? ?? ??? ?? ???? ???, Windows? ??? password? ???? ???. ?? password ??? ?? ??? ?? ?? ???? ???? ??? ? ? ?? ?? ???? ???? ???.

??????? machine account? ????? ??? ???? ?? ?? ???? member? ??? domain controller? ???? ???. ?? ? ??? ???? ?? local? machine account password? ???? ???.

?? local? password? ??? ??? Active Directory? password? ?????. ?? Active Directory?? ??? ???? ??? ?? password? ?? ??? rollback?? ????.

Machine password? local copy? ?? ??? ?? ???:


?? password? ?? password? CurrVal & OldVal Keys ?? ???? ???.

Active Directory??? password? unicodepwd ? lmpwdHistory? ?????. ??? timestamp ? pwdlastset attribute? ?????. (??? ? ?? format?? ???? ??? ??? ????.)

· attribute? ?? decimal?? hex ??? convert???. (calc.exe ??)

· ?? ?? ??? ??? ????.(?? part? 8bit???)

· nltest /time: ???hex ??hex ? ?????.
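The decimal-to-hex conversion in the steps above, scripted so that exported pwdLastSet values can be checked in bulk. This is an added example, not code from the original post. The computer names, the sample values and the `overdue` helper are constructed for illustration, and the 30-day limit is the MaximumPasswordAge default listed on this page.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DEFAULT_MAX_AGE_DAYS = 30  # MaximumPasswordAge default listed on this page


def filetime_to_utc(pwd_last_set):
    """pwdLastSet counts 100-nanosecond intervals since 1601-01-01 UTC."""
    if pwd_last_set <= 0:
        raise ValueError("pwdLastSet carries no timestamp")
    return FILETIME_EPOCH + timedelta(microseconds=pwd_last_set // 10)


def nltest_halves(pwd_last_set):
    """Split the value into (low, high) 8-digit hex halves.

    nltest /time: takes the low half first, then the high half.
    """
    digits = f"{pwd_last_set:016X}"
    return digits[8:], digits[:8]


def overdue(accounts, now, max_age_days=DEFAULT_MAX_AGE_DAYS):
    """Return (name, age_in_days) for passwords older than the limit.

    The change is initiated by the client, so an old value means the
    client has not rotated (offline, or DisablePasswordChange is set).
    AD itself does not expire the account.
    """
    hits = []
    for name, value in accounts.items():
        age = (now - filetime_to_utc(value)).days
        if age > max_age_days:
            hits.append((name, age))
    return sorted(hits, key=lambda hit: -hit[1])


# Constructed sample export: computer name -> pwdLastSet (decimal)
SAMPLE = {
    "WS01$": 133485408000000000,  # 2024-01-01 00:00 UTC
    "WS02$": 133537248000000000,  # 2024-03-01 00:00 UTC
}

if __name__ == "__main__":
    now = datetime(2024, 3, 15, tzinfo=timezone.utc)
    for name, value in SAMPLE.items():
        low, high = nltest_halves(value)
        print(name, filetime_to_utc(value).isoformat(), f"nltest /time:{low} {high}")
    print("overdue:", overdue(SAMPLE, now))
```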

???? AD?? computer object? ??? ??? ??? ?????.

KB260575? ??? ??? ???? case?:

?? ?? password change interval? ??? ?? System Restore? ???? password? ???? ? ??? ????? ?? password ??? ??? ?? ???? ?? ???. ??, ????? ??? password? ?? ??? ??? ???? ???.

?? ????? ????? ?????. Machine? network? ???? ???? ?? ???

?????? ??? ?? ??? ? ????.

Old password = null

Current password = A

New random password = B

AD? machine account:

unicodePWD = A

30?? ?? ?? Scavenger thread? ???? ??

Old password = A

Current password = B

60?? ?? ??? ??? ??? ?????. ??? ??? ??? password? C?? ?? ??? ????:

Old password = B

Current password = C

?? client? AD? ???? authenticate?? password? ???? ???. Error? ?? ?? ??? ??? machine? 90?? ?? ??? password? ?? reset ? ? ??? ???.

How to detect and remove inactive machine accounts

Resetting computer accounts in Windows

?? KB ???? ?????:

How to disable automatic machine account password changes

Effects of machine account replication on a domain

Domain member: Disable machine account password changes

Domain member: Maximum machine account password age

Threats and Countermeasures

Account Passwords and Policies

????? Machine account password? ?????? ??? ???? AD? ??? ???? ?? ????. Netlogon scavenger thread? ??? ?? machine password? ???? ??? ??? group policy? ??? ??? ? ????.

Password? ??? ?? ???? ?? ???? ? ? AD? ??? ???? ???. ?? AD? ??? update? ? ?? ???? ?? password? ???rollback?? ????.