Export (0) Print
Expand All
Expand Minimize

Domain member: Maximum machine account password age

Published: November 15, 2012

Updated: November 15, 2012

Applies To: Windows 7, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Vista, Windows XP

This security policy reference topic for the IT professional describes the best practices, location, values, and security considerations for this policy setting.

The Domain member: Maximum machine account password age policy setting determines the maximum allowable age for a computer account password.

In Active Directory–based domains, each computer has an account and password, just like every user. By default, the domain members automatically change their domain password every 30 days. Increasing this interval significantly, or setting it to 0 so that the computers no longer change their passwords, gives a malicious user more time to undertake a brute-force password-guessing attack against one of the computer accounts.

  • User-defined number of days between 0 and 999

  • Not defined.

  1. It is often advisable to set Domain member: Maximum machine account password age to about 30 days.

  2. Some organizations prebuild computers and then store them for later use or ship them to remote locations. If the computer's account has expired, it will no longer be able to authenticate with the domain. Computers that cannot authenticate with the domain must be removed from the domain and rejoined to it. For this reason, some organizations might want to create a special organizational unit (OU) for computers that are prebuilt, and configure the value for this policy setting to a larger number of days.

GPO_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.

 

Server type or GPO Default value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

30 days

DC Effective Default Settings

30 days

Member Server Effective Default Settings

30 days

Client Computer Effective Default Settings

30 days

There are no differences in this policy between operating systems beginning with Windows Server 2003. This setting also applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on Windows 2000 computers.

This section describes features and tools that are available to help you manage this policy.

None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy.

This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.

In Active Directory–based domains, each computer has an account and password, just as every user does. By default, the domain members automatically change their domain password every 30 days. If you increase this interval significantly, or set it to 0 so that the computers no longer change their passwords, an attacker has more time to undertake a brute-force attack to guess the password of one or more computer accounts.

Configure the Domain member: Maximum machine account password age setting to 30 days.

None. This is the default configuration.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft