AD pass interval duration set to long period implication

johncasper
New Contributor

Just a thought about this and wonder what other experiences have been with this.

We have been using the default 14 days for sometime and discovered it doesn't work well with some devices going off-campus and for long period of time. So, I could extend it to 90 or even 180 days which could work.

I wonder if anyone has had similar situation and what kind of implication of extending it to a longer period to AD, client , etc?

5 REPLIES 5

triding
New Contributor III

Set it to zero, works perfectly. We have had no problems since we made this simple change over two years ago.

dsconfigad -passinterval 0

davidacland
Honored Contributor II

We often set it to 0 for devices that are off the network for extended periods of time.

I've known a few AD admins that use the password change functionality to detect and clear out stale computer records, so you could lose that ability, but other than that it's a positive change.

johncasper
New Contributor

Thanks heaps for the comments and looking from a broader perspective.

Setting pass interval to 0 seems like most likely solution but like @davidacland said, we may lose the ability to clear out stale computers. I would actually like that manageability of detecting and even manage computers that have not been on campus for sometime...

HollyShort
New Contributor

If they don't check in with the Casper Suite when they are off-campus, you could create a smart group with the criteria "Last Check-In" and the operator "more than x days ago". At least the detection should work with that.

Graeme
Contributor

AD has both a last login timestamp and a last password reset timestamp (assuming you have updated AD in the last 13 years :-)). Oldcmp is a windows command line tool that will list or list and delete computers that have not logged in for x number of days.

AD computer account passwords do not expire, they change every thirty days but don't expire They will not stop a computer logging on if it has not done so for (say) 2 years. What will cause a problem is if the computer is restored to previous state before the last password change. It will then pick up the password it was using at the time (which is now out of date) and loose AD binding.

Setting the password change interval to never (0) is not recommended by Microsoft as computer accounts are "security principals" and it is possible for a hacker to access your domain using a cracked password. How great the risk, and everything is a risk assessment I don't know but my uneducated thoughts think it would be fairly low.

Regards
Graeme