AD pass interval duration set to long period implication

johncasper
New Contributor

Just a thought about this and wonder what other experiences have been with this.

We have been using the default 14 days for some time and discovered it doesn't work well with some devices going off-campus for long periods of time. So, I could extend it to 90 or even 180 days, which could work.

I wonder if anyone has had a similar situation and what kind of implications extending it to a longer period would have for AD, clients, etc.?


triding
New Contributor III

Set it to zero, works perfectly. We have had no problems since we made this simple change over two years ago.

dsconfigad -passinterval 0

davidacland
Honored Contributor II

We often set it to 0 for devices that are off the network for extended periods of time.

I've known a few AD admins that use the password change functionality to detect and clear out stale computer records, so you could lose that ability, but other than that it's a positive change.

johncasper
New Contributor

Thanks heaps for the comments and looking from a broader perspective.

Setting pass interval to 0 seems like the most likely solution, but like @davidacland said, we may lose the ability to clear out stale computers. I would actually like that manageability of detecting and even managing computers that have not been on campus for some time...

HollyShort
New Contributor

If they don't check in with the Casper Suite when they are off-campus, you could create a smart group with the criteria "Last Check-In" and the operator "more than x days ago". At least the detection should work with that.

Graeme
Contributor

AD has both a last login timestamp and a last password reset timestamp (assuming you have updated AD in the last 13 years :-)). Oldcmp is a Windows command line tool that will list, or list and delete, computers that have not logged in for x number of days.

AD computer account passwords do not expire; they change every thirty days but don't expire. They will not stop a computer logging on if it has not done so for (say) 2 years. What will cause a problem is if the computer is restored to a previous state from before the last password change. It will then pick up the password it was using at the time (which is now out of date) and lose AD binding.

Setting the password change interval to never (0) is not recommended by Microsoft, as computer accounts are "security principals" and it is possible for a hacker to access your domain using a cracked password. How great the risk is (and everything is a risk assessment) I don't know, but my uneducated thoughts are that it would be fairly low.

Regards
Graeme
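As an added example (not from the thread or any poster), here is a small Python check of the trade-off davidacland and Graeme describe: once a Mac stops rotating its computer account password, pwdLastSet no longer tracks activity and lastLogonTimestamp has to carry the staleness detection. The two attribute names are real AD attributes; the exported account records and reference date are constructed.

```python
# Added example, not from the thread: flag stale AD computer accounts using
# lastLogonTimestamp or pwdLastSet, assuming both were exported as raw Integer8
# FILETIME values (100 ns ticks since 1601-01-01 UTC). Records are constructed.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def filetime_to_datetime(ticks: int) -> datetime:
    """Integer8 FILETIME -> aware UTC datetime; integer math keeps it exact."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * TICKS_PER_SECOND + d.microseconds * 10


def stale_computers(records, now, max_days, attribute="lastLogonTimestamp"):
    """Names of accounts whose `attribute` is older than max_days.

    pwdLastSet only moves when the machine rotates its account password, which a
    Mac bound with `dsconfigad -passinterval 0` never does. lastLogonTimestamp
    keeps moving but replicates lazily (up to ~14 days late), so size max_days accordingly.
    """
    cutoff = now - timedelta(days=max_days)
    return [r["name"] for r in records
            if filetime_to_datetime(r[attribute]) < cutoff]


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed reference time


def _days_ago(days: int) -> int:
    return datetime_to_filetime(NOW - timedelta(days=days))


# Constructed export. ROAM-MAC-03 runs passinterval 0: it logs on regularly but
# its password has not changed since it was bound two years ago.
SAMPLE = [
    {"name": "LAB-MAC-01$", "lastLogonTimestamp": _days_ago(3), "pwdLastSet": _days_ago(10)},
    {"name": "FIELD-MAC-02$", "lastLogonTimestamp": _days_ago(120), "pwdLastSet": _days_ago(125)},
    {"name": "ROAM-MAC-03$", "lastLogonTimestamp": _days_ago(5), "pwdLastSet": _days_ago(730)},
]

if __name__ == "__main__":
    # A pwdLastSet-based cleanup wrongly lists the active passinterval-0 host.
    print("by pwdLastSet:        ", stale_computers(SAMPLE, NOW, 90, "pwdLastSet"))
    print("by lastLogonTimestamp:", stale_computers(SAMPLE, NOW, 90))
```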