Re: UserAcccountControl
- From: "Drew" <Drew@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 5 Jan 2006 11:01:02 -0800
I have a GPO that sets the age to 14 days. And I have the settings reapply
even when settings have not changed, so even if overwritten locally, they
should revert back to 14 days during the periodic refresh, or at the very
least, at next restart.
Do you agree?
Does this configuration resolve your concerns with using the passwordlastset
attribute?
Can you elaborate more on how some VPN applications can interfere with this?
Thanks
"Joe Richards [MVP]" wrote:
> Yes, the useraccountcontrol flag has no bearing on whether computers will change
> passwords or not. Unfortunately, there really isn't much you can do TO enforce
> it, computer passwords do not expire and the client chooses whether or not it
> will change the password or not. You can set a policy that says computers will
> change their passwords in x days (by default this is already in place of 30 days
> for 2K or better and 7 days for NT4) but that can still be overridden at the
> local client with various VPN packages etc.
>
> As for the uac setting, it is up to you if you want to change them or not, there
> is no harm either way.
>
> You might want to look at a tool I wrote to help with cleaning up accounts. It
> is called oldcmp.
>
> http://www.joeware.net/win/free/tools/oldcmp.htm
>
> If you have a domain functional K3 Domain you can tell it to use
> lastlogontimestamp instead of password last set. The tool will not let you
> immediately delete, you must disable first. Then I recommend you leave accounts
> disabled for a while prior to deleting.
>
> Basically there is NO guaranteed way of determining if an account is in use or
> not. It is all best effort.
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> Drew wrote:
> > I want to ensure that my machine accounts change their password on a regular
> > basis. So I can weed out the stale accounts.
> >
> > Does it matter what value they have set? Will they still change their
> > passwords even when set to 4128?
> >
> > It does appear that the machines with the 41xx value were created using
> > ADUC, the others were created during the initial AD migration, when some tool
> > was used to migrate them to AD.
> >
> > Should I run a script that changes all the values from 4130 to 4098 and 4128
> > to 4096?
> >
> >
> > "Joe Richards [MVP]" wrote:
> >
> >> It depends on how the accounts are created on what useraccountcontrol value they
> >> will have. The "password not reqd" flag isn't necessary, it is a bug in ADUC
> >> that leaves that flag set when creating the machine accounts.
> >>
> >> joe
> >>
> >> --
> >> Joe Richards Microsoft MVP Windows Server Directory Services
> >> www.joeware.net
> >>
> >>
> >> Drew wrote:
> >>> I have seen a similar page like this before. What it appears to be telling
> >>> me is that those accounts with values 41xx are machine accounts that do not
> >>> require a password.
> >>>
> >>> How is this possible?
> >>>
> >>> I have been unable to find a way to enable the "password not required" for
> >>> machine accounts, outside of changing the UserAccountControl attribute nor
> >>> have I run any script that would have changed this?
> >>>
> >>> "Jerold Schulman" wrote:
> >>>
> >>>> On Wed, 28 Dec 2005 07:28:03 -0800, "Drew" <Drew@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> >>>>
> >>>>> Hello Gooroos
> >>>>>
> >>>>> I have a question regarding the UserAccountControl attribute for
> >>>>> workstations in AD. I have some XP machine accounts that have a
> >>>>> useraccountcontrol value of
> >>>>>
> >>>>> Enabled - 4096
> >>>>> Disabled - 4098
> >>>>>
> >>>>> then I also have some that show
> >>>>>
> >>>>> Enabled - 4128
> >>>>> Disabled - 4130
> >>>>>
> >>>>> why am I seeing this discrepancy?
> >>>> See tip 8071 » How can I decode the userAccountControl attribute?
> >>>> in the 'Tips & Tricks' at http://www.jsifaq.com
> >>>>
> >>>>
> >>>> 4096 is WORKSTATION_TRUST_ACCOUNT
> >>>> 4098 is WORKSTATION_TRUST_ACCOUNT and ACCOUNTDISABLE
> >>>>
> >>>> 4128 is WORKSTATION_TRUST_ACCOUNT and PASSWD_NOTREQD
> >>>> 4130 is WORKSTATION_TRUST_ACCOUNT and PASSWD_NOTREQD and ACCOUNTDISABLE
> >>>>
> >>>> Jerold Schulman
> >>>> Windows Server MVP
> >>>> JSI, Inc.
> >>>> http://www.jsiinc.com
> >>>> http://www.jsifaq.com
> >>>>
>
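The thread ends up with two separate pieces: Jerold's decoding of the userAccountControl bits (4096, 4098, 4128, 4130) and Joe's advice to age computer accounts on pwdLastSet or lastLogonTimestamp and to disable before deleting, because no method is more than best effort. The following Python example is added here to show how those pieces fit together; it is not code from the thread, from Joe's oldcmp tool or from Microsoft. The flag table uses the documented userAccountControl bit values; the sample computer records, the `SAMPLE_NOW` date and the 30-day threshold are constructed assumptions for the demonstration.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags. The four named in the thread are here, plus a
# few other documented flags so the decoder also works for user accounts.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}


def decode_uac(value: int) -> list[str]:
    """Names of the flags set in a userAccountControl value, lowest bit first.
    decode_uac(4130) -> ACCOUNTDISABLE, PASSWD_NOTREQD, WORKSTATION_TRUST_ACCOUNT."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


# AD stores pwdLastSet and lastLogonTimestamp as FILETIME values:
# 100-nanosecond ticks since 1601-01-01 00:00 UTC. A value of 0 means
# "never set", which decodes to the 1601 epoch and therefore counts as stale.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400 * 10_000_000
            + delta.seconds * 10_000_000
            + delta.microseconds * 10)


def triage_computers(records, now, max_age_days=30):
    """Decode each computer's flags and age its password against a threshold.

    max_age_days defaults to the 30-day machine password change interval the
    thread mentions for Windows 2000 and later. lastLogonTimestamp (available
    at Windows 2003 domain functional level) is stored in the same FILETIME
    format and can be substituted for pwdLastSet without changing this code.
    """
    findings = []
    for rec in records:
        flags = decode_uac(rec["userAccountControl"])
        age_days = (now - filetime_to_datetime(rec["pwdLastSet"])).days
        findings.append({
            "name": rec["name"],
            "flags": flags,
            "disabled": "ACCOUNTDISABLE" in flags,
            "passwd_notreqd": "PASSWD_NOTREQD" in flags,
            "pwd_age_days": age_days,
            "stale": age_days > max_age_days,
        })
    return findings


def disable_candidates(findings) -> list[str]:
    """Enabled accounts whose password is stale. Following the thread's advice,
    these are candidates to disable first, not to delete outright."""
    return [f["name"] for f in findings if f["stale"] and not f["disabled"]]


# Constructed sample data (assumption, not real directory contents). The
# "current time" is pinned to the date of the post so results are repeatable.
SAMPLE_NOW = datetime(2006, 1, 5, 19, 1, 2, tzinfo=timezone.utc)


def _set_days_ago(days: int) -> int:
    return datetime_to_filetime(SAMPLE_NOW - timedelta(days=days))


SAMPLE_RECORDS = [
    {"name": "WS-001", "userAccountControl": 4096, "pwdLastSet": _set_days_ago(10)},
    {"name": "WS-002", "userAccountControl": 4098, "pwdLastSet": _set_days_ago(120)},
    {"name": "WS-003", "userAccountControl": 4128, "pwdLastSet": _set_days_ago(45)},
    {"name": "WS-004", "userAccountControl": 4130, "pwdLastSet": _set_days_ago(200)},
]

if __name__ == "__main__":
    for f in triage_computers(SAMPLE_RECORDS, SAMPLE_NOW):
        print(f"{f['name']}: {', '.join(f['flags'])}; "
              f"pwd age {f['pwd_age_days']}d; stale={f['stale']}")
    print("disable candidates:", disable_candidates(SAMPLE_RECORDS and
          triage_computers(SAMPLE_RECORDS, SAMPLE_NOW)))
```

Two points from the thread are visible in the output: the PASSWD_NOTREQD bit on WS-003 and WS-004 is reported but does not affect the ageing logic, since it has no bearing on whether a computer rotates its password, and a stale password on an already disabled account (WS-002, WS-004) is not a new action item, which is why the disable candidate list only names WS-003.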