The Danger of Machine Account Password Changes

Every so often I am asked to help analyze weird issues when assigning group memberships or permissions - accounts are not found and the Event Log shows unsettling messages. Many of these situations can be traced back to the operating system using a different machine account password than the domain is aware of.

Yes, Machine Accounts Have Passwords!

Just like user accounts, a machine object in Active Directory has a password to identify the machine and to protect the machine account. This password can expire as well and needs to be changed regularly. Usually this happens automatically between the domain member and a domain controller without any intervention by the user. But sometimes a machine forgets its password - sort of …

How Can a Machine Forget its Password?

Don't worry! The machine account password is not lost by freak occurrence - but it is a common problem in virtual environments. Whenever a snapshot is restored, a virtual machine is prone to this issue.

By default, a machine account password is changed every 30 days. When a virtual machine has been in use for more than 30 days and is then reset to an earlier state, the snapshot contains an outdated password, causing the machine to lose its connection to the domain.

In the past, image-based backup and restore caused the same problem because the machine account password is stored in the image - but it happened less often. Creating an image of a system is very time-consuming - as is the restore process. Therefore, the issue occurred very seldom.

With the rise of operating system streaming (like Citrix Provisioning Server), the machine account password needs to be managed by the product, as reboots effectively reset a machine to a state predefined by a shared disk image. For example, Provisioning Server stores machine account passwords in the configuration database and updates the information whenever an automatic change occurs. Unfortunately, this process is prone to failure when the database is offline, although a snapshot is maintained by Provisioning Server (see Administrator's Guide, chapter 15, "Offline Database Support").

How to Resolve the Issue

The issue is very quickly resolved by re-joining the machine to the domain.

Configuring the Password Expiry

Contrary to user account password policy, the machine account password is managed by two options:

  • The change interval specifies the time between forced changes of the machine account password.
  • The expiry defines whether the machine account password expires at all.

Both options are configured through group policies under the following node:

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

  • Domain member: Disable machine account password changes
  • Domain member: Maximum machine account password age

Neither option is configured by default.
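To see what a domain member is actually using, the following added example (not part of the original post) reads the two registry values that these policies set under the Netlogon service and checks whether the machine's secure channel to the domain still works. The function names are made up for illustration; run it in an elevated PowerShell session on the domain member.

```powershell
# Added example: report the effective machine account password settings
# and the state of the secure channel on the local domain member.

function Get-MachinePasswordPolicy {
    # Registry key written by the two "Domain member:" security options.
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $values = Get-ItemProperty -Path $key -ErrorAction Stop

    # Absent values mean "not configured": changes enabled, 30-day interval.
    $disabled = $false
    if ($null -ne $values.DisablePasswordChange) {
        $disabled = [bool]$values.DisablePasswordChange
    }
    $maxAgeDays = 30
    if ($null -ne $values.MaximumPasswordAge) {
        $maxAgeDays = [int]$values.MaximumPasswordAge
    }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        PasswordChangeDisabled = $disabled
        MaximumPasswordAgeDays = $maxAgeDays
    }
}

function Test-DomainTrust {
    try {
        # $true when the secure channel between this computer and its domain works.
        [bool](Test-ComputerSecureChannel -ErrorAction Stop)
    } catch {
        # Thrown, for example, when the computer is not joined to a domain.
        Write-Warning "Secure channel check failed: $($_.Exception.Message)"
        $false
    }
}

Get-MachinePasswordPolicy |
    Add-Member -NotePropertyName SecureChannelOk `
               -NotePropertyValue (Test-DomainTrust) -PassThru
```

A `SecureChannelOk` of `False` right after a snapshot restore is the password mismatch described above.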

Best Practices in Virtual Environments

In virtualized environments, machine account password changes should be disabled. By preventing machines from changing this password automatically, domain synchronization issues are effectively remedied.
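When password changes are disabled, machine account passwords simply stop aging out, so it helps to know which accounts are affected. The following added example (not part of the original post) lists enabled computer accounts whose password is older than the change interval. It assumes the ActiveDirectory module from RSAT is installed; the function name, the grace period and the OU in the usage line are made up for illustration.

```powershell
# Added example: inventory computer accounts whose machine account password
# has not changed within the expected interval.
Import-Module ActiveDirectory

function Get-StaleMachinePassword {
    param(
        [int]$MaxAgeDays = 30,    # default change interval named in the article
        [int]$GraceDays  = 15,    # assumed tolerance for machines that were offline
        [string]$SearchBase       # optional: limit the search to one OU
    )

    $now    = Get-Date
    $cutoff = $now.AddDays(-($MaxAgeDays + $GraceDays))

    $query = @{
        Filter     = 'Enabled -eq $true'
        Properties = 'PasswordLastSet', 'LastLogonDate'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADComputer @query |
        Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff } |
        Select-Object Name, PasswordLastSet, LastLogonDate,
            @{ Name = 'PasswordAgeDays'
               Expression = { [int]($now - $_.PasswordLastSet).TotalDays } } |
        Sort-Object PasswordAgeDays -Descending
}

# Usage (the OU below is a constructed placeholder):
# Get-StaleMachinePassword -SearchBase 'OU=VirtualDesktops,DC=example,DC=com'
```

Accounts that show a recent `LastLogonDate` together with a large `PasswordAgeDays` are the ones running with password changes disabled or reverted to an old image.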


2 responses for "The Danger of Machine Account Password Changes"

Actually, I do not agree that machine account password changes should be disabled by default in virtualized environments (as your blog article states).
This is a huge security risk as it opens the door to an untrusted machine account spoofing a trusted machine account and reduces the overall security of the entire enterprise.

There are situations where these changes fit and there are situations where these changes do not fit.

In a previous life I did IT for a financial institution. We had IT audits once each year and that included hacking audits (both physical, social, and security) - it is very humbling to have a white hat hacker from an auditing company go through and compromise your environment. And it is a far bigger learning experience to remediate after such an audit.

Disabling machine account password changes has its place. And it works really well in test and development environments. However, in the enterprise it is a totally different issue and should be considered for both its positive and negative impacts - and on an enterprise by enterprise basis.

Consciously reducing the security of your enterprise is a very serious thing that needs proper consideration.

BrianEh: That's great that you argue against doing this, but you never mention your own solution. I wouldn't even bother spoofing a computer account, especially if you can use NTLM passthrough.

About the author

Nicholas Dille

Blogs about Centralized computing, virtualization and performance monitoring
