How can I determine which computer accounts haven't had their passwords changed?
February 26, 2006
A. By default, computers have a password (which is originally the name of the computer account!) that's changed every 30 days. If a computer's password isn't changed (e.g., it's been offline), then 60 days after its last password change the computer account won't be able to authenticate to the domain until its password is reset.
You can check for computers that haven't changed their password for more than 60 days (and could therefore be considered "stale") using the dsquery command on Windows Server 2003 and later systems. Here's a sample command execution and output:
C:\>dsquery computer -stalepwd 60
"CN=THANOS,CN=Computers,DC=savilltech,DC=com"
"CN=WKSSAVD810,CN=Computers,DC=savilltech,DC=com"
"CN=KEVINLITTLE,CN=Computers,DC=savilltech,DC=com"
"CN=SAVDALWKS02,CN=Computers,DC=savilltech,DC=com"
"CN=SAVDALMOM01,CN=Computers,DC=savilltech,DC=com"
This output shows I have five machines that haven't changed their passwords for more than 60 days and are therefore unable to connect to the domain.
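The same 60-day check can be scripted so that each stale account is reported with its actual password age. The PowerShell below is an added example, not part of the original answer: the function name Get-StaleComputerPassword and the sample accounts are hypothetical, and it assumes password age is read from the pwdLastSet attribute (a Windows FILETIME value).

```powershell
# Added example: report computer accounts whose pwdLastSet is older than N days.
function Get-StaleComputerPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Computer,                    # needs DistinguishedName and pwdLastSet
        [int]$Days = 60,                        # same threshold as -stalepwd 60
        [datetime]$Now = [datetime]::UtcNow
    )
    begin { $cutoff = $Now.AddDays(-$Days) }
    process {
        # pwdLastSet is a 64-bit FILETIME: 100 ns ticks since 1601-01-01 UTC.
        $raw = [int64]$Computer.pwdLastSet
        if ($raw -eq 0) {
            # 0 (or missing) means no password change is recorded; report it as stale.
            $lastSet = $null
            $age     = $null
        } else {
            $lastSet = [datetime]::FromFileTimeUtc($raw)
            $age     = [int][math]::Floor(($Now - $lastSet).TotalDays)
        }
        if ($null -eq $lastSet -or $lastSet -lt $cutoff) {
            [pscustomobject]@{
                DistinguishedName  = $Computer.DistinguishedName
                PasswordLastSetUtc = $lastSet
                AgeDays            = $age
            }
        }
    }
}

# Constructed sample input so the function can be tried without a domain.
$now = [datetime]::UtcNow
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'CN=EXAMPLE-WKS01,CN=Computers,DC=example,DC=com'
                       pwdLastSet = $now.AddDays(-12).ToFileTimeUtc() }   # recent, not reported
    [pscustomobject]@{ DistinguishedName = 'CN=EXAMPLE-WKS02,CN=Computers,DC=example,DC=com'
                       pwdLastSet = $now.AddDays(-95).ToFileTimeUtc() }   # stale
    [pscustomobject]@{ DistinguishedName = 'CN=EXAMPLE-SRV01,CN=Computers,DC=example,DC=com'
                       pwdLastSet = 0 }                                   # never recorded
)
$sample | Get-StaleComputerPassword -Days 60 -Now $now | Format-Table -AutoSize

# Against a real domain (requires the ActiveDirectory module):
# Get-ADComputer -Filter * -Properties pwdLastSet | Get-StaleComputerPassword -Days 60
```

Review the reported accounts before resetting or disabling them, since a machine that has simply been offline appears the same as one that has been retired.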