Disabled computer accounts change their password

Last Post 04 September 2015
K3llybush posted this 02 September 2015

I’m working with a customer and I’m building their processes in AD, and one of those processes is stale object removal.  They’ve been rolling through a project to do an XP upgrade and the majority of the Win7 machines are getting put out new.  That being said, the XP machines just get yanked.  In going through my steps, I try to limit the disruption as best I can.  I check the passwordlastset and narrow down my list.  After that I make connection attempts to the machines to make sure they’re not up.  After all this I’ve got my subset of computer accounts to disable.  The day/night of the change I do the process all over again just to make sure I didn’t overlook something.
So here is my scenario:
I have now 500ish computer objects sitting in a stale holding OU that have been disabled since August 7th.  Out of 515 computers I disabled, I’ve had 3 machines that I’ve needed to re-enable for their users.  What I’m noticing, after poring over more data, is that Computer001 has been disabled for almost a month now, and when I go back and run my report on all XP machines in AD again, I now find that Computer001 changed its password on 8/24/2015 17:57.  Keep in mind Computer001 is disabled and has been since August 7th.  What’s about to happen is a user is going to call in, in the next week or so, and say they can’t log into Computer001.
What is going on here?
I know computer account passwords never expire, but I would have expected users to NOT be able to log onto computers whose accounts have been disabled.  Furthermore, I would have expected that users would not only have issues logging in but would not be able to work for a week, as they did with the last 3 cases.  After that they then all of a sudden have issues some random day logging in with no warning.  The whole time the computer they are working on has had its account disabled for at least 2 weeks.
Thoughts?
Windows XP machines, 2003 Domain, All 2003 DCs
Thanks,
Kelly Bush

skitzsofrenick posted this 02 September 2015

Actually they do expire. By enabling the workstation it starts talking again and updates. I have seen issues where users were able to still log in due to cached credentials because the security between ADDS and the workstation was corrupt.


https://technet.microsoft.com/en-us/library/jj852252.aspx


barkills posted this 02 September 2015

Might you delete the computer objects and rely on AD recycle bin for cases where you need to recover the computer account?


K3llybush posted this 02 September 2015

2003 Domains do not have AD recycle bin.  Best practice is to disable objects before you delete them in 2003.
Thanks,
Kelly Bush


skitzsofrenick posted this 02 September 2015

Unfortunately the Recycle Bin is not available on 2003. 

L


slavickp posted this 02 September 2015

How do you populate the stale computers OU? I think you possibly have a criterion that allows active computers to be incorrectly marked as stale, e.g. less than 60 days since last password change.
Regards
Slav
MCM-DS


K3llybush posted this 03 September 2015

You can't do a password never expires on a computer account, at least not for a single computer account in a 2003 domain.  There may be some hack via an ADSI edit trick, but that would be, hopefully, beyond the scope of the admins and what they are willing to do.  For whatever reason the only data I don't have is the lastlogon.  I've since started pulling that and I'm going to double back and check what I uploaded to the CR just to make sure I didn't capture it the first time, sometime tomorrow.
Aaron C,
Machine account passwords don't expire.  They have a maximum password age setting in AD, yes, but they don't expire out like a user account does.  The machine will initiate the password change to AD if it realizes that its password is beyond the mark.  If a machine has been sitting in a closet for 6 months and you put it back on the network and the computer account is still there, it will reach out to AD and change the password because they both still have the same pwd value.
So, the only thing I can think of is that the machines truly have been sitting off the network for a metric butt load of time and someone is turning them back on for whatever reason.  The only thing that I can't wrap my head around is that the password is getting changed when they turn the machine back on regardless of the state of the computer object in AD, meaning even if it's disabled.
And honestly, I don't know how I'm going to test this because I don't know if I can wait a month to run a wireshark cap on both ends of the chain and see what the packets and process monitors are telling me.  I may have to lab it up and see if I can reduce the time.
Please keep any and all suggestions coming, it keeps the wheels turning.
Thanks,
Kelly Bush

-------- Original Message --------
Subject: RE: [ActiveDir] [ActiveDir] Disabled computer accounts change their password
From: "Coleman, Hunter" <hcoleman@xxxxxxxxxxxxxxxx>
Date: Wed, September 02, 2015 4:52 pm
To: "activedir@xxxxxxxxxxxxxxxx" <activedir@xxxxxxxxxxxxxxxx>

Any chance that these computer objects have “Password Never Expires” set? Maybe in addition to filtering on pwdLastSet, also look at lastLogonTimeStamp.

From: activedir-owner@xxxxxxxxxxxxxxxx [mailto:activedir-owner@xxxxxxxxxxxxxxxx] On Behalf Of kelly@xxxxxxxxxxxxxxxx
Sent: Wednesday, September 2, 2015 3:24 PM
To: activedir@xxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] [ActiveDir] Disabled computer accounts change their password

LDAP Query for any computer object that contains Operating System starts with Windows XP*
Take the list from above and run it through a PS script to get attribute data, filter that list based on passwordlastset
If password is newer than 60 days remove from list
Ping computer
If computer pings remove from list
Submit CR to disable computers
Run through the above process again to see if anything magically came back alive the day/night of the change
Move and disable computer account via PS

---------------------

For example:
On July 23rd, 2015 I ran a script to capture a lot of this data; Computer-002 came back with a password last changed on Feb 15, 2015.  Computer-002 was put in the list of computers that was considered stale.  You couldn't connect to it, its password was stale, by all means it was gone from the network in our perspective.  On August 7th, 2015 I had a CR to move and disable this account; before I did this I ran through my process again.  The computer was still dead.  On August 7th, 2015 around 0300 CST the account was moved and disabled in the stale holding OU.  The computer account sat there for over 2 weeks disabled.  On August 18th, 2015 at 1136 hours the password was updated.  When I ran a PS query the Enabled data showed false, so it was still disabled.

The email I got from the service desk, after I told them all the above, read like this:

Date 8/26/2015 1300 hours
That's odd because Alfonso was logged into the PC all morning today.

Keep in mind the dates.  The user didn't have a problem until 8/26/15 and was logged in that morning to a computer that was disabled and replicated through AD.
It wasn't until that afternoon the user wasn't able to get back in.

Thanks,
Kelly Bush

jeremyts posted this 03 September 2015

Generally speaking, if a computer hasn’t changed its password in more than 90 days, you should consider it stale.

Even in your scenario where a machine has been stored for a lengthy period of time, it would then typically be re-imaged/refreshed before putting it back on the network. I wouldn’t assume that it should be reconnecting to an existing object. That wouldn’t be a great practice.

I go for 2 values ANDed together:

pwdlastset is greater than 90 days ago
AND
lastlogontimestamp is greater than 30 days ago

If these are both true, your object is more than likely to be stale.

There’s always going to be the odd machine that doesn’t fall into this, but I find it works well for me, especially workstations.

Ping is not always a valid test due to local and internal firewalls. Also, if DNS Scavenging is not correct, you could actually be pinging a completely different machine without realising it.

Cheers,

Jeremy
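Jeremy's two ANDed tests applied to Kelly's "operatingSystem starts with Windows XP" population, as an added PowerShell example that is neither poster's script. It talks to the directory through System.DirectoryServices so it runs against a 2003 domain without the ActiveDirectory module; the 90/30-day defaults, the exclusion of already-disabled objects and the ping-as-a-flag handling are my assumptions.

```powershell
# Added example, not the original poster's script: Jeremy's two ANDed staleness
# tests over Kelly's Windows XP computer objects, via ADSI/DirectorySearcher so no
# ActiveDirectory module or ADWS is needed on a 2003 domain. Thresholds and the
# output shape are my assumptions.
param(
    [int]$PwdAgeDays   = 90,   # pwdLastSet older than this (Jeremy's first test)
    [int]$LogonAgeDays = 30,   # lastLogonTimestamp older than this (second test)
    [string]$SearchBase = ([ADSI]"LDAP://RootDSE").defaultNamingContext
)

# Both attributes are FILETIME values (100 ns ticks since 1601-01-01 UTC), so the
# cutoff dates are converted to that form and the comparison is done server-side.
$pwdCutoff   = (Get-Date).AddDays(-$PwdAgeDays).ToFileTimeUtc()
$logonCutoff = (Get-Date).AddDays(-$LogonAgeDays).ToFileTimeUtc()

# AND of the two tests. lastLogonTimestamp replicates only every ~14 days and is absent
# when no logon was recorded since the domain reached 2003 functional level, so a
# missing value counts as "old" instead of silently excluding the object. Objects
# already disabled (userAccountControl bit 0x2) are skipped so the holding OU is not
# re-reported.
$filter = '(&(objectCategory=computer)(operatingSystem=Windows XP*)' +
          '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
          "(pwdLastSet<=$pwdCutoff)" +
          "(|(lastLogonTimestamp<=$logonCutoff)(!(lastLogonTimestamp=*))))"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
$searcher.Filter     = $filter
$searcher.PageSize   = 1000      # paged search; the population here is ~500 objects
[void]$searcher.PropertiesToLoad.AddRange(
    [string[]]('name','dNSHostName','pwdLastSet','lastLogonTimestamp','distinguishedName'))

function ConvertFrom-FileTime($v) {
    # DirectorySearcher returns LargeInteger attributes as Int64; 0 means "never set".
    if (-not $v -or $v.Count -eq 0 -or [int64]$v[0] -eq 0) { return $null }
    [DateTime]::FromFileTimeUtc([int64]$v[0])
}

$stale = foreach ($r in $searcher.FindAll()) {
    $p = $r.Properties                       # property keys come back lower-cased
    $fqdn = if ($p['dnshostname'].Count) { [string]$p['dnshostname'][0] } else { $null }
    [pscustomobject]@{
        Name               = [string]$p['name'][0]
        DistinguishedName  = [string]$p['distinguishedname'][0]
        PwdLastSet         = ConvertFrom-FileTime $p['pwdlastset']
        LastLogonTimestamp = ConvertFrom-FileTime $p['lastlogontimestamp']
        # Kelly's reachability check. Per Jeremy's caveat (firewalls, un-scavenged DNS)
        # a reply only flags the row for a human look; it does not drop it from the list.
        AnswersPing        = [bool]($fqdn -and
            (Test-Connection -ComputerName $fqdn -Count 1 -Quiet -ErrorAction SilentlyContinue))
    }
}

# Rows with AnswersPing = True need review before the change request to disable them.
$stale | Sort-Object PwdLastSet |
    Format-Table Name, PwdLastSet, LastLogonTimestamp, AnswersPing -AutoSize
$stale | Export-Csv -NoTypeInformation -Path '.\stale-xp-candidates.csv'
```

Run it once to build the list and again the night of the change, as Kelly's process does, and diff the two CSVs for anything that "came back alive".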


barkills posted this 03 September 2015

> The only thing that I can't wrap my head around is that the password is getting changed when they turn the machine back on regardless of the state of the computer object in AD, meaning even if it's disabled.

[BA] I don’t know what the expected password change behavior is for a computer with a disabled account. If I wrote the code here, I think I’d want a computer with a disabled computer account to still be able to update its password, but not do any other activities. You keep the account password current, but don’t allow the computer to do anything else. So I’m not bothered by what you seem to be observing. ;)

kevinrjames posted this 04 September 2015

No matter how I tried, I could not get a disabled computer account to update a machine account password. A nice discussion of the process is described here and implies that the computer must be able to logon (and therefore be enabled) in order to change the password. http://blogs.technet.com/b/askds/archive/2009/02/15/test2.aspx

There’s also the case that something else might be causing the computer object's password to be set. Specifically, ‘resetting’ the security channel on a disabled object will do it. https://support.microsoft.com/en-us/kb/216393

/kj


ZJORZ posted this 04 September 2015

Agreed. To change your password (users and computers), you must be able to authenticate using your previous password, and after that successful event you can provide your new password. It would be really weird if you would be able to update a password without any form of authentication.

Have you checked the metadata of those objects to see WHEN (you already know that) and WHERE (which DC) the password was updated? Then check the security logs of the originating DC (hopefully your DC still has not rolled over the events).

Have you also checked the permissions of those objects to see who/what potentially could have updated the password?

Kind regards,
Jorge de Almeida Pinto
JorgeDeAlmeidaPinto@xxxxxxxxxxxxxxxx
+31 (0)6 26.26.62.80
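Jorge's WHEN/WHERE check, as an added PowerShell example that is neither his nor Kelly's code: it reads the replication metadata of pwdLastSet and userAccountControl for one computer object through System.DirectoryServices.ActiveDirectory, then pulls the account-management events around that moment from the originating DC's Security log. The computer-name parameter, the Windows Server 2003 event IDs and the search window are my assumptions.

```powershell
# Added example, not Jorge's or Kelly's code: for one computer object, report which DC
# last wrote pwdLastSet and when, whether that came after the userAccountControl
# (disable) write, and list the matching Security events on that DC.
# The 2003-era event IDs and the default window are my assumptions.
param(
    [Parameter(Mandatory = $true)][string]$ComputerName,   # e.g. Computer001, no trailing $
    [int]$WindowHours = 4    # widen if the DC's time zone offset exceeds this
)
Add-Type -AssemblyName System.DirectoryServices

# Resolve the object's DN; a computer's sAMAccountName is its name plus a trailing $.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
[void]$searcher.PropertiesToLoad.Add('distinguishedName')
$hit = $searcher.FindOne()
if (-not $hit) { throw "No computer object with sAMAccountName $ComputerName`$" }
$dn = [string]$hit.Properties['distinguishedname'][0]

# Per-attribute replication metadata, readable from any DC: OriginatingServer is the DC
# that took the write, LastOriginatingChangeTime is when, Version bumps once per write.
$ctx  = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain')
$dc   = [System.DirectoryServices.ActiveDirectory.DomainController]::FindOne($ctx)
$meta = $dc.GetReplicationMetadata($dn)
$pwdMeta = $meta['pwdLastSet']
$uacMeta = $meta['userAccountControl']

$summary = [pscustomobject]@{
    Computer           = $ComputerName
    PwdLastSetChanged  = $pwdMeta.LastOriginatingChangeTime
    PwdLastSetVersion  = $pwdMeta.Version
    OriginatingDC      = $pwdMeta.OriginatingServer
    UacChanged         = $uacMeta.LastOriginatingChangeTime
    # True means the password write landed after the last userAccountControl write,
    # i.e. after the object was disabled (Kelly's Computer-002 timeline).
    PwdChangedAfterUac = ($pwdMeta.LastOriginatingChangeTime -gt $uacMeta.LastOriginatingChangeTime)
}
$summary | Format-List

# Security log on the originating DC, +/- $WindowHours around the write.
# Windows Server 2003 IDs: 627 change password attempt (the account knew the old
# password), 628 password set (a reset, e.g. the secure-channel reset from the KB
# article in the previous post), 646 computer account changed.
$ids    = 627, 628, 646
$after  = $pwdMeta.LastOriginatingChangeTime.AddHours(-$WindowHours)
$before = $pwdMeta.LastOriginatingChangeTime.AddHours($WindowHours)
$events = Get-EventLog -LogName Security -ComputerName $pwdMeta.OriginatingServer `
              -After $after -Before $before -ErrorAction Stop |
          Where-Object { $ids -contains $_.EventID -and
                         $_.Message -match [regex]::Escape("$ComputerName`$") }
$events | Select-Object TimeGenerated, EventID,
              @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
          Format-Table -Wrap
```

A 627 near the metadata timestamp means the machine itself authenticated with its old password and rolled it; a 628 with a different subject account points at someone resetting the object rather than the workstation coming back.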
