This question follows an audit on my AD where Windows servers with very old PasswordLastSet attributes have been discovered.
I'm familiar with using the Pwd-last-set attribute in order to check when an AD user has last changed his password. But what does this attribute mean when talking about a computer-type object like a laptop or a Windows server?
The Microsoft documentation states it is "The date and time that the password for this account was last changed". I don't think this means the local administrator of the computer, since I've clearly not changed mine at the date my Pwd-last-set attribute indicates.
Finally, if it isn't the local administrator nor my account, how can I set a new password that will refresh the attribute?
EDIT
So the password is actually the Machine Account password used for communication between the computer/server and the DC.
It's supposed to be renewed every 30 days on default Windows settings through the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
I still don't have a way to easily force the renewal of this password but found some leads:
- Set the MaximumPasswordAge in the registry to a low number and restart the machine
- Use the "Reset Account" option when right-clicking the object in Active Directory -> What are the consequences for a server?
- Use the Reset-ComputerMachinePassword PowerShell command -> What are the consequences for a server?
question from:
https://stackoverflow.com/questions/66050169/ad-what-is-the-meaning-of-the-pwd-last-set-attribute-for-a-windows-server
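An added example, not part of the original question: a read-only PowerShell audit that lists computer accounts with an old machine account password and, on a single server, shows the Netlogon settings that govern rotation. It assumes Windows PowerShell 5.1 with the ActiveDirectory (RSAT) module; the `$StaleDays` threshold of 60 is an assumed value, not one from the post.

```powershell
# Added example: read-only checks, nothing is modified.
# Assumption: 60 days = twice the 30-day default, to tolerate machines that were offline.
$StaleDays = 60
$cutoff    = (Get-Date).AddDays(-$StaleDays)

# --- Part 1: domain-wide, run from a host with the ActiveDirectory module ---
Import-Module ActiveDirectory

Get-ADComputer -Filter 'Enabled -eq $true' `
        -Properties PasswordLastSet, LastLogonDate, OperatingSystem |
    # Skip accounts with no PasswordLastSet value (null would break the age math).
    Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff } |
    Select-Object Name, OperatingSystem, PasswordLastSet, LastLogonDate,
        @{ Name = 'PasswordAgeDays'
           Expression = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } } |
    Sort-Object PasswordAgeDays -Descending |
    Format-Table -AutoSize

# Reading the result:
#   old PasswordLastSet + recent LastLogonDate -> machine is alive but not rotating
#   old PasswordLastSet + old LastLogonDate    -> machine is likely offline or abandoned

# --- Part 2: local, run on one of the servers flagged above ---
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$p   = Get-ItemProperty -Path $key

[pscustomobject]@{
    Computer              = $env:COMPUTERNAME
    MaximumPasswordAge    = $p.MaximumPasswordAge      # in days, 30 by default
    DisablePasswordChange = $p.DisablePasswordChange   # 1 = rotation is switched off
    # Returns $true when the machine's stored password still matches the domain's copy.
    SecureChannelHealthy  = Test-ComputerSecureChannel
}
```

A flagged server with `DisablePasswordChange` set to 1 explains a stale attribute without any fault in the secure channel; `Test-ComputerSecureChannel` is not available in PowerShell 7, hence the 5.1 assumption.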