![]() ![]() For instance, if an AD computer account has a password age older than 180 days, then it can be flagged as a stale record.įor large companies, due diligence needs to be performed and the reasonable threshold needs to be determined accordingly. ![]() We simply need to query the password age of all computers and return those records where the age is greater than a pre-determined, reasonable threshold. This is a very interesting fact as it allows us to detect stale computer records. By default, computers change their passwords every 30 days (see: the Microsoft blog on Machine Account Password Process here). Solution ConceptĪn Active Directory Computer account is associated with a password and although this operation is transparent to us humans, computers also login to the Active Directory domain and change their password on a regular basis. This article explains one method which can be regularly used to detect and remove these stale computer records from Active Directory. Maintaining a valid and current set of AD accounts is particularly important in preventing security compliance issues. ![]() Eventually, Active Directory becomes polluted with stale computer accounts that are no longer associated with an existing computer. These actions create disconnections between the physical network objects and their Active Directory counterparts. As organizations shift and change, it is common for new computers to be put into operation, old computers to be decommissioned, or existing computers to be renamed labs and training centers are built one day and retired another day. Over time, this growth can easily get out of control if some effort is not put into maintaining a healthy set of Active Directory records. Share This is a How-To article on using Goverlan to detect and quarantine stale Active Directory computer records.Īs your organization grows, your IT infrastructure follows. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |