VMware Cloud Community
jeremyts
Contributor

ESX Computer Object in Active Directory - pwdLastSet and lastLogon timestamps

Hi,

I’m trying to determine the regularity of account password changes and logons of ESX hosts when joined to Active Directory.

The Active Directory attributes I’m referring to here are the pwdLastSet and lastLogon timestamps.

Will the ESX host regularly change the password and therefore update the timestamp?

Does a process run on the host to trigger a regular logon event to Active Directory and therefore update the lastLogon timestamp?

Would appreciate a point in the right direction to documentation.

Cheers,

Jeremy

Accepted Solutions
bspagna89
Hot Shot

Hi,

I believe this is governed by your GPO settings on how often machine accounts change their passwords. If your firm has not changed this setting (GPO_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options - Domain member: Maximum machine account password age) then it should be 30 days by default. Your ESX host should comply with this setting.

If you'd like to check, here's how:

1. Enable SSH on one of the hosts joined to the domain (vCenter -> Configuration Tab -> Security Profile -> Properties (Above services) -> Start SSH).

2. Type "cat /etc/likewise/lsassd.conf" (WITHOUT the quotes)

That should return a large output, but you will need to scroll up and find where it says:

    # Machine password expiration lifespan
    # Default: 30d
    # Minimum: 1h
    # Maximum: 60d
    machine-password-lifespan = 30d

Hope this helps.

New blog - https://virtualizeme.org/
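
Added example, not part of the original thread and not VMware or Likewise code: a Python sketch that reads machine-password-lifespan from the lsassd.conf excerpt above, converts raw pwdLastSet values (Windows FILETIME) to dates, and lists computer objects whose password is older than the configured lifespan. The host names, timestamp values and the fixed "now" are constructed samples, and the 's' and 'm' unit suffixes are an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the lsassd.conf excerpt quoted in the answer above.
SAMPLE_CONF = """\
    # Machine password expiration lifespan
    # Default: 30d
    # Minimum: 1h
    # Maximum: 60d
    machine-password-lifespan = 30d
"""
# Constructed sample: hypothetical computer objects -> raw pwdLastSet values.
SAMPLE_ACCOUNTS = {
    "esx01$": 133485408000000000,  # 2024-01-01 00:00 UTC
    "esx02$": 133524288000000000,  # 2024-02-15 00:00 UTC
    "esx03$": 0,                   # no timestamp recorded
}
# AD stores pwdLastSet/lastLogon as 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# 'h' and 'd' suffixes appear on the page; 's' and 'm' are assumed.
UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}

def parse_lifespan(conf_text):
    """Return machine-password-lifespan as a timedelta, ignoring comments."""
    for line in conf_text.splitlines():
        m = re.fullmatch(r"machine-password-lifespan\s*=\s*(\d+)([smhd])",
                         line.strip())
        if m:
            return timedelta(**{UNITS[m.group(2)]: int(m.group(1))})
    raise ValueError("machine-password-lifespan is not set")

def filetime_to_datetime(ticks):
    """Convert a raw AD timestamp to an aware UTC datetime (None if 0)."""
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def overdue_hosts(accounts, lifespan, now):
    """Computer objects whose password is older than the configured lifespan."""
    stale = []
    for name, pwd_last_set in accounts.items():
        changed = filetime_to_datetime(pwd_last_set)
        if changed is None or now - changed > lifespan:
            stale.append(name)
    return sorted(stale)

if __name__ == "__main__":
    now = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed "now" for the sample
    print(overdue_hosts(SAMPLE_ACCOUNTS, parse_lifespan(SAMPLE_CONF), now))
```

A host that shows up as overdue has either stopped rotating its machine password or is no longer talking to the domain, so it is worth checking before the computer object is treated as stale and cleaned up.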

jeremyts
Contributor

Thanks @bspagna89. The information you posted about the lsassd.conf was extremely helpful! I guess in hindsight it should have been obvious given that the ESX hosts use the Likewise Identity Service.

I've still been unable to confirm when/how the lastLogon timestamp is updated. Maybe that's a question for the Likewise forum over at BeyondTrust.

Appreciate you taking the time to respond.

Cheers,
Jeremy
