Hi,
I’m trying to determine the regularity of account password changes and logons of ESX hosts when joined to Active Directory.
The Active Directory attributes I’m referring to here are the pwdLastSet and lastLogon timestamps.
Will the ESX host regularly change the password and therefore update the timestamp?
Does a process run on the host to trigger a regular logon event to Active Directory and therefore update the lastLogon timestamp?
Would appreciate a point in the right direction to documentation.
Cheers,
Jeremy
Hi,
I believe this is governed by your GPO settings on how often machine accounts change their passwords. If your firm has not changed this setting (GPO_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options - Domain member: Maximum machine account password age) then it should be 30 days by default. Your ESX host should comply with this setting.
If you'd like to check, here's how:
1. Enable SSH on one of the hosts joined to the domain (vCenter -> Configuration Tab -> Security Profile -> Properties (Above services) -> Start SSH).
2. Type "cat /etc/likewise/lsassd.conf" (WITHOUT ")
That should return a large output but you will need to scroll up and find where it says:
# Machine password expiration lifespan
# Default: 30d
# Minimum: 1h
# Maximum: 60d
machine-password-lifespan = 30d
Hope this helps.
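Added example, not part of the original posts: a Python check that reads the machine-password-lifespan setting shown in the answer above and compares a computer account's pwdLastSet value against it, to spot hosts whose password change is overdue. The function names, the grace parameter and the sample pwdLastSet value are assumptions made for illustration; only the "h" and "d" suffixes visible in the excerpt are parsed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the lsassd.conf excerpt quoted in the answer above.
SAMPLE_CONF = """\
# Machine password expiration lifespan
# Default: 30d
# Minimum: 1h
# Maximum: 60d
machine-password-lifespan = 30d
"""

# Assumption: only the "h" and "d" suffixes seen in the excerpt are accepted.
UNIT_SECONDS = {"h": 3600, "d": 86400}
AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SETTING = re.compile(r"machine-password-lifespan\s*=\s*(\d+)\s*([hd])")


def parse_lifespan(conf_text):
    """Return the configured lifespan as a timedelta, or None if not set."""
    for raw in conf_text.splitlines():
        match = SETTING.fullmatch(raw.split("#", 1)[0].strip())
        if match:
            return timedelta(seconds=int(match.group(1)) * UNIT_SECONDS[match.group(2)])
    return None


def ad_timestamp_to_datetime(ticks):
    """pwdLastSet/lastLogon count 100 ns ticks since 1601-01-01 UTC; 0 = not set."""
    if int(ticks) == 0:
        return None
    return AD_EPOCH + timedelta(microseconds=int(ticks) // 10)


def password_status(pwd_last_set, lifespan, now, grace=timedelta(days=1)):
    """Classify a machine account as 'never-set', 'current' or 'overdue'.

    grace is a hypothetical allowance for a host that was powered off or
    unreachable when the change fell due.
    """
    changed = ad_timestamp_to_datetime(pwd_last_set)
    if changed is None:
        return "never-set"
    return "overdue" if now - changed > lifespan + grace else "current"


if __name__ == "__main__":
    lifespan = parse_lifespan(SAMPLE_CONF)
    # Constructed pwdLastSet value (2024-01-01 00:00:00 UTC).
    print(lifespan, password_status(133485408000000000, lifespan,
                                    datetime.now(timezone.utc)))
```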
Thanks @bspagna89. The information you posted about the lsassd.conf was extremely helpful! I guess in hindsight it should have been obvious given that the ESX hosts use the Likewise Identity Service.
I've still been unable to confirm when/how the lastLogon timestamp is updated. Maybe that's a question for the Likewise forum over at Beyond Trust.
Appreciate you taking the time to respond.
Cheers,
Jeremy