Computer Accounts expire after 30 days?

#1  Senior Member (joined Jan 2009, 297 posts; certifications: A+, Network+, MCSE 2003, CCNA:S, VCP 4)

Can anyone confirm this: While learning PKI, I was told that it's best practice to NOT make your root CA an Enterprise CA. Because you would be taking it offline for security reasons, then after 30 days the computer account would expire. The next time you power it on you would have to reset its account in AD, then remove and re-add it to the domain. Is this true?

The reason I'm asking is that we are issuing laptops to almost all our staff, so if they take them on vacation and don't log in at the office for 30 days, will their computer accounts be expired?

#2  Claymoore, "Nidhoggr, the Net Serpent" (joined Nov 2007, FL, 1,622 posts; certifications: AWS Architect, MCSEx3, MCITPx6, MCTSx17)
    This article should help clear things up:

    Ask the Directory Services Team : Machine Account Password Process

    So, as I understand it, if the machine is OFF for more than 30 days nothing happens because the password change is initiated by the client computer - not active directory. If the machine were ON but not connected to the network for 30 days, the client would reset its password but not update AD and then would not be able to authenticate later.

    Since the server would be turned off, there would be no problems.

    Since your laptops would be on but not connected, there would be an issue. You can change the 30 day value to something much higher via Group Policy, however. Consult the above article for the settings.

If you use a standalone CA rather than an Enterprise CA, you can't use the autoenrollment features necessary for features like NAP.
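The thread's question is whether an account is still usable after the 30-day interval passes. The PowerShell below is an added example, not code from this thread or from the linked article; it reads the Netlogon registry values that the "Domain member" Group Policy settings write, tests the local secure channel, and lists computer accounts in the directory whose password is older than that interval. It assumes the ActiveDirectory RSAT module and an elevated session on a domain-joined machine.

```powershell
# Added example (not from the thread). Assumes RSAT ActiveDirectory module and
# an elevated prompt on a domain-joined workstation.
Import-Module ActiveDirectory

# Netlogon parameters: MaximumPasswordAge (days, default 30) and
# DisablePasswordChange (1 = client never rotates its password). These are the
# values behind "Domain member: Maximum machine account password age" and
# "Domain member: Disable machine account password changes" in Group Policy.
$nl = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$maxAgeDays = if ($nl.MaximumPasswordAge) { [int]$nl.MaximumPasswordAge } else { 30 }
"Netlogon MaximumPasswordAge: $maxAgeDays day(s); DisablePasswordChange: $($nl.DisablePasswordChange)"

# Verification only: $false means the password this client holds no longer
# matches the computer account in AD (the "has to be rejoined" symptom).
# Reset-ComputerMachinePassword repairs it without removing the computer
# from the domain.
if (-not (Test-ComputerSecureChannel)) {
    Write-Warning 'Secure channel is broken; run Reset-ComputerMachinePassword -Credential (Get-Credential)'
}

# Directory side: accounts whose password has not rotated within the interval
# (laptops that have been away, CAs kept offline). PasswordLastSet is the
# pwdLastSet attribute; an old value alone does not disable the account.
$cutoff = (Get-Date).AddDays(-$maxAgeDays)
Get-ADComputer -Filter * -Properties PasswordLastSet, LastLogonDate, Enabled |
    Where-Object { $_.PasswordLastSet -lt $cutoff } |
    Select-Object Name, PasswordLastSet, LastLogonDate, Enabled |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize
```

Run the directory query on a schedule and compare it against hardware inventory: a laptop that is on the list but still passes Test-ComputerSecureChannel when it returns has simply not rotated yet, which is the normal case the linked article describes.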

#3  Senior Member (joined Mar 2007, 12,308 posts)
    Do you have subordinate CAs? If you're just using your root to issue to some subordinates, make it a stand-alone and keep it offline. If you're a smaller organization and that's your own CA, just make it an enterprise and leave it online. The reason you take it offline is that if it gets compromised, you have to start from scratch.

    If you only use a small number of certificates, there's no point in having more than one CA. Why issue to a single subordinate CA and use that? You'd be in the exact same position had you been using your root CA. In either scenario, one CA getting compromised will compromise everything.

    Compare this to an organization that has a dozen CAs and tens of thousands of certificates. Having your root getting compromised in that situation will cause a much more significant problem than had it been offline and only one of the subordinate CAs been compromised (since only the certificates under that one would be affected).

#4  Senior Member (joined Jan 2009, 297 posts; certifications: A+, Network+, MCSE 2003, CCNA:S, VCP 4)
I'm not concerned about CAs at all. It was in learning them that I found the "machine account password expires in 30" thing. Since it would take me 30 days to test this in the lab, I was hoping someone may have thought of this situation before and tested it.

I have 200 teachers taking laptops home this summer; obviously they won't be logging into the school network for at least 30. So when they come back at the beginning of next school year, am I going to be resetting 200 domain computer accounts and removing and re-adding 200 laptops to the domain? Yikes!!

#5  Senior Member (joined Jan 2009, 297 posts; certifications: A+, Network+, MCSE 2003, CCNA:S, VCP 4)
    Quote Originally Posted by Claymoore:
    This article should help clear things up:

    Ask the Directory Services Team : Machine Account Password Process

    So, as I understand it, if the machine is OFF for more than 30 days nothing happens because the password change is initiated by the client computer - not active directory. If the machine were ON but not connected to the network for 30 days, the client would reset its password but not update AD and then would not be able to authenticate later.

    Since the server would be turned off, there would be no problems.

    Since your laptops would be on but not connected, there would be an issue. You can change the 30 day value to something much higher via Group Policy, however. Consult the above article for the settings.

    If you use a standalone CA rather than an Enterprise CA, you can't use the autoenrollment features necessary for features like NAP.

I believe your root CA can be stand alone, and then your subordinate CAs can then be Enterprise. You would keep your stand alone Root CA offline. The reason for making your root CA stand alone is so you can keep it offline and not worry about the domain account expiring.

#6  astorrs, "Drops by now and again" (joined May 2008, Vancouver, Canada, 3,141 posts; certifications: numerous certs from VMware, Citrix, Microsoft, EMC, Nimble Storage, Palo Alto Networks and more)
    Quote Originally Posted by rwwest7:
    I believe your root CA can be stand alone, and then your subordinate CAs can then be Enterprise. You would keep your stand alone Root CA offline. The reason for making your root CA stand alone is so you can keep it offline and not worry about the domain account expiring.

Actually the real problem is not the account expiring, it's if an Enterprise CA is offline the certificate chain cannot be verified - Windows expects them to be available - whereas a standalone CA is expected to be unavailable so that part of the chain is considered valid whether or not the machine can be contacted.

#7  royal, New Member (joined Jul 2006, Chicago, IL, 3,373 posts)
    Quote Originally Posted by astorrs:
    Actually the real problem is not the account expiring, it's if an Enterprise CA is offline the certificate chain cannot be verified - Windows expects them to be available - whereas a standalone CA is expected to be unavailable so that part of the chain is considered valid whether or not the machine can be contacted.

Well that and the other main reason being for security purposes so your root doesn't get hacked.

#8  astorrs, "Drops by now and again" (joined May 2008, Vancouver, Canada, 3,141 posts)
    LOL yes royal that too

#9  Senior Member (joined Jan 2009, 297 posts; certifications: A+, Network+, MCSE 2003, CCNA:S, VCP 4)
    Quote Originally Posted by astorrs:
    Actually the real problem is not the account expiring, it's if an Enterprise CA is offline the certificate chain cannot be verified - Windows expects them to be available - whereas a standalone CA is expected to be unavailable so that part of the chain is considered valid whether or not the machine can be contacted.

That sounds right. It's just that on the CBT Nuggets videos he said keeping an Enterprise CA offline for 30 days would make the computer's account expire. Maybe he was just wrong. I'm pretty sure I've had domain computers shut down for more than 30 days and then used them again with no problems.