This question follows an audit on my AD where Windows servers with very old PasswordLastSet attributes have been discovered.
I'm familiar with using the Pwd-last-set attribute in order to check when an AD user has last changed his password. But what does this attribute mean when talking about a computer-type object like a laptop or a Windows server?
The Microsoft documentation states it is "The date and time that the password for this account was last changed". I don't think this means the local administrator of the computer, since I've clearly not changed mine at the date my Pwd-last-set attribute indicates.
Finally, if it isn't the local administrator nor my account, how can I set a new password that will refresh the attribute?
EDIT: So the password is actually the Machine Account password used for communication between the computer/server and the DC. It's supposed to be renewed every 30 days on default Windows settings through the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
I still don't have a way to easily force the renewal of this password but found some leads:
- Set MaximumPasswordAge in the registry to a low number and restart the machine
- Use the "Reset Account" option when right-clicking the object in Active Directory -> What are the consequences for a server?
- Use the Reset-ComputerMachinePassword PowerShell command -> What are the consequences for a server?
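
An added example, not part of the original post: a PowerShell audit that lists computer objects with an old machine account password and reads the Netlogon settings that control rotation on a given machine. It assumes the ActiveDirectory (RSAT) module is installed; the 60-day threshold and the function name Get-MachinePasswordPolicy are illustrative choices, not values from the post.

```powershell
# Added example (not from the original post): audit machine account password age.
# Assumes the ActiveDirectory RSAT module; the threshold below is an assumption.
Import-Module ActiveDirectory

$StaleAfterDays = 60    # assumption: twice the 30-day default mentioned in the post
$cutoff = (Get-Date).AddDays(-$StaleAfterDays)

# Directory side: enabled computer objects whose PasswordLastSet is older than the cutoff.
# LastLogonDate helps tell the two cases apart:
#   old password + recent logon -> machine is alive but is not rotating its password
#   old password + old logon    -> candidate for a stale/decommissioned object
$stale = Get-ADComputer -Filter 'Enabled -eq $true' `
            -Properties PasswordLastSet, LastLogonDate, OperatingSystem |
    Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff } |
    Select-Object Name, OperatingSystem, PasswordLastSet, LastLogonDate,
        @{ n = 'PasswordAgeDays'; e = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } } |
    Sort-Object PasswordAgeDays -Descending

$stale | Format-Table -AutoSize

# Machine side: read the Netlogon parameters that govern rotation.
# Run locally (elevated) on a server flagged above.
function Get-MachinePasswordPolicy {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $p   = Get-ItemProperty -Path $key
    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        MaximumPasswordAge    = $p.MaximumPasswordAge       # in days
        DisablePasswordChange = $p.DisablePasswordChange    # 1 = rotation turned off
        SecureChannelHealthy  = Test-ComputerSecureChannel  # $true if trust with the DC is intact
    }
}

Get-MachinePasswordPolicy

# Optional, assuming WinRM is enabled on the targets: collect the same data remotely.
# Invoke-Command -ComputerName $stale.Name -ScriptBlock ${function:Get-MachinePasswordPolicy}
```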