I understand domain-joined computers have machine accounts in AD and these accounts have passwords that expire (apparently every 30 days by default) and those passwords are automatically changed without user intervention.
Given that this is known to cause issues when restoring snapshots of domain-joined virtual machines, is it possible to query the domain-joined computer or AD to determine when the machine account password is next scheduled to be changed?
Best Answer
It is possible to query the domain for this, the script below will tell you when a particular machine's domain password was last reset.
(I'd love to give credit for the above script but it's been handed around from person to person and modified in various ways, I have no idea where it originally came from)
Save this as something like MachinePasswordDate.vbs, doubleclicking the file in Windows should pop up a box you can put a machine name into, which should then query the domain and tell you when that machine's password was last changed.
If you're regularly restoring virtual machine snapshots it might be worth having a look at the security policies on those machines before you save off an image. You can change the machine password reset interval up to 999 days quite easily, assuming your domain GPOs won't override it, and your security policy allows this sort of thing:
Click Start, click Run, type Gpedit.msc, and then press ENTER.
Expand Local Computer Policy, Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then expand Security Options.
Configure the following settings:
Domain Member: Disable machine account password changes (Enabled)
Domain Member: Maximum machine account password age (999 days)
Domain Controller: Refuse machine account password changes (Enabled)