On Thu, Aug 26, 2021 at 8:11 PM Christian, Mark
<mark.christian(a)intel.com> wrote:
[W]hy bother with updating the machine account password?
For sites that have a lot of machine churn, where machine accounts
aren't reliably purged from AD when the underlying host is
decommissioned, disabling and/or purging machine accounts with old
passwords is essentially a garbage collection activity, to prevent
stale machine accounts from continuing to exist in AD in perpetuity.
Also, some sites must conform with security guidelines that *require*
frequent changes of machine account passwords:
https://www.stigviewer.com/stig/microsoft_windows_server_2016/2021-03-05/...
Granted, that STIG rule applies to Windows machine accounts, not Linux
machine accounts, but disabling any machine account in AD whose
password is older than 30 days is one way to detect any Windows
clients that are nonconforming with the STIG. And in many cases it's
easier to apply that rule globally than on a per-OU basis (to exempt
non-Windows machine accounts).
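An added example, not part of the thread: a PowerShell query that implements the garbage-collection check described above, listing enabled computer accounts whose password is older than the STIG's 30-day maximum and, only when asked, disabling them. It assumes the RSAT ActiveDirectory module, rights to read and disable computer objects, and that the OperatingSystem attribute is populated (the hypothetical -WindowsOnly switch uses it to exempt non-Windows accounts instead of splitting by OU).

```powershell
# Added example (not from the thread). Report, and optionally disable,
# AD computer accounts whose password has not changed within $MaxAgeDays.
param(
    [int]$MaxAgeDays = 30,                                       # STIG maximum machine account password age
    [string]$SearchBase = (Get-ADDomain).DistinguishedName,      # assumption: scan the whole domain
    [switch]$WindowsOnly,                                        # exempt non-Windows (e.g. Linux) accounts
    [switch]$Disable                                             # default is report-only
)
Import-Module ActiveDirectory

$now    = Get-Date
$cutoff = $now.AddDays(-$MaxAgeDays)
# pwdLastSet is stored as a Windows FILETIME (Int64); filtering on the raw
# attribute lets the DC do the comparison instead of pulling every object.
$cutoffFileTime = $cutoff.ToFileTime()

$stale = Get-ADComputer -SearchBase $SearchBase `
    -Filter "Enabled -eq 'True' -and pwdLastSet -lt $cutoffFileTime" `
    -Properties pwdLastSet, OperatingSystem, LastLogonDate

$report = foreach ($c in $stale) {
    $isWindows = $c.OperatingSystem -like 'Windows*'
    if ($WindowsOnly -and -not $isWindows) { continue }

    # pwdLastSet of 0 means the password was never set (or must be reset).
    $pwdAgeDays = if ($c.pwdLastSet -gt 0) {
        [int]($now - [DateTime]::FromFileTime($c.pwdLastSet)).TotalDays
    } else { $null }

    if ($Disable) {
        # Disabling (rather than deleting) keeps the object for forensic review
        # and lets a still-live host be re-enabled without a rejoin.
        Disable-ADAccount -Identity $c.DistinguishedName
    }

    [PSCustomObject]@{
        Name            = $c.Name
        OperatingSystem = $c.OperatingSystem
        PasswordAgeDays = $pwdAgeDays       # $null = never set
        LastLogonDate   = $c.LastLogonDate
        Action          = if ($Disable) { 'Disabled' } else { 'Report' }
    }
}

$report | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
```

Run it without -Disable first and compare LastLogonDate against PasswordAgeDays: a host that still logs on but never rotates its password is a nonconforming client, not a decommissioned one.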