4

After executing some queries using dsquery (dsquery computer domainroot -stalepwd), I was told this command connects to the available DC and for this reason the results might be untruthful because the DCs do not replicate computer account passwords.

After some research I wasn't able to understand if this is true or not, meaning: when I'm using the command "dsquery computer domainroot -stalepwd", would the result take into account all the DCs' information or only that of the one I'm connecting to by default?

Thanks in advance!

JFA

Greg Askew
jffalmeida

1 Answer

3

The command is accurate because it will search for computers whose password has not changed in the number of days that you specify. (By default, computers change their own passwords every 30 days as long as they're connected to the domain.)

Source

This information is replicated amongst domain controllers, in the pwdLastSet attribute, so assuming replication is healthy, it will be consistent throughout the domain. You will get the same answer no matter which DC you query.

According to MS-ADTS, pwdLastSet is urgently replicated.

Ryan Ries
  • Remember to take care if you have created computer accounts for non-Windows systems that do not change their password – Clayton Jul 22 '16 at 16:25
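
The replication claim in the answer can be checked directly by asking every DC for the same stale-password set and comparing what each one returns. This is an added example, not part of the original answer; it assumes the RSAT ActiveDirectory module and read access to the domain, and the 90-day threshold and variable names are illustrative.

```powershell
# Added example: compare the stale-password computer set as seen by each DC.
# Assumptions: RSAT ActiveDirectory module installed; $StaleDays is a sample value.
Import-Module ActiveDirectory

$StaleDays = 90
# pwdLastSet is stored as a FILETIME integer, so convert the cutoff date to one.
# Accounts with pwdLastSet = 0 (password never set) also match this filter.
$cutoff = (Get-Date).AddDays(-$StaleDays).ToFileTimeUtc()

$perDc = @{}
foreach ($dc in Get-ADDomainController -Filter *) {
    $set = [System.Collections.Generic.HashSet[string]]::new()
    try {
        Get-ADComputer -Server $dc.HostName -Filter "pwdLastSet -lt $cutoff" `
            -Properties pwdLastSet -ErrorAction Stop |
            ForEach-Object {
                # Key on DN plus the raw value so differing timestamps are detected too.
                [void]$set.Add(('{0}|{1}' -f $_.DistinguishedName, $_.pwdLastSet))
            }
        $perDc[$dc.HostName] = $set
    } catch {
        # An unreachable DC is reported, not silently treated as "no stale computers".
        Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
    }
}

$names = @($perDc.Keys | Sort-Object)
if ($names.Count -lt 2) {
    Write-Warning 'Fewer than two DCs answered; nothing to compare.'
    return
}

$reference = $names[0]
foreach ($name in ($names | Select-Object -Skip 1)) {
    # Symmetric difference: entries present on one DC but not on the other.
    $diff = [System.Collections.Generic.HashSet[string]]::new($perDc[$reference])
    $diff.SymmetricExceptWith($perDc[$name])
    if ($diff.Count -eq 0) {
        Write-Output "$name matches $reference ($($perDc[$name].Count) stale computers)"
    } else {
        Write-Output "$name differs from $reference in $($diff.Count) entries:"
        $diff | Sort-Object | ForEach-Object { "  $_" }
    }
}
```

A persistent difference between DCs points at a replication problem rather than at the query; accounts for non-Windows systems that never change their password will appear in every DC's list.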