What does the Expired Computers report do and how should it be used? (NETIQKB1275)

  • 7701275
  • 02-Feb-2007
  • 08-Sep-2008

Resolution

goal
What does the Expired Computers report do and how should it be used?

fact
Domain Migration Administrator 7.1

fix

In DMA, the 'Expired Computers' report helps you identify computer accounts that are likely to be expired because they have not synchronized their passwords recently.  The migration of computers is not dependent upon any of the information in this report.  The report simply provides the administrator with a tool to determine which computers may be inactive, and therefore may not be available when DMA sends out an agent when attempting to migrate that computer.

The 'Expired Computers' report will include any computer that has not synchronized its password with the domain in 30 days; in other words, any computer whose password age is greater than 30 days. Such a computer account is reported as expired, but this may not be a correct assumption. This report should be considered an educated guess at the machines that are no longer active in the domain. If a computer has not synchronized for more than 30 days, then it is likely that the computer is not online or has joined another domain.

This information should be used as an aid in determining whether an account is inactive. Note that the list may include non-expired computers. Therefore, this report should be used as one tool in the process of determining which computers in the domain are no longer valid, and not as an authoritative list of which computer accounts are inactive.

Windows 2000 and XP machines attempt to synchronize their computer passwords with a domain controller every 30 days by default, and an NT 4 machine will attempt to synchronize every 7 days. This is explained in Microsoft Knowledge Base article 175468.

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q175468

Note that there are some registry values on each computer that can be modified to change the default synchronization behavior. If the registry values listed below are modified, passwords are never re-synchronized and most computers will be listed as expired by the report, even though they technically have not expired.

On a workstation or member server, use Regedt32 to review the following registry key:

Key = HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
Value = DisablePasswordChange REG_DWORD 1

In this case, the password never expires, and DMA may include this computer in the report even though the password has not expired.

Also on a workstation or member server, use Regedt32 to determine if the following registry key is present:

Key = HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
Value = MaximumPasswordAge REG_DWORD

This value changes the default synchronization interval, which can result in computers being included in the report even though their passwords are not expired.

On a domain controller:
Check the machine's domain controller to see if the following key has been defined:

Key = HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
Value = RefusePasswordChange REG_DWORD 1
If the domain controller has this value set to 1, then the password will not be re-synchronized, and DMA may include this computer in the report even though the password has not expired.
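
The three registry checks above can be scripted rather than read by hand in Regedt32. The following PowerShell script is an added example, not part of the NetIQ article or of DMA; it reads the NetLogon values the article names and reports whether a machine's password age is a meaningful sign of inactivity. Run it on a workstation or member server for the first two values, and on a domain controller for RefusePasswordChange.

```powershell
# Added example (not from the NetIQ article): inspect the NetLogon parameters the article lists,
# so an administrator knows whether the Expired Computers report can be trusted for this machine.
function Test-NetLogonPasswordSync {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters'
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    $findings = @()

    # DisablePasswordChange = 1: the machine never rotates its password, so its password age
    # grows without bound and the report lists it as expired even though it is active.
    if ($props.DisablePasswordChange -eq 1) {
        $findings += 'DisablePasswordChange=1: machine password never changes; report will flag this computer.'
    }

    # MaximumPasswordAge (days) overrides the 30-day default; any value above 30 means an
    # active machine can legitimately go more than 30 days without synchronizing.
    if ($null -ne $props.MaximumPasswordAge) {
        $findings += ('MaximumPasswordAge={0} days (default 30); a password age over 30 days is not evidence of inactivity.' -f $props.MaximumPasswordAge)
    }

    # RefusePasswordChange = 1 (domain controller): the DC rejects member password changes,
    # so every member's password age grows regardless of whether the member is online.
    if ($props.RefusePasswordChange -eq 1) {
        $findings += 'RefusePasswordChange=1 on this DC: members cannot re-synchronize; report results are not meaningful.'
    }

    if ($findings.Count -eq 0) {
        Write-Output 'Default NetLogon password-change settings; the 30-day criterion applies to this machine.'
    } else {
        $findings | ForEach-Object { Write-Output "WARNING: $_" }
    }
}

Test-NetLogonPasswordSync
```

Any WARNING line means the computer can appear in the Expired Computers report without actually being inactive, so its entry should be confirmed by other means before the account is treated as stale.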

If you want to change the time used in the criteria for the Expired Computer Account report, refer to article NETIQKB16256.



Additional Information

Formerly known as NETIQKB1275