Hi, for each client that gets provisioned, the AMT process creates an object in AD for AMT. The object is created with a non-expiring password. Can we change this, and if so, how?
Also, each object is added to the Domain Users group. Can this be changed as well?
Both the non-expiring password and the Domain Users group were spotted by our IT security team.
Do you also have detailed documentation about the risks, if any, of these objects that are created?
They seem like half user objects and half computer objects?
You can search and find them in AD under a users and groups search, but when you right-click on any of them you have the computer object menu: reset, disable, etc. choices.
Let me know.
I would suggest checking the AMT documentation at:
Here is what the Intel SCS 7.0 User Guide says:
"If the ADOU has a maximum password age password policy defined in AD, the password must be replaced before it expires." So I think you set it in AD.
If you are using Intel SCS 7.0, page 15 of the User Guide (available in the download zip file) tells you how to schedule a maintenance task to reset the password.
I don't know the answer to the security implications, but I think they are greatly reduced if you set a password expiration policy.
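
A read-only audit of the two findings raised in this thread (non-expiring passwords and Domain Users membership) for the objects in the AMT OU. This is an added example, not part of the original posts or Intel's documentation; it uses the ActiveDirectory PowerShell module, and the OU distinguished name and the 90-day threshold are placeholders to replace with your own values.

```powershell
# Added example: read-only audit of the objects in the OU used for AMT provisioning.
# Assumptions: $AmtOu is a placeholder DN and $MaxPasswordAgeDays an example threshold.
param(
    [string]$AmtOu = 'OU=AMT,DC=example,DC=com',
    [int]$MaxPasswordAgeDays = 90
)

Import-Module ActiveDirectory

$DontExpirePassword = 0x10000   # userAccountControl bit: DONT_EXPIRE_PASSWORD
$AccountDisabled    = 0x2       # userAccountControl bit: ACCOUNTDISABLE
$DomainUsersRid     = 513       # well-known RID of Domain Users

# Resolve Domain Users by SID so the check works on localized domains.
$domainSid   = (Get-ADDomain).DomainSID.Value
$domainUsers = (Get-ADGroup -Identity "$domainSid-$DomainUsersRid").DistinguishedName
$now         = (Get-Date).ToUniversalTime()

# Any object carrying userAccountControl is an account, whatever its object class.
$report = Get-ADObject -SearchBase $AmtOu -SearchScope Subtree `
    -LDAPFilter '(userAccountControl=*)' `
    -Properties userAccountControl, pwdLastSet, primaryGroupID, memberOf |
    ForEach-Object {
        $uac     = [int]$_.userAccountControl
        $pwdSet  = if ($_.pwdLastSet -gt 0) { [DateTime]::FromFileTimeUtc($_.pwdLastSet) }
        $ageDays = if ($pwdSet) { [int]($now - $pwdSet).TotalDays }
        [pscustomobject]@{
            Name                 = $_.Name
            ObjectClass          = $_.ObjectClass
            Enabled              = -not ($uac -band $AccountDisabled)
            PasswordNeverExpires = [bool]($uac -band $DontExpirePassword)
            PasswordAgeDays      = $ageDays
            PasswordOverdue      = ($null -eq $ageDays) -or ($ageDays -gt $MaxPasswordAgeDays)
            InDomainUsers        = ($_.primaryGroupID -eq $DomainUsersRid) -or
                                   ($_.memberOf -contains $domainUsers)
        }
    }

# Show only the objects a security review would flag.
$report |
    Where-Object { $_.PasswordNeverExpires -or $_.PasswordOverdue -or $_.InDomainUsers } |
    Sort-Object PasswordAgeDays -Descending |
    Format-Table -AutoSize
```

Running it again after the SCS maintenance task has reset the passwords shows whether `PasswordAgeDays` actually dropped for every object in the OU.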