I was looking for stale computer accounts within our domain using the PasswordLastSet date when I discovered hundreds of computer objects with the useraccountcontrol value of 4128 (WORKSTATION_TRUST_ACCOUNT and PASSWD_NOTREQD) instead of the usual 4096 (WORKSTATION_TRUST_ACCOUNT) value.
Most of these computers were part of a migration from another domain but many were created recently.
I would like to require all computers maintain a secure password with the domain so I could discover stale computer objects. I created a script which could make that change but I am unsure of any negative consequences that might result.
Have you had experience changing this useraccountcontrol value? What would you advise?
Thanks!