Microsoft KB Archive/309799

= HOW TO: Prevent Users From Changing a Password Except When Required in Windows 2000 =

Article ID: 309799

Article Last Modified on 11/1/2006

APPLIES TO

 * Microsoft Windows 2000 Server

This article was previously published under Q309799



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

IN THIS TASK

 * SUMMARY
 * How to Configure a System Prompt Requirement to Change Passwords
   * How to Configure a Site, Domain, or Organizational Unit to Require a System Prompt to Change Passwords
   * How to Disable the Change Password Button for One or More Specific Users
 * REFERENCES

SUMMARY
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

This step-by-step article describes how to prevent users from changing their password except when they are required to do so. Centralized control of user passwords is a cornerstone of a well-crafted Windows 2000 security scheme. You can use a Windows 2000 Group Policy to set minimum and maximum password ages. A minimum password age prevents users from changing passwords too frequently. Without it, users can change their password several times in quick succession to cycle through the password history and return to an old password, and frequent changes also lead to more help-desk calls because of forgotten passwords.


How to Configure a System Prompt Requirement to Change Passwords
Users can change their password at any time between the minimum and maximum password ages. Your security design may require that users change their passwords only when they are prompted by the operating system at the maximum password age. You can configure Windows 2000 to allow users to change their passwords only when the operating system prompts them to do so.

You can implement this configuration for an entire domain by using a Group Policy or you can implement this configuration for one or more specific users by using the registry.


How to Configure a Site, Domain, or Organizational Unit to Require a System Prompt to Change Passwords

 1) Start the Active Directory Users and Computers snap-in by using the Microsoft Management Console (MMC). To do so, click Start, click Run, type mmc, and then click OK. On the File menu, click Add/Remove Snap-in, click Add, click Active Directory Users and Computers, click Add, click Close, and then click OK. The snap-in should now be visible in the left pane of your console.
 2) Expand the snap-in, right-click the domain or organizational unit for which you want to implement the new password change policy, and then click Properties.
 3) Click the Group Policy tab, click the Group Policy Object (GPO) you want to work with, and then click Edit. If there are no existing policies listed in the window, click New to create a new policy that you can choose a name for, and then click Edit.
 4) Expand the policy, and then expand the User Configuration node. Expand the Administrative Templates node, and then expand the System node.
 5) Click the Logon/Logoff node.
 6) Right-click the Disable Change Password policy, and then click Properties.
 7) On the Policy tab, click the Enabled option, and then click OK.
 8) Close the Group Policy windows, and then quit the Active Directory Users and Computers console.
 9) At a command prompt, type secedit /refreshpolicy user_policy /enforce, and then press ENTER to update the policy.

NOTE: By default, policies that are applied to either users or computers at the domain level apply to all users and/or all computers in the domain. By default, a policy applied to an organizational unit applies to all user accounts and/or machine accounts that reside in that organizational unit and in any sub-organizational unit that may exist. A user account must either be moved into, or be created in, that organizational unit for the policy to apply to it. Merely placing a security group that the user is a member of in the organizational unit does not apply the policy to that user.
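The same user policy can be created, populated and linked from a script on a current domain controller or administration workstation. The following is an added example, not part of the KB article, and it assumes the GroupPolicy PowerShell module from RSAT, which did not exist on Windows 2000 (where the MMC steps above are the only route). The GPO name and OU distinguished name are placeholders. The registry key and value it writes are the ones the Disable Change Password policy sets under User Configuration; on current Windows the client refresh command is gpupdate /target:user /force rather than the secedit /refreshpolicy command in step 9.

```powershell
# Added example (not from the KB article). Assumes the RSAT GroupPolicy module and a
# modern domain controller; the policy value itself is the one the editor writes when
# "Disable Change Password" is set to Enabled.
Import-Module GroupPolicy

$GpoName   = 'Password Change Restriction'        # assumed GPO name
$TargetOU  = 'OU=Staff,DC=example,DC=com'         # assumed OU distinguished name
$PolicyKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'DisableChangePassword'

# Create the GPO only if it does not exist yet, so the script is safe to re-run.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Users may change passwords only when prompted at expiry'
}

# Enabling the policy in the editor stores this DWORD = 1 in the User Configuration half.
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $ValueName `
                    -Type DWord -Value 1 | Out-Null

# Link the GPO to the OU if it is not already linked there (the note above still applies:
# only accounts that reside in the OU, not groups placed in it, receive the policy).
$links = (Get-GPInheritance -Target $TargetOU).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $GpoName })) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# Verify what the GPO now carries before telling users the change is in effect.
$setting = Get-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $ValueName
if ($setting.Value -eq 1) {
    Write-Output "GPO '$GpoName' sets $ValueName=1 for user accounts under $TargetOU"
} else {
    Write-Warning "Policy value not set as expected: $($setting | Out-String)"
}
```

Running the script twice is harmless: the GPO, value and link are each created only when missing. Users receive the setting at their next policy refresh or logon, which is why the verification step reads the GPO rather than a workstation's registry.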


How to Disable the Change Password Button for One or More Specific Users
The following procedure must be done on the user's computer:

 1) At a command prompt, type regedit, and then press ENTER.
 2) View the following registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

 3) Click the System key if it exists. If the key does not exist, on the Edit menu, point to New, and then click Key to create a new key called New Key #1. Rename New Key #1 to System.
 4) Click the System key. On the Edit menu, point to New, and then click DWORD Value.
 5) Rename the New Value #1 entry to DisableChangePassword, press ENTER, and then press ENTER again. Change the value from 0 to 1.
 6) Quit Registry Editor.
 7) Press CTRL+ALT+DELETE to see that the Change Password button is now unavailable.
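The registry steps above can be applied and, more usefully, audited from a script. The following is an added example and not part of the KB article; it assumes Windows PowerShell, which Windows 2000 did not ship with, but the key and value it creates are exactly those the regedit procedure creates, so the effect is the same. The function names and the audit over HKEY_USERS are my own additions: the audit walks every user hive currently loaded on the machine so an administrator can see which logged-on users already have the restriction without changing anything.

```powershell
# Added example (not from the KB article). Same key and value as the manual regedit steps;
# PowerShell is assumed, which was not available on Windows 2000.
$PolicyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName  = 'DisableChangePassword'

function Set-ChangePasswordButton {
    # Disable = DWORD 1 (button unavailable); Restore = remove the value (default behaviour).
    param([Parameter(Mandatory=$true)][ValidateSet('Disable','Restore')][string]$Action)

    if ($Action -eq 'Disable') {
        # Creates the System key when it is missing (the "New Key #1 -> System" step).
        if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
        New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    } elseif (Test-Path $PolicyPath) {
        Remove-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    }
}

function Get-ChangePasswordButtonState {
    # Returns 'Disabled' when the value is 1 for the current user, otherwise 'Available'.
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($item -and $item.$ValueName -eq 1) { 'Disabled' } else { 'Available' }
}

function Get-ChangePasswordAudit {
    # Read-only report over every loaded user hive. PowerShell only maps HKCU:\ and HKLM:\
    # by default, so HKEY_USERS is mapped as the HKU: drive first.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    Get-ChildItem -Path 'HKU:\' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
        ForEach-Object {
            $sid  = $_.PSChildName
            $path = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Policies\System"
            $v    = (Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
            # Resolve the SID to an account name where possible; fall back to the raw SID.
            try {
                $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                               [System.Security.Principal.NTAccount]).Value
            } catch { $account = $sid }
            $state = if ($null -eq $v) { 'not set' } else { $v }
            [pscustomobject]@{ Account = $account; SID = $sid; DisableChangePassword = $state }
        }
}

Set-ChangePasswordButton -Action Disable
Get-ChangePasswordButtonState                  # Disabled
Get-ChangePasswordAudit | Format-Table -AutoSize
```

Because the value lives under HKEY_CURRENT_USER, the script only restricts the account it runs as; for other accounts, run it in their session, or write to their hive under HKEY_USERS with administrative rights while it is loaded. The audit function is the piece worth keeping: the per-user registry setting is easy to lose track of, and a loaded-hive report shows at a glance which users on a machine still have the Change Password button available.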


<div class="references_section">