
From BetaArchive Wiki


How to disable automatic machine account password changes

Article ID: 154501

Article Last Modified on 10/30/2006



APPLIES TO

  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows NT Server 4.0 Standard Edition
  • Microsoft Windows NT Workstation 4.0 Developer Edition
  • Microsoft Windows NT Server 3.51
  • Microsoft Windows NT Workstation 3.51



This article was previously published under Q154501

Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry


SUMMARY

On Microsoft Windows NT-based computers and on Microsoft Windows 2000-based computers, machine account passwords are regularly changed for security purposes. By default, on Windows NT-based computers, the machine account password automatically changes every seven days. On Windows 2000-based computers, the machine account password automatically changes every 30 days. This article describes how an administrator can disable automatic machine account password changes.

Warning If you disable machine account password changes, there are security risks because the secure channel is used for pass-through authentication. If someone discovers a machine account password, he or she can potentially perform pass-through authentication to the domain controller.

MORE INFORMATION

You may want to disable the default automatic machine account password changes for any one of the following reasons:

  • You want to reduce replication occurrences. As a side effect of automatic machine account password changes, a domain with many client computers and domain controllers can cause replication to occur on a frequent basis. You can disable automatic machine account password changes to reduce replication occurrences.
  • You have two separate installations of Windows NT or Windows 2000 on the same computer in a dual-boot configuration. In this case, the only way to share the same machine account between the two installations of Windows NT or Windows 2000 is to use the default machine account password that is created when you join the domain.
  • If you frequently perform a clean installation of Windows NT or Windows 2000, you must have an administrator on the domain who can create the machine account on the domain. If that is a problem, you can leave the password of the machine account as the default.

In Windows NT versions 3.51 and later and in Windows 2000, you can disable the machine account password changes on a workstation by setting the DisablePasswordChange registry entry to a value of 1. To do so, follow these steps.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

  1. Start Registry Editor. To do so, click Start, click Run, type regedit in the Open box, and then click OK.
  2. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

  3. In the right pane, click the DisablePasswordChange entry.
  4. On the Edit menu, click Modify.
  5. In the Value data box, type a value of 1, and then click OK.
  6. Quit Registry Editor.
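The same Netlogon Parameters key and the DisablePasswordChange entry still exist on current Windows versions, so the steps above can be audited and applied from PowerShell. The following script is an added example, not part of the KB article: it reads the current state, applies the value, and then verifies that the secure channel the article warns about still works. It assumes an elevated PowerShell session on the workstation being changed; the function names are the example's own.

```powershell
# Added example (not from the KB article). Audits and sets DisablePasswordChange
# on the local workstation, using the registry subkey named in the article.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-MachinePasswordChangeState {
    # Returns the effective setting; an absent DisablePasswordChange entry means 0
    # (automatic changes enabled), which is the default the article describes.
    $props = Get-ItemProperty -Path $NetlogonKey -ErrorAction Stop
    $value = if ($null -ne $props.DisablePasswordChange) { [int]$props.DisablePasswordChange } else { 0 }
    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        DisablePasswordChange = $value
        AutomaticChanges      = ($value -eq 0)
    }
}

function Set-MachinePasswordChangeState {
    # $Disable = 1 performs steps 3 to 5 of the article; 0 restores the default behaviour.
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Disable)
    $before = Get-MachinePasswordChangeState
    Set-ItemProperty -Path $NetlogonKey -Name DisablePasswordChange -Value $Disable -Type DWord
    $after = Get-MachinePasswordChangeState
    # Keep a record of the change: the article notes that disabling the rotation
    # weakens the secure channel, so the state before and after is worth logging.
    Write-Verbose ("DisablePasswordChange on {0}: {1} -> {2}" -f $after.Computer, $before.DisablePasswordChange, $after.DisablePasswordChange)
    $after
}

function Test-SecureChannelAfterChange {
    # Disabling rotation does not break the existing secure channel; this confirms
    # the channel to the domain controller is still valid after the change.
    [pscustomobject]@{
        State              = Get-MachinePasswordChangeState
        SecureChannelValid = (Test-ComputerSecureChannel)
    }
}

# Usage (run elevated on the workstation):
#   Set-MachinePasswordChangeState -Disable 1 -Verbose
#   Test-SecureChannelAfterChange
```

Test-ComputerSecureChannel returns $true when the existing secure channel still authenticates against the domain; because DisablePasswordChange only stops future rotations, the channel established with the current password keeps working, which is exactly why the article's warning about a discovered password applies for as long as the setting stays at 1.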

In Windows NT version 4.0 and Windows 2000, you can disable the machine account password change by setting the RefusePasswordChange registry entry to a value of 1 on all domain controllers in the domain instead of on all workstations. To do so, follow these steps.

Note On Windows NT 4.0 domain controllers, you must change the RefusePasswordChange registry entry to a value of 1 on all backup domain controllers (BDCs) in the domain before you make the change on the primary domain controller (PDC). Failure to follow this order will cause event ID 5722 to be logged in the event log of the PDC.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

  1. Start Registry Editor. To do so, click Start, click Run, type regedit in the Open box, and then click OK.
  2. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type RefusePasswordChange as the registry entry name, and then press ENTER.
  5. On the Edit menu, click Modify.
  6. In the Value data box, type a value of 1, and then click OK.
  7. Quit Registry Editor.
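The domain-controller variant has an ordering requirement (every BDC before the PDC) and a named symptom of getting it wrong (event ID 5722 on the PDC). The script below is an added example, not part of the KB article, that enforces that order from a management host and then checks the PDC's System log for the event. It assumes PowerShell remoting to each domain controller, so it targets the same registry entry on Windows versions that can run PowerShell rather than Windows NT 4.0 itself; the domain controller names are placeholders to be filled in, and the function names are the example's own.

```powershell
# Added example (not from the KB article). Sets RefusePasswordChange = 1 on every
# domain controller in the order the article requires, then looks for event ID 5722.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$BackupDcs   = @('BDC-PLACEHOLDER-1', 'BDC-PLACEHOLDER-2')   # replace with the domain's BDC names
$PrimaryDc   = 'PDC-PLACEHOLDER'                            # replace with the PDC name

# Runs on each domain controller: creates the DWORD if missing, overwrites it if
# present (the same result as steps 3 to 6 of the article), and returns the value.
$setRefusePasswordChange = {
    param($Key)
    New-ItemProperty -Path $Key -Name RefusePasswordChange -Value 1 -PropertyType DWord -Force | Out-Null
    (Get-ItemProperty -Path $Key -Name RefusePasswordChange).RefusePasswordChange
}

function Set-RefusePasswordChangeOnDomain {
    param([string[]]$Bdcs, [string]$Pdc)
    $results = @()
    # Article ordering: all BDCs first, the PDC last. Appending $Pdc after the
    # BDC list guarantees it is processed last.
    foreach ($dc in ($Bdcs + $Pdc)) {
        $value = Invoke-Command -ComputerName $dc -ScriptBlock $setRefusePasswordChange -ArgumentList $NetlogonKey
        $results += [pscustomobject]@{ DomainController = $dc; RefusePasswordChange = $value; IsPdc = ($dc -eq $Pdc) }
    }
    $results
}

function Get-PdcEvent5722 {
    # Event ID 5722 in the System log is the symptom the article names when the
    # PDC is changed before the BDCs; an empty result after the change is the
    # expected outcome when the order above was followed.
    param([string]$Pdc, [datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -ComputerName $Pdc -FilterHashtable @{ LogName = 'System'; Id = 5722; StartTime = $Since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, MachineName, Message
}

# Usage (from a management host with remoting to every domain controller):
#   $applied = Set-RefusePasswordChangeOnDomain -Bdcs $BackupDcs -Pdc $PrimaryDc
#   $applied | Format-Table -AutoSize
#   Get-PdcEvent5722 -Pdc $PrimaryDc
```

Because RefusePasswordChange only makes the domain controllers refuse requests, the workstations keep retrying on their normal schedule (seven days on Windows NT 4.0, 30 days on Windows 2000), so the event check above is also a useful periodic audit: a stream of 5722 events on the PDC after the change points at a domain controller that was missed or changed out of order.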

Note The RefusePasswordChange registry entry causes the domain controller to refuse password change requests only from workstations or member servers that run Windows NT version 4.0 or later.

If you set the RefusePasswordChange registry entry to a value of 1, after the workstation or member server first tries to change its machine account password, future attempts to change the password are prevented (by returning a distinct status code). A Windows NT 4.0-based computer will try to change its machine account password again in seven days, and a Windows 2000-based computer will try again in 30 days. If you set the RefusePasswordChange registry entry to a value of 1, the replication traffic will stop, but not the client traffic. If you set the DisablePasswordChange registry entry to a value of 1, both client and replication traffic will stop.

If you disable automatic machine account password changes, you can set up two (or more) installations of Windows NT or Windows 2000 on the same computer that use the same machine account. To do so, follow these steps:

  1. Install Windows NT or Windows 2000, and set up the computer as a workgroup member.
  2. Disable the automatic machine account password changes. To do so, set the DisablePasswordChange registry entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry subkey to a value of 1.
  3. Restart the computer.
  4. Set up the machine account on the domain controller by using Server Manager on a Windows NT 4.0 domain controller, or by using Active Directory Users and Computers on a Windows 2000 domain controller.
  5. Join the computer to the domain.
  6. Perform a second installation of Windows NT or Windows 2000 in a separate directory, and set up the computer as a workgroup member.
  7. Repeat steps 2 through 3.

For additional information about the effects of machine account replication and about how to change the frequency of automatic machine account password changes, click the following article number to view the article in the Microsoft Knowledge Base:

175468 Effects of machine account replication on a domain


Keywords: kbhowto kbnetwork kbusage KB154501