MORE INFORMATION

You may want to disable the default automatic machine account password changes for any one of the following reasons:

• You want to reduce replication occurrences. As a side effect of automatic machine account password changes, a domain with many client computers and domain controllers can cause replication to occur on a frequent basis. You can disable automatic machine account password changes to reduce replication occurrences.
• You have two separate installations of Windows NT or Windows 2000 on the same computerin a dual-boot configuration. In this case, the only way to share the same machine account between the two installations of Windows NT or Windows 2000 is to use the default machine account password that is created when you join the domain.
• If you frequently perform a clean installation of Windows NT or Windows 2000, you must have an administrator on the domain that can create the machine account on the domain. If that is a problem, you can leave the password of the machine account as the default.

In Windows NT versions 3.51 and later and in Windows 2000, you can disable the machine account password changes on a workstation by setting the DisablePasswordChange registry entry to a value of 1. To do so, follow these steps.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

1. Start Registry Editor. To do so, click Start, click Run, type regedit in the Open box, and then click OK.
2. Locate and then click the following registry subkey:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

3. In the right pane, click the DisablePasswordChange entry.
4. On the Edit menu, click Modify.
5. In the Value data box, type a value of 1, and then click OK.
6. Quit Registry Editor.

In Windows NT version 4.0 and Windows 2000, you can disable the machine account password change by setting the RefusePasswordChange registry entry to a value of 1 on all domain controllers in the domain instead of on all workstations. To do so, follow these steps.

Note On Windows NT 4.0 domain controllers, you must change the RefusePasswordChange registry entry to a value of 1 on all backup domain controllers (BDCs) in the domain before you make the change on the primary domain controller (PDC). Failure to follow this order will cause event ID 5722 to be logged in the event log of the PDC.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

1. Start Registry Editor. To do so, click Start, click Run, type regedit in the Open box, and then click OK.
2. Locate and then click the following registry subkey:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

3. On the Edit menu, point to New, and then click DWORD Value.
4. Type RefusePasswordChange as the registry entry name, and then press ENTER.
5. On the Edit menu, click Modify.
6. In the Value data box, type a value of 1, and then click OK.
7. Quit Registry Editor.

Note The RefusePasswordChange registry entry causes the domain controller to refuse password change requests only from workstations or member servers that run Windows NT version 4.0 or later.

If you set the RefusePasswordChange registry entry to a value of 1, after the workstation or member server first tries to change its machine account password, future attempts to change the password are prevented (by returning a distinct status code). A Windows NT 4.0-based computer will try to change its machine account password again in seven days, and a Windows 2000-based computer will try again in 30 days. If you set the RefusePasswordChange registry entry to a value of 1, the replication traffic will stop, but not the client traffic. If you set the DisablePasswordChange registry entry to a value of 1, both client and replication traffic will stop.

If you disable automatic machine account password changes, you can set up two (or more) installations of Windows NT or Windows 2000 on the same computer that use the same machine account. To do so, follow these steps:

1. Install Windows NT or Windows 2000, and set up the computer as a workgroup member.
2. Disable the automatic machine account password changes. To do so, set the DisablePasswordChange registry entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry subkey to a value of 1.
3. Restart the computer.
4. Set up the machine account on the domain controller by using Server Manager on a Windows NT 4.0 domain controller, or by using Active Directory Users and Computers on a Windows 2000 domain controller.
5. Join the computer to the domain.
6. Perform a second installation of Windows NT or Windows 2000 in a separate directory, and set up the computer as a workgroup member.
7. Repeat steps 2 through 3.

For additional information about the effects of machine account replication and about how to change the frequency of automatic machine account password changes, click the following article number to view the article in the Microsoft Knowledge Base: