Disable Secure Channel Password and Trust Password Changes

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

When a PC joins a Windows NT domain, a password is created for the PC to authenicate itself to the domain. The password and communication is called a secure channel. This password is changed every 7 days for NT and every 30 days for NT2000. We have had occasional problems with Windows NT member servers losing their secure channel. The PDC will disable the secure channel if the PC misses the change period twice.

When a trust is set up between Windows NT domains, a trust password is setup with the Trusting domain using a password and the Trusted domain has the trust password in its SAM. Both trust passwords and secure channel passwords can and do get out of synch. When this happens for trusts, the ability to authenication trusted users fails. When this happens to member servers, the domain netlogon service gets disabled and one can only login with a local account and access to resources fail due to failed authenication channel. These secret password problems can be resolved by Netdom .

If these problems become frequent due to network instabilities, you can make the passwords static, that is disable the periodic changes. To disable password changes apply to domain controller ( trusted ):

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Name: RefusePasswordChange
Type: REG_DWORD
Value: 1

You can also extend the number of days between changes by applying to domain controllers and workstations (sounds like a LOT of work):

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Name: MaximumPasswordAge
Type: REG_DWORD
Value: #days up to 1,000,000

Related articles:
Effects of Machine Account Replication on a Domain
Secure Channel Manipulation with TCP/IP
Inter-Domain Trust Account Passwords

IF you do a search on Microsoft, there are many articles on secure channels and trust passwords.

See Also

Featured Links