Machine Account Password Changes

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

Machine account passwords are changed every seven days automatically. Do not disable this behavior if security is important in your organization. By disabling machine account password changes, you are giving up some security, because the machine account password protects the secure channel that is used for pass-through authentication. Apply the following change to each BDC and then the PDC (order is critical). With this change in place, the domain controllers refuse password change requests from Windows NT Workstations (or Windows NT Member Servers) running Windows NT version 4.0 or later.

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Netlogon
Name: RefusePasswordChange
Type: REG_DWORD
Value: 1

After the first attempt to change the password, setting RefusePasswordChange prevents the workstation from further attempts to change the password (by returning a distinct status code), but the workstation will try again in one week. Setting RefusePasswordChange stops the replication traffic, but not the client traffic. Setting DisablePasswordChange to 1 on all client computers stops both client and replication traffic.

Hacking Exposed - Second Edition
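
The following PowerShell check is an added example, not part of the original article: it reports whether RefusePasswordChange or DisablePasswordChange is set on the local host, so machines that no longer rotate their machine account password can be found. It reads the key named above and, as an assumption of this example, its Parameters subkey; the function name Get-NetlogonPasswordSetting is hypothetical.

```powershell
# Added example: audit the two Netlogon values discussed above on the local machine.
# Assumption: the values may sit under the key named in the article or under
# its Parameters subkey, so both locations are read.
$baseKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon'
$keys    = @($baseKey, (Join-Path $baseKey 'Parameters'))
$names   = @('RefusePasswordChange', 'DisablePasswordChange')

function Get-NetlogonPasswordSetting {
    param(
        [string[]]$KeyPath,
        [string[]]$ValueName
    )
    foreach ($key in $KeyPath) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($name in $ValueName) {
            # An absent value means the default: password changes stay enabled.
            $prop = $props.PSObject.Properties[$name]
            if ($null -eq $prop) { continue }
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Key      = $key
                Name     = $name
                Value    = $prop.Value
                Finding  = if ($prop.Value -eq 1) {
                               'machine account password changes suppressed'
                           } else {
                               'present but not enabled'
                           }
            }
        }
    }
}

$results = @(Get-NetlogonPasswordSetting -KeyPath $keys -ValueName $names)
if ($results.Count -eq 0) {
    # Neither value exists in either location.
    '{0}: neither value is set; password changes are enabled.' -f $env:COMPUTERNAME
} else {
    $results | Format-Table -AutoSize
}
```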
