MaximumPasswordAge DisablePasswordChange On Client Computers

by [Published on 27 Jan. 2010 / Last Updated on 31 May 2009]

This article explains how a domain client computer changes its password with the domain controller.

By default, a computer must update its computer account password with a domain controller within the 30 days specified in the registry. This is required to establish the secure channel between the client computer and the domain. If a computer cannot update its password in the domain within the 30 days, it cannot participate in the domain or access the resources.

Check the following registry entries to make sure the computer is able to sync its password with the domain:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetLogon

MaximumPasswordAge

The default value for this entry is 30 days. A computer must update its computer password with its authenticator (a domain controller) within the specified number of days. If this entry is 0, the password is never updated.

DisablePasswordChange

The default value of this entry is 0 (disabled). If it is set to 1, the domain computer cannot update its password automatically, and you must update the computer account's password manually.
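The check described above can be scripted. The following is an added example, not code from the original article: the function name `Get-MachinePasswordPolicy` is hypothetical, it assumes the two values are read from the `Parameters` subkey of the Netlogon service key (where Netlogon stores them), and it assumes Windows PowerShell 5.1 on a domain-joined computer for the secure channel test.

```powershell
# Added example: audit the two Netlogon machine-password entries on the local computer.
# Assumption: the values are stored under the Parameters subkey of the Netlogon key.
function Get-MachinePasswordPolicy {
    param(
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    )

    # Defaults as stated in the article; they apply when a value is not present.
    $maxAge  = 30
    $disable = 0

    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -ne $props) {
        if ($null -ne $props.MaximumPasswordAge)    { $maxAge  = [int]$props.MaximumPasswordAge }
        if ($null -ne $props.DisablePasswordChange) { $disable = [int]$props.DisablePasswordChange }
    }

    # Collect every setting that stops or delays the automatic password change.
    $findings = @()
    if ($disable -eq 1) { $findings += 'DisablePasswordChange=1: automatic change is off' }
    if ($maxAge -eq 0)  { $findings += 'MaximumPasswordAge=0: password is never updated' }
    if ($maxAge -gt 30) { $findings += "MaximumPasswordAge=$maxAge exceeds the 30-day default" }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        MaximumPasswordAge    = $maxAge
        DisablePasswordChange = $disable
        AutoChangeEnabled     = ($disable -ne 1 -and $maxAge -ne 0)
        Findings              = $findings
    }
}

$policy = Get-MachinePasswordPolicy
$policy | Format-List

# Verify the secure channel itself. Test-ComputerSecureChannel returns $true when
# the channel to the domain is healthy; it raises an error on a non-domain computer.
try {
    if (-not (Test-ComputerSecureChannel)) {
        Write-Warning 'Secure channel to the domain is broken.'
    }
} catch {
    Write-Warning "Secure channel test could not run: $($_.Exception.Message)"
}
```

An empty `Findings` list together with `AutoChangeEnabled = True` means both entries are at values that let the computer change its password on its own.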

 



The Author — Nirmal Sharma
