Effects of machine account replication on a domain
Article ID: 175468
This article was previously published under Q175468
For each Windows computer that is a member of a domain, there is a discrete communication channel with a domain controller.
Note: An example of a discrete communication channel is the security channel.
The security channel's password is stored together with the computer account on the primary domain controller (PDC), and is replicated to all backup domain controllers (BDCs). The password is also stored on the workstation, in the LSA secret $MACHINE.ACC. Each workstation holds its own such secret.
Every seven days, the workstation sends a security channel password change and the computer account password is updated. If the primary domain controller (PDC) is running Windows NT 4.0 Service Pack 3 or earlier, the computer account password changes are marked as "Announce Immediate" and every time a computer account password is modified, a replication occurs immediately. If the PDC is running Windows NT 4.0 Service Pack 4 or a later version, the computer account is replicated during the next replication pulse.
For Microsoft Windows 2000 and later versions, the default computer account password change interval is 30 days. Also, these operating systems can change the password against any writable domain controller.
Windows NT 4.0
To resolve this problem, obtain the latest service pack for Windows NT 4.0 or Windows NT Server 4.0, Terminal Server Edition. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/152734/EN-US/) How to Obtain the Latest Windows NT 4.0 Service Pack
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows
There are two workarounds for this issue.
Method 1
To work around this issue, add the following registry parameter on all Windows NT workstations:
Key = HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
Value = DisablePasswordChange REG_DWORD 1
Default = 0
This will prevent workstations from changing passwords. You can add this registry value after joining the domain and restarting, so that the computer account password will have been changed at least one time to a random value that is known only by the system.
Method 2
To work around this issue, refuse password changes at the domain controller level. To do this, add the following registry value on all domain controllers:
Key = HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
Value = RefusePasswordChange REG_DWORD 1
Default = 0
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/154501/) How to disable automatic machine account password changes
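One way to audit where the Method 1 and Method 2 values have been set, as an added example that is not part of the original article. The function names, host names and sample inventory are constructed for illustration; only the key path and the two value names come from the article.

```powershell
# Added example: audit the two Netlogon values described in Method 1 and Method 2.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$Audited     = 'DisablePasswordChange', 'RefusePasswordChange'

function Get-NetlogonPasswordSetting {
    # Read the live values; an absent value means the documented default of 0.
    param([string]$Path = $NetlogonKey)
    $props  = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $result = @{}
    foreach ($name in $Audited) {
        $value = if ($props -and $null -ne $props.$name) { [int]$props.$name } else { 0 }
        $result[$name] = $value
    }
    $result
}

function Test-NetlogonPasswordSetting {
    # Turn one host's values (hashtable, as returned above) into findings.
    param([string]$ComputerName, [hashtable]$Settings, [switch]$IsDomainController)
    foreach ($name in $Audited) {
        $value = if ($Settings.ContainsKey($name)) { [int]$Settings[$name] } else { 0 }
        if ($value -eq 0) {
            $finding = 'Default'
        } elseif ($value -ne 1) {
            $finding = 'Unexpected data (the article documents only 0 and 1)'
        } elseif ($name -eq 'DisablePasswordChange') {
            $finding = 'Machine account password is no longer changed automatically'
        } elseif ($IsDomainController) {
            $finding = 'Domain controller refuses machine account password changes'
        } else {
            $finding = 'Set on a non-DC; the article applies this value to domain controllers'
        }
        [pscustomobject]@{ Computer = $ComputerName; Value = $name; Data = $value; Finding = $finding }
    }
}

# Constructed sample inventory (hypothetical hosts) so the example runs offline.
$sample = @(
    [pscustomobject]@{ Name = 'WKS-01'; DC = $false; Settings = @{ DisablePasswordChange = 1 } },
    [pscustomobject]@{ Name = 'WKS-02'; DC = $false; Settings = @{} },
    [pscustomobject]@{ Name = 'DC-01';  DC = $true;  Settings = @{ RefusePasswordChange = 1 } }
)
$sample | ForEach-Object {
    Test-NetlogonPasswordSetting -ComputerName $_.Name -Settings $_.Settings -IsDomainController:$_.DC
} | Where-Object { $_.Finding -ne 'Default' } | Format-Table -AutoSize

# Live use: Test-NetlogonPasswordSetting -ComputerName $env:COMPUTERNAME -Settings (Get-NetlogonPasswordSetting)
```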
Windows XP and later versions
In Windows XP and later versions, machine account password settings can also be configured by using Group Policy Editor (Gpedit.msc). To configure these settings, follow these steps:
Microsoft has confirmed that this is a problem in Windows NT 4.0 and Windows NT Server 4.0, Terminal Server Edition. This problem was first corrected in Windows NT 4.0 Service Pack 4.0 and Windows NT Server 4.0, Terminal Server Edition Service Pack 4.
Article ID: 175468 - Last Review: September 11, 2011 - Revision: 6.0