How to disable automatic machine account password changes

Article ID: 154501
This article was previously published under Q154501
Notice
This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy.

SUMMARY

This article applies to Microsoft Windows computers running any of the following operating systems:

  • Windows NT-based computers
  • Windows 2000
  • Windows XP (excluding home editions)
  • Windows Server 2003 (excluding web editions)
  • Windows Server 2003 R2 (excluding web editions)
  • Windows Vista (excluding home and starter editions)
  • Windows 7 (excluding home and starter editions)
  • Windows Server 2008 (excluding web editions)
  • Windows Server 2008 R2 (excluding web editions)

Machine account passwords are regularly changed for security purposes. By default, on Windows NT-based computers, the machine account password automatically changes every seven days. Starting with Windows 2000-based computers, the machine account password automatically changes every 30 days. This article describes how an administrator can disable automatic machine account password changes. 

Warning: If you disable machine account password changes, there are security risks because the security channel is used for pass-through authentication. If someone discovers a password, he or she can potentially perform pass-through authentication to the domain controller.

MORE INFORMATION

You may want to disable the default automatic machine account password changes for any one of the following reasons:
  • You want to reduce replication occurrences. As a side effect of automatic machine account password changes, a domain with many client computers and domain controllers can cause replication to occur on a frequent basis. You can disable automatic machine account password changes to reduce replication occurrences.
  • You have two separate installations of Windows NT or Windows 2000 on the same computer in a dual-boot configuration. In this case, the only way to share the same machine account between the two installations of Windows NT or Windows 2000 is to use the default machine account password that is created when you join the domain.
  • If you frequently perform a clean installation of Windows NT or Windows 2000, you must have an administrator on the domain that can create the machine account on the domain. If that is a problem, you can leave the password of the machine account as the default.
In Windows NT versions 3.51 and later and in Windows 2000, Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008 and Windows Server 2008 R2, you can disable the machine account password changes on a workstation by setting the DisablePasswordChange registry entry to a value of 1. To do so, follow these steps.

Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see the following article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
  1. Start Registry Editor. To do so, click Start, click Run, type regedit in the Open box, and then click OK.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  3. In the right pane, click the DisablePasswordChange entry.
  4. On the Edit menu, click Modify.
  5. In the Value data box, type a value of 1, and then click OK.
  6. Quit Registry Editor.
In Windows NT version 4.0, Windows 2000, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2, you can disable the machine account password change by setting the RefusePasswordChange registry entry to a value of 1 on all domain controllers in the domain instead of on all workstations. To do so, follow these steps.

Note: On Windows NT 4.0 domain controllers, you must change the RefusePasswordChange registry entry to a value of 1 on all backup domain controllers (BDCs) in the domain before you make the change on the primary domain controller (PDC). Failure to follow this order will cause event ID 5722 to be logged in the event log of the PDC.

  1. Start Registry Editor. To do so, click Start, click Run, type regedit in the Open box, and then click OK.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type RefusePasswordChange as the registry entry name, and then press ENTER.
  5. On the Edit menu, click Modify.
  6. In the Value data box, type a value of 1, and then click OK.
  7. Quit Registry Editor.
Note: The RefusePasswordChange registry entry causes the domain controller to refuse password change requests only from workstations or member servers that run Windows NT version 4.0 or later.

If you set the RefusePasswordChange registry entry to a value of 1, after the workstation or member server first tries to change its machine account password, future attempts to change the password are prevented (by returning a distinct status code). A Windows NT 4.0-based computer will try to change its machine account password again in seven days, and a Windows 2000-based computer will try again in 30 days. If you set the RefusePasswordChange registry entry to a value of 1, the replication traffic will stop, but not the client traffic. If you set the DisablePasswordChange registry entry to a value of 1, both client and replication traffic will stop.
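
To check how a computer is currently configured, the following added example (not part of the original article) reads both entries from the Netlogon Parameters subkey, reports what each value means, and can set them back to 0. The function names are hypothetical, and treating an absent entry as 0 is an assumption.

```powershell
# Added example, not from the KB article. Reading works for any user;
# Restore-MachinePasswordChange needs an elevated session.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$Entries     = 'DisablePasswordChange', 'RefusePasswordChange'

function Get-NetlogonDword {
    param([Parameter(Mandatory = $true)][string]$Name)
    # Assumption: an absent entry behaves like 0 (password changes allowed).
    $props = Get-ItemProperty -Path $NetlogonKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.$Name) { return 0 }
    return [int]$props.$Name
}

function Get-MachinePasswordChangeState {
    $disable = Get-NetlogonDword -Name 'DisablePasswordChange'
    $refuse  = Get-NetlogonDword -Name 'RefusePasswordChange'
    $notes   = @()
    if ($disable -eq 1) { $notes += 'This computer will not change its own machine account password.' }
    if ($refuse -eq 1)  { $notes += 'If this is a domain controller, it refuses machine account password changes.' }
    if (-not $notes)    { $notes += 'Automatic machine account password changes are not disabled here.' }
    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        DisablePasswordChange = $disable
        RefusePasswordChange  = $refuse
        Notes                 = $notes -join ' '
    }
}

function Restore-MachinePasswordChange {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($name in $Entries) {
        # Only touch entries that are currently non-zero; -WhatIf previews the change.
        if ((Get-NetlogonDword -Name $name) -ne 0 -and
            $PSCmdlet.ShouldProcess("$NetlogonKey\$name", 'Set to 0')) {
            Set-ItemProperty -Path $NetlogonKey -Name $name -Value 0 -Type DWord
        }
    }
}

Get-MachinePasswordChangeState
# Restore-MachinePasswordChange -WhatIf   # preview; remove -WhatIf to apply
```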

If you disable automatic machine account password changes, you can set up two (or more) installations of Windows NT or Windows 2000 on the same computer that use the same machine account. To do so, follow these steps:
  1. Install Windows NT or Windows 2000, and set up the computer as a workgroup member.
  2. Disable the automatic machine account password changes. To do so, set the DisablePasswordChange registry entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry subkey to a value of 1.
  3. Restart the computer.
  4. Set up the machine account on the domain controller by using Server Manager on a Windows NT 4.0 domain controller, or by using Active Directory Users and Computers on a Windows 2000 domain controller.
  5. Join the computer to the domain.
  6. Perform a second installation of Windows NT or Windows 2000 in a separate directory, and set up the computer as a workgroup member.
  7. Repeat steps 2 through 3.
For additional information about the effects of machine account replication and about how to change the frequency of automatic machine account password changes, see the following article in the Microsoft Knowledge Base:
175468 Effects of machine account replication on a domain

Properties

Article ID: 154501 - Last Review: April 14, 2011 - Revision: 2.5
APPLIES TO
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows NT Server 4.0 Standard Edition
  • Microsoft Windows NT Workstation 4.0 Developer Edition
  • Microsoft Windows NT Server 3.51
  • Microsoft Windows NT Workstation 3.51
  • Microsoft Windows Server 2003 R2 Datacenter Edition (32-Bit x86)
  • Microsoft Windows Server 2003 R2 Datacenter x64 Edition
  • Microsoft Windows Server 2003 R2 Enterprise Edition (32-Bit x86)
  • Microsoft Windows Server 2003 R2 Enterprise x64 Edition
  • Microsoft Windows Server 2003 R2 Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003 R2 Standard x64 Edition
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Datacenter without Hyper-V
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Enterprise without Hyper-V
  • Windows Server 2008 for Itanium-Based Systems
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Datacenter without Hyper-V
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Enterprise without Hyper-V
  • Windows Server 2008 R2 for Itanium-Based Systems
  • Windows Server 2008 R2 Standard
  • Windows Server 2008 R2 Standard without Hyper-V
  • Windows Server 2008 Standard
  • Windows Server 2008 Standard without Hyper-V
  • Windows Vista Business
  • Windows Vista Business 64-bit Edition
  • Windows Vista Enterprise
  • Windows Vista Enterprise 64-bit Edition
  • Windows Vista Ultimate
  • Windows Vista Ultimate 64-bit Edition
  • Windows 7 Enterprise
  • Windows 7 Professional
  • Windows 7 Ultimate