IN THIS TASK
- How to Configure the System to Prevent Users from Changing Passwords Unless Prompted
Centralized control of user passwords is a cornerstone of a well-crafted Windows security scheme. You can use Group Policy to set minimum and maximum password ages. A minimum password age prevents users from changing passwords too frequently. Frequent password changes can be used by users to circumvent a password-history setting. They may also lead to more calls to the help desk because of forgotten passwords.
Change Password option in the Windows Security dialog box that appears when you press CTRL+ALT+DELETE.
You can implement this configuration for a whole domain by using a Group Policy, or you can implement this configuration for one or more specific users by editing the registry.
How to Configure a Site, Domain, or Organizational Unit to Prevent Users from Changing Passwords Unless Prompted
- Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
- Right-click the domain or organizational unit for which you want to implement the new password change policy, and then click Properties.
- Click the Group Policy tab.
- Click the Group Policy object (GPO) that you want to work with, and then click Edit. If there are no existing policies listed in the Group Policy Object Links list, click New to create a new policy, type a name for the new policy, and then click Edit.
- Expand the GPO, expand User Configuration, expand Administrative Templates, and then expand System.
- Click Ctrl+Alt+Del Options.
- In the right pane, double-click Remove Change Password.
- Click Enabled, and then click OK.
- Quit the Group Policy Object Editor snap-in, click OK, and then quit the Active Directory Users and Computers snap-in.
- Click Start, and then click Run.
- Type cmd in the Open box, and then click OK.
- At the command prompt, type the following line, and then press ENTER:gpupdate /target:user /force
- Type exit to close the command prompt.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
- Click Start, and then click Run.
- Type regedit in the Open box, and then click OK.
- Locate the following registry key:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
- Click the System subkey, if it exists. If the key does not exist, create it. To do this:
- Click the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies key.
- On the Edit menu, point to New, and then click Key.
- Name the new key System. To do this, type System, and then press ENTER.
- Click the System key that you created.
- On the Edit menu, point to New, and then click DWORD Value.
- Name the new value
DisableChangePassword. To do this, type
DisableChangePassword, and then press ENTER.
- Double-click the DisableChangePassword value that you created. Type 1 in the
Value data box, and then click OK.
- Quit Registry Editor.
- Press CTRL+ALT+DELETE, and then verify that the Change Password option is unavailable (appears dimmed) in the Windows Security dialog box that appears.
Article ID: 324744 - Last Review: Mar 15, 2008 - Revision: 1