Effects of machine account replication on a domain

This article was previously published under Q175468
SYMPTOMS
For each Windows computer that is a member of a domain, there is a discrete communication channel with a domain controller.

Note An example of a discrete communication channel is the security channel.

The security channel's password is stored together with the computer account on the primary domain controller (PDC), and is replicated to all backup domain controllers (BDCs). The password is also in LSA secret $MACHINE.ACC of the workstation. Each workstation owns such secret data.

Every seven days, the workstation sends a security channel password change and the computer account password is updated. If the primary domain controller (PDC) is running Windows NT 4.0 Service Pack 3 or earlier, the computer account password changes are marked as "Announce Immediate" and every time a computer account password is modified, a replication occurs immediately. If the PDC is running Windows NT 4.0 Service Pack 4 or a later version, the computer account is replicated during the next replication pulse.


For Microsoft Windows 2000 and later versions, the default computer account password change interval is 30 days. Also, these operating systems can change the password against any writable domain controller.
RESOLUTION

Windows NT 4.0

To resolve this problem, obtain the latest service pack for Windows NT 4.0 or Windows NT Server 4.0, Terminal Server Edition. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
152734 How to Obtain the Latest Windows NT 4.0 Service Pack


Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows


There are two workarounds for this issue.

Method 1

To work around this issue, add the following registry parameter on all Windows NT workstations:
   Key     = HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
   Value   = DisablePasswordChange REG_DWORD 1
   Default = 0

This prevents workstations from changing passwords. You can add this registry value after joining the domain and restarting, so that the computer account password has been changed at least one time with a random value that is known only by the system.

Method 2

To work around this issue, refuse password changes at the domain controller level. To do this, add the following registry value on all domain controllers:
   Key     = HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
   Value   = RefusePasswordChange REG_DWORD 1
   Default = 0

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
154501 How to disable automatic machine account password changes

Windows XP and later versions

In Windows XP and later versions, machine account password settings can also be configured by using Group Policy Editor (Gpedit.msc). To configure these settings, follow these steps:
  1. Click Start, click Run, type Gpedit.msc, and then press ENTER.
  2. Expand Local Computer Policy, expand Windows Settings, expand Security Settings, expand Local Policies, and then expand Security Options.
  3. Configure the following settings:
    • Domain Member: Disable machine account password changes (DisablePasswordChange)
    • Domain Member: Maximum machine account password age (MaximumPasswordAge)
    • Domain Controller: Refuse machine account password changes (RefusePasswordChange)

MaximumPasswordAge has a default value of 30. The Group Policy user interface allows for a maximum value of 999 days, and the component allows for a maximum of 1,000,000 days through the registry. 
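
The following PowerShell audit is an added example, not part of the original article and not Microsoft's code. It reads the three values discussed above from the NetLogon Parameters key and reports which ones differ from the defaults this article states; the function name `Get-MachinePasswordSetting` and the output column names are hypothetical.

```powershell
# Added example: audit the machine account password values named in this article.
# Defaults (0, 30, 0) come from the article; function and column names are hypothetical.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters'

function Get-MachinePasswordSetting {
    param([string]$Path = $NetlogonKey)

    $defaults = [ordered]@{
        DisablePasswordChange = 0    # domain member
        MaximumPasswordAge    = 30   # domain member, in days
        RefusePasswordChange  = 0    # domain controller
    }
    # A missing key or value means the default applies.
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue

    foreach ($name in $defaults.Keys) {
        $present = ($null -ne $props) -and ($null -ne $props.PSObject.Properties[$name])
        $value   = if ($present) { [int]$props.$name } else { $defaults[$name] }

        $finding = switch ($name) {
            'DisablePasswordChange' {
                if ($value -eq 1) { 'Member does not change its machine account password' }
            }
            'MaximumPasswordAge' {
                if ($value -gt 999) { 'Above the 999-day Group Policy limit; set directly in the registry' }
                elseif ($value -ne 30) { 'Change interval differs from the 30-day default' }
            }
            'RefusePasswordChange' {
                if ($value -eq 1) { 'On a domain controller: member password changes are refused' }
            }
        }

        [pscustomobject]@{
            Setting    = $name
            Value      = $value
            Default    = $defaults[$name]
            Configured = $present
            Finding    = $finding
        }
    }
}

Get-MachinePasswordSetting | Format-Table -AutoSize
```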
STATUS
Microsoft has confirmed that this is a problem in Windows NT 4.0 and Windows NT Server 4.0, Terminal Server Edition. This problem was first corrected in Windows NT 4.0 Service Pack 4.0 and Windows NT Server 4.0, Terminal Server Edition Service Pack 4.
Properties

Article ID: 175468 - Last Review: 09/11/2011 04:48:00 - Revision: 6.0

Microsoft Windows NT Workstation 4.0 Developer Edition, Microsoft Windows 2000 Server, Microsoft Windows 2000 Professional Edition, Microsoft Windows XP Professional, Microsoft Windows Server 2003, Web Edition, Microsoft Windows Server 2003, Standard Edition (32-bit x86), Microsoft Windows Server 2003, Enterprise Edition (32-bit x86), Microsoft Windows Server 2003, Datacenter Edition (32-bit x86), Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems, Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems, Windows Vista Enterprise 64-bit Edition, Windows Vista Home Basic 64-bit Edition, Windows Vista Home Premium 64-bit Edition, Windows Vista Ultimate 64-bit Edition, Windows Vista Business, Windows Vista Business 64-bit Edition, Windows Vista Business N, Windows Vista Business N 64-bit Edition, Windows Vista Enterprise, Windows Vista Home Basic, Windows Vista Home Basic N, Windows Vista Home Basic N 64-bit Edition, Windows Vista Home Premium, Windows Vista Service Pack 1, Windows Vista Service Pack 2, Windows Vista Starter, Windows Vista Ultimate, Windows Server 2008 Datacenter without Hyper-V, Windows Server 2008 Enterprise without Hyper-V, Windows Server 2008 for Itanium-Based Systems, Windows Server 2008 Foundation, Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 Datacenter without Hyper-V, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Enterprise without Hyper-V, Windows Server 2008 R2 Foundation, Windows Server 2008 R2 Service Pack 1, Windows Server 2008 R2 Standard, Windows Server 2008 R2 Standard without Hyper-V, Windows Server 2008 Service Pack 2, Windows Server 2008 Standard without Hyper-V, Windows Server 2008 Datacenter, Windows Server 2008 Enterprise, Windows Server 2008 Standard, Windows 7 Enterprise, Windows 7 Enterprise N, Windows 7 Home Basic, Windows 7 Home Premium, Windows 7 Home Premium N, Windows 7 Professional, Windows 7 Professional N, Windows 7 Service Pack 1, Windows 7 Starter, 
Windows 7 Starter N, Windows 7 Ultimate, Windows 7 Ultimate N
