Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
This step-by-step article describes how to prevent users from changing their password except when they are required to do so. Centralized control of user passwords is a cornerstone of a well-crafted Windows 2000 security scheme. You can use a Windows 2000 Group Policy to set minimum and maximum password ages. A minimum password age prevents users from changing passwords too frequently. Users can use frequent password changes to circumvent a password-history setting, and frequent changes also lead to more calls to the help desk because of forgotten passwords.
How to Configure a System Prompt Requirement to Change Passwords
Users can change their password during the time period between the minimum and maximum password ages. Your security design may require that users only change their passwords when they are prompted by the operating system at the maximum password age. You can configure Windows 2000 to allow users to change their passwords only when the operating system prompts them to do so.
You can implement this configuration for an entire domain by using a Group Policy or you can implement this configuration for one or more specific users by using the registry.
How to Configure a Site, Domain, or Organizational Unit to Require a System Prompt to Change Passwords
1. Start the Active Directory Users and Computers snap-in by using the Microsoft Management Console (MMC). To do so, click Start, click Run, type mmc, and then click OK. On the File menu, click Add/Remove Snap-in, click Add, click Active Directory Users and Computers, click Add, click Close, and then click OK. The snap-in should now be visible in the left pane of your console.
2. Expand the snap-in, and right-click the domain or organizational unit for which you want to implement the new password change policy, and then click Properties.
3. Click the Group Policy tab, click the Group Policy Object (GPO) you want to work with, and then click Edit. If there are no existing policies listed in the window, click New to create a new policy that you can choose a name for, and then click Edit.
4. Expand the policy, and then expand the User Configuration node. Expand the Administrative Templates node, and then expand the System node.
5. Click the Logon/Logoff node.
6. Right-click the Disable Change Password policy, and then click Properties.
7. On the Policy tab, click the Enabled option, and then click OK.
8. Close the Group Policy windows, and then quit the Active Directory Users and Computers console.
9. At a command prompt, type secedit /refreshpolicy user_policy /enforce, and then press ENTER to update the policy.
NOTE: By default, policies that are applied to either users or computers at the domain level apply to all users, all computers, or both, in the domain. By default, a policy that is applied to an organizational unit applies to all user accounts, machine accounts, or both, that reside in that organizational unit and in any sub-organizational unit that may exist. A user account must either be moved into, or be created in, that organizational unit for the policy to apply to it. Adding security groups that a user may be a member of to an organizational unit does not apply the policy to that user.