Machine Account Password Changes
Machine account passwords are changed every seven days automatically. Do not
disable this behavior if security is important in your organization. By
disabling machine account password changes, you are giving up some security
because this secure channel is used for pass-through authentication. Apply the
following change to each BDC and then the PDC (order is critical). This change
refuses password change requests from Windows NT Workstations (or Windows NT
Member Servers) running Windows NT version 4.0 or later.
After the first attempt to change the password,
setting RefusePasswordChange prevents the workstation
from further attempts to change the password (by returning a distinct status
code), but the workstation will try again in one week. Setting RefusePasswordChange stops the replication traffic, but not
the client traffic. Setting DisablePasswordChange to 1
on all client computers stops both client and replication traffic.