Disable Secure Channel Password and Trust Password Changes

When a PC joins a Windows NT domain, a password is created for the PC to
authenicate itself to the domain. The password and communication is called a
secure channel. This password is changed every 7 days
for NT and every 30 days for NT2000. We have had occasional problems with
Windows NT member servers losing their secure channel. The PDC will disable the
secure channel if the PC misses the change period twice.

When a trust is set up between Windows NT domains, a trust
is setup with the Trusting domain using a password and the
Trusted domain has the trust password in its SAM. Both trust passwords and
secure channel passwords can and do get out of synch. When this happens for
trusts, the ability to authenication trusted users fails. When this happens to
member servers, the domain netlogon service gets disabled and one can only login
with a local account and access to resources fail due to failed authenication
channel. These secret password problems can be resolved by Netdom .

If these problems become frequent due to network instabilities, you can make
the passwords static, that is disable the periodic changes. To disable password
changes apply to domain controller ( trusted ):

Key: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Name: RefusePasswordChange

Value: 1

You can also extend the number of days between changes by
applying to domain controllers and workstations (sounds like a LOT of work):

Key: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Name: MaximumPasswordAge

Value: #days
up to 1,000,000

Related articles:
Effects of
Machine Account Replication on a Domain

Channel Manipulation with TCP/IP

Trust Account Passwords

IF you do a search on Microsoft, there are many articles on secure channels
and trust passwords.

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top