Disable Secure Channel Password and Trust Password Changes


When a PC joins a Windows NT domain, a password is created for the PC to
authenticate itself to the domain. The password and the communication it
protects are called a secure channel. This password is changed every 7 days
for NT and every 30 days for NT2000. We have had occasional problems with
Windows NT member servers losing their secure channel. The PDC will disable the
secure channel if the PC misses the change period twice.

When a trust is set up between Windows NT domains, a trust password is set up
with the Trusting domain, and the Trusted domain has the trust password in its
SAM. Both trust passwords and secure channel passwords can and do get out of
sync. When this happens for trusts, the ability to authenticate trusted users
fails. When this happens to member servers, the domain netlogon service gets
disabled, one can only log in with a local account, and access to resources
fails because the authentication channel has failed. These secret password
problems can be resolved with Netdom.

If these problems become frequent due to network instabilities, you can make
the passwords static, that is, disable the periodic changes. To disable password
changes, apply the following to the domain controller (trusted):

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Name: RefusePasswordChange

Type: REG_DWORD
Value: 1


You can also extend the number of days between changes by applying the
following to domain controllers and workstations (sounds like a LOT of work):

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Name: MaximumPasswordAge

Type: REG_DWORD
Value: number of days, up to 1,000,000
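
To keep track of which machines carry these overrides, the following PowerShell audit reads both values and reports whether password changes are disabled or stretched. It is an added example, not part of the original article; the function name and the 30-day review threshold are assumptions.

```powershell
# Added audit example; key and value names are the ones given in the article.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-NetlogonPasswordAudit {
    param(
        [string]$Path = $NetlogonKey,
        [int]$ReviewAboveDays = 30   # assumed review threshold; set to your policy
    )
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue

    foreach ($name in 'RefusePasswordChange', 'MaximumPasswordAge') {
        $prop   = if ($props) { $props.PSObject.Properties[$name] } else { $null }
        $value  = if ($prop) { [int64]$prop.Value } else { $null }
        $status = 'NotSet'
        $note   = 'Value absent; no override is configured here'

        if ($null -ne $value -and $name -eq 'RefusePasswordChange') {
            if ($value -eq 1) {
                $status = 'Static'
                $note   = 'Periodic password changes are disabled'
            } else {
                $status = 'Rotating'
                $note   = 'Password changes are not refused'
            }
        } elseif ($null -ne $value) {
            if ($value -gt $ReviewAboveDays) {
                $status = 'Review'
                $note   = "Change interval is $value days, above $ReviewAboveDays"
            } else {
                $status = 'OK'
                $note   = "Change interval is $value days"
            }
        }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Name     = $name
            Value    = $value
            Status   = $status
            Note     = $note
        }
    }
}

# Report on the local machine; run it remotely with your usual tooling.
Get-NetlogonPasswordAudit | Format-Table -AutoSize
```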



Related articles:
Effects of Machine Account Replication on a Domain
Secure Channel Manipulation with TCP/IP
Inter-Domain Trust Account Passwords


If you do a search on Microsoft, there are many articles on secure channels
and trust passwords.
