Machine Account Password Changes


Machine account passwords are changed every seven days automatically. Do not
disable this behavior if security is important in your organization. By
disabling machine account password changes, you are giving up some security
because this secure channel is used for pass-through authentication. Apply the
following change to each BDC and then the PDC (order is critical). This change
refuses password change requests from Windows NT Workstations (or Windows NT
Member Servers) running Windows NT version 4.0 or later.

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Netlogon

Name: RefusePasswordChange
Type: REG_DWORD
Value: 1

After the first attempt to change the password, setting RefusePasswordChange prevents the workstation from further attempts to change the password (by returning a distinct status code), but the workstation will try again in one week. Setting RefusePasswordChange stops the replication traffic, but not the client traffic. Setting DisablePasswordChange to 1 on all client computers stops both client and replication traffic.

Hacking Exposed – Second Edition
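An audit check for the two settings described above, added here as an example and not taken from the original page: it parses `reg query` output collected from each host and reports machines where machine account password changes are refused or disabled. The host names, sample output and function names are constructed for illustration.

```python
import re

# Constructed sample: `reg query` output for the Netlogon key, one entry per host.
# Host names and values are invented for illustration.
SAMPLE_OUTPUT = {
    "PDC01": (
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\n"
        "    RefusePasswordChange    REG_DWORD    0x1\n"
    ),
    "WKS07": (
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\n"
        "    DisablePasswordChange    REG_DWORD    0x1\n"
    ),
    "WKS08": (
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\n"
        "    DisablePasswordChange    REG_DWORD    0x0\n"
    ),
}

# A value line looks like: <indent><name><spaces>REG_DWORD<spaces>0x<hex>
DWORD_LINE = re.compile(
    r"^[ \t]+(\S+)[ \t]+REG_DWORD[ \t]+0x([0-9a-fA-F]+)[ \t]*$", re.MULTILINE
)


def parse_dwords(reg_output):
    """Map each REG_DWORD value name (lower-cased) to its integer data."""
    return {name.lower(): int(data, 16) for name, data in DWORD_LINE.findall(reg_output)}


def rotation_findings(reg_output):
    """Return findings for settings that stop machine account password changes."""
    values = parse_dwords(reg_output)
    findings = []
    if values.get("refusepasswordchange") == 1:
        findings.append("RefusePasswordChange=1: controller refuses password change requests")
    if values.get("disablepasswordchange") == 1:
        findings.append("DisablePasswordChange=1: host no longer changes its machine password")
    return findings


def audit(outputs):
    """Return {host: findings} for hosts with at least one finding."""
    report = {host: rotation_findings(text) for host, text in outputs.items()}
    return {host: found for host, found in report.items() if found}


if __name__ == "__main__":
    for host, found in sorted(audit(SAMPLE_OUTPUT).items()):
        for line in found:
            print(f"{host}: {line}")
```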
