WinSecWiki > Security Settings > Local Policies > Security Options > Domain Controller > Refuse machine account password changes

Domain Controller: Refuse machine account password changes

Each member computer has a computer account in the domain guarded by a password. When a member computer needs to communicate with the domain controller for certain security operations like NTLM authentication and account lookups by SID, the computer establishes a “secure channel” to the domain controller with its computer account password as the basis.

Windows computers periodically change account password similar to an end user. NT computers change their password every 7 days. Windows 2000 and later computers change it every 30 days by default but you can change this with “Domain Member: Maximum machine account password age”.

This domain controller level setting, if enabled, causes domain controllers to refuse password change attempts from member computers.

Bottom line

Don’t enable this setting unless you are experience problems with computer’s losing their trust/membership in the domain. Even then, this just treats the symptom; if you are having trust problems between member computers and the domain controller there’s something else wrong.

Upcoming Webinars

Additional Resources

Domain Controller

•	Allow server operators to schedule tasks
•	LDAP server signing requirements
•	Refuse machine account password changes

User name:
Password:
	/ Forgot?
	Register

July 2024 Patch Tuesday	"Patch Tuesday - Four Zero Days " - sponsored by Supercharger for Windows Event Collection

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.