
Domain Controller: Refuse machine account password changes

Each member computer has a computer account in the domain guarded by a password. When a member computer needs to communicate with the domain controller for certain security operations like NTLM authentication and account lookups by SID, the computer establishes a “secure channel” to the domain controller with its computer account password as the basis.

Windows computers periodically change their account password, much as an end user does. NT computers change their password every 7 days. Windows 2000 and later computers change it every 30 days by default, but you can change this with “Domain Member: Maximum machine account password age”.

This domain-controller-level setting, if enabled, causes domain controllers to refuse password change attempts from member computers.

Bottom line

Don’t enable this setting unless you are experiencing problems with computers losing their trust/membership in the domain. Even then, this only treats the symptom; if you are having trust problems between member computers and the domain controller, something else is wrong.
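The following PowerShell is an added example, not part of the WinSecWiki page, that audits the underlying problem instead of masking it: it reads the Netlogon registry values that back this setting and “Domain Member: Maximum machine account password age”, then lists enabled computer accounts whose password has not rotated within the expected window. It assumes the ActiveDirectory module (RSAT) is available and that the script runs on a domain controller; the grace period of 7 days is a constructed threshold.

```powershell
# Added example (not the WinSecWiki page's own code). Assumes the ActiveDirectory
# module and that this runs on a domain controller.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-MachinePasswordPolicy {
    # RefusePasswordChange backs "Domain controller: Refuse machine account password changes".
    # MaximumPasswordAge (days) backs "Domain member: Maximum machine account password age"
    # for the computer it is read on; the Windows 2000+ default of 30 applies when absent.
    $p = Get-ItemProperty -Path $netlogon -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RefusePasswordChange = [bool]($p.RefusePasswordChange -eq 1)
        MaximumPasswordAge   = if ($p.MaximumPasswordAge) { [int]$p.MaximumPasswordAge } else { 30 }
    }
}

function Get-StaleMachineAccounts {
    param([int]$MaxAgeDays = 30, [int]$GraceDays = 7)   # GraceDays is a constructed threshold
    # A computer that still logs on but has not rotated its password well past
    # MaximumPasswordAge is the secure-channel/trust trouble to investigate, rather
    # than hiding it by refusing password changes on the domain controller.
    $cutoff = (Get-Date).AddDays(-($MaxAgeDays + $GraceDays))
    Get-ADComputer -Filter { Enabled -eq $true } -Properties PasswordLastSet, LastLogonDate |
        Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff } |
        Select-Object Name, PasswordLastSet, LastLogonDate,
            @{ n = 'PasswordAgeDays'; e = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } } |
        Sort-Object PasswordAgeDays -Descending
}

$policy = Get-MachinePasswordPolicy
if ($policy.RefusePasswordChange) {
    Write-Warning 'This domain controller refuses machine account password changes; members cannot rotate.'
}
Get-StaleMachineAccounts -MaxAgeDays $policy.MaximumPasswordAge | Format-Table -AutoSize
```

Computers in the output with a recent LastLogonDate but an old PasswordLastSet are the ones to examine for secure-channel problems; those with no recent logon are more likely decommissioned.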
