Domain Member: Disable machine account password changes

Each member computer has a computer account in the domain guarded by a password. When a member computer needs to communicate with the domain controller for certain security operations like NTLM authentication and account lookups by SID, the computer establishes a “secure channel” to the domain controller with its computer account password as the basis.

Windows computers periodically change their account password, much as an end user does. NT computers change their password every 7 days. Windows 2000 and later computers change it every 30 days by default, but you can change this with “Domain Member: Maximum machine account password age”.

This setting, if enabled, stops this computer from going about its normal, periodic password change cycle. 

Bottom line

Don’t enable this setting unless you are experiencing problems with this computer losing its trust/membership in the domain. Even then, this just treats the symptom; if you are having trust problems between member computers and the domain controller, there’s something else wrong.
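
To check how a member computer is currently configured, the following added example (not part of the original wiki page) reads the effective values of this setting and of the maximum password age, then tests the secure channel. It assumes the standard Netlogon registry values `DisablePasswordChange` and `MaximumPasswordAge`, which the page does not name, and must run in an elevated PowerShell session on the member computer.

```powershell
# Added example: audit the machine account password settings on this computer.
# The registry value names are the standard Netlogon parameters (an assumption;
# the page itself names only the policy settings).
$path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$params = Get-ItemProperty -Path $path -ErrorAction Stop

# A missing value means the default applies: changes enabled, 30-day maximum age.
$disabled = ($params.PSObject.Properties.Name -contains 'DisablePasswordChange') -and
            ($params.DisablePasswordChange -eq 1)
$maxAge   = if ($params.PSObject.Properties.Name -contains 'MaximumPasswordAge') {
                [int]$params.MaximumPasswordAge
            } else { 30 }

# Only a domain member has a secure channel to test.
$inDomain  = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
$channelOk = $null
if ($inDomain) {
    # Returns $true when the secure channel to a domain controller is intact.
    $channelOk = try { Test-ComputerSecureChannel -ErrorAction Stop } catch { $false }
}

[pscustomobject]@{
    ComputerName           = $env:COMPUTERNAME
    DomainMember           = $inDomain
    PasswordChangeDisabled = $disabled
    MaximumPasswordAgeDays = $maxAge
    SecureChannelHealthy   = $channelOk
} | Format-List

if ($disabled) {
    Write-Warning 'Machine account password changes are disabled; the password will never rotate.'
}
if ($inDomain -and -not $channelOk) {
    Write-Warning 'Secure channel test failed; investigate the cause rather than disabling password changes.'
}
```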
