WinSecWiki > Security Settings > Local Policies > Security Options > Domain Member > Maximum machine account password age

Domain Member: Maximum machine account password age

Each member computer has a computer account in the domain guarded by a password. When a member computer needs to communicate with the domain controller for certain security operations like NTLM authentication and account lookups by SID, the computer establishes a “secure channel” to the domain controller with its computer account password as the basis.

Windows computers periodically change account password similar to an end user. NT computers change their password every 7 days. Windows 2000 and later computers change it every 30 days by default but with this setting you can specify a different interval.

Bottom line

There’s no reason to configure this setting unless you need to lengthen the password change interval to reduce domain controller replication load.

Upcoming Webinars

Additional Resources

Domain Member

•	Digitally encrypt or sign secure channel data (always)
•	Digitally encrypt secure channel data (when possible)
•	Digitally sign secure channel data (when possible)
•	Disable machine account password changes
•	Maximum machine account password age
•	Require strong (Windows 2000 or later) session key

User name:
Password:
	/ Forgot?
	Register

April 2025 Patch Tuesday	"Patch Tuesday - One Zero Day! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2025 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.