Each member of a domain has a machine account password that automatically changes every 30 days for Windows 2000 and later OSs and every seven days for Windows NT-based computers. This time interval of password change for Windows XP and later versions can be configured via Group Policy, if needed, at the Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options branch. Three settings in particular are of interest:
- Domain Member: Disable machine account password changes (DisablePasswordChange)
- Domain Member: Maximum machine account password age (MaximumPasswordAge)
- Domain Controller: Refuse machine account password changes (RefusePasswordChange), as the figure shows. Machines that fail to change their passwords after 60 days can no longer communicate with the domain.