JSI Tip 1710. Machine account password replication.

Every 7 days, a Windows NT Workstation that is part of a domain changes its secure channel (machine account) password and sends the new password to a domain controller.

Prior to SP4, this change was replicated to the other domain controllers immediately. Starting with SP4, replication waits for the next replication pulse.

With 1,000 workstations, a computer account password changes roughly every 10 minutes on average:

7 days x 24 hours x 60 minutes / 1000 workstations = about 10 minutes

A registry entry allows you to configure the password change interval on a Workstation or BDC. Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters

Add a Value named MaximumPasswordAge of type REG_DWORD. In the DWORD Editor, select the Decimal radix and enter the number of days. The default is 7 and the range is 1 to 1,000,000.

You can also disable the password change entirely by adding a Value named DisablePasswordChange, also of type REG_DWORD, and setting it to 1.

You can also make the PDC refuse machine account password changes by navigating to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters

Add a Value named RefusePasswordChange, of type REG_DWORD, and set it to 1.

NOTE: In Windows 2000, the default is 30 days.
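The following PowerShell script is an added example, not part of the original tip, that reads the three Netlogon values described above and applies the MaximumPasswordAge setting with the tip's stated range enforced. The registry path and value names are the ones the tip gives; the function names Get-NetlogonPasswordPolicy, Test-NetlogonPasswordPolicy and Set-NetlogonPasswordAge are this example's own. It assumes a Windows version with PowerShell and the same Netlogon\Parameters key (these values still exist on current Windows, where they correspond to the "Domain member" and "Domain controller" machine account password security options).

```powershell
# Added example (not from the JSI tip). Audit and set the Netlogon machine
# account password parameters: MaximumPasswordAge, DisablePasswordChange,
# RefusePasswordChange. Run in an elevated PowerShell session.

$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-NetlogonPasswordPolicy {
    # Returns the current values; a missing value means the built-in default applies.
    $props = Get-ItemProperty -Path $NetlogonKey -ErrorAction Stop
    [pscustomobject]@{
        MaximumPasswordAgeDays = if ($null -ne $props.MaximumPasswordAge) { [int]$props.MaximumPasswordAge } else { $null }
        DisablePasswordChange  = [bool]$props.DisablePasswordChange
        RefusePasswordChange   = [bool]$props.RefusePasswordChange
    }
}

function Test-NetlogonPasswordPolicy {
    # Flags settings that stop the machine account password from rotating, since a
    # password that never changes is exactly what a stolen machine secret relies on.
    param([Parameter(Mandatory)]$Policy)
    $findings = @()
    if ($Policy.DisablePasswordChange) {
        $findings += 'DisablePasswordChange=1: this machine never rotates its secure channel password.'
    }
    if ($Policy.RefusePasswordChange) {
        $findings += 'RefusePasswordChange=1: this DC rejects password changes from domain members.'
    }
    if ($null -ne $Policy.MaximumPasswordAgeDays -and $Policy.MaximumPasswordAgeDays -gt 30) {
        $findings += "MaximumPasswordAge=$($Policy.MaximumPasswordAgeDays) days exceeds the Windows 2000 default of 30."
    }
    return $findings
}

function Set-NetlogonPasswordAge {
    # Writes MaximumPasswordAge as a REG_DWORD in decimal days; the tip's range is 1..1,000,000.
    param([Parameter(Mandatory)][ValidateRange(1, 1000000)][int]$Days)
    New-ItemProperty -Path $NetlogonKey -Name 'MaximumPasswordAge' -PropertyType DWord -Value $Days -Force | Out-Null
}

# Usage: audit first, then (optionally) change the interval.
$policy = Get-NetlogonPasswordPolicy
$policy | Format-List
Test-NetlogonPasswordPolicy -Policy $policy | ForEach-Object { Write-Warning $_ }
# Set-NetlogonPasswordAge -Days 30   # uncomment to apply the Windows 2000 default
```

Leaving MaximumPasswordAge unset keeps the operating system default (7 days on NT 4.0, 30 on Windows 2000), so the audit reports $null for that field rather than inventing a number; the three findings are the settings a domain administrator would want to justify before deploying them, because each one lengthens or removes the rotation of a credential that every domain member relies on for its secure channel.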
