Configuring Win2K Machine Passwords

How can I influence machine password-related change behavior in a Windows 2000 environment?

In a Windows domain environment, machine security principals have passwords, just as user security principals do. Administrators often forget this because a machine's password cannot be addressed directly from the Windows GUI; most machine password maintenance happens automatically, without administrator intervention. Win2K changes machine passwords automatically every 30 days. Unlike user passwords, you can't reset a machine's password from the Windows GUI. However, you can use the Netdom command-line tool with the /resetpwd switch (Netdom ships with the Win2K Support Tools) to force a machine password change. When you use Netdom, Win2K writes a copy of the new password to the Local Security Authority (LSA) database and to the domain credential database in Active Directory (AD).

Win2K also includes several Group Policy Object (GPO) settings you can use to change the machine password update behavior. Table 1 lists the GPO settings and corresponding registry hacks. All registry subkeys are in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters subkey. You can either use the GPO setting or change the registry setting manually.

One of the registry hacks lets you disable machine password changes. From a security point of view, disabling password changes is a bad idea: a machine password that never rotates makes the machine more vulnerable to intruder attacks.
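As an added example (not part of the original article), the following PowerShell audits the Netlogon machine-password settings the article describes and shows the hardened value next to the weak one. It assumes a current Windows host (PowerShell did not exist on Win2K, but the registry path is unchanged), and the value names DisablePasswordChange and MaximumPasswordAge are the documented registry equivalents of the two GPO settings, not values taken from the article's Table 1, which is not reproduced on this page.

```powershell
# Added example: audit the machine-password settings under the Netlogon\Parameters key.
# DisablePasswordChange and MaximumPasswordAge are Microsoft's documented registry names for
# the GPO settings "Disable machine account password changes" and
# "Maximum machine account password age"; they are not taken from the article itself.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Test-MachinePasswordPolicy {
    param(
        [Parameter(Mandatory)] [hashtable] $Values   # value name -> DWORD, as read from the key
    )
    $findings = @()
    # DisablePasswordChange = 1 stops the machine from ever rotating its password.
    if ($Values['DisablePasswordChange'] -eq 1) {
        $findings += 'DisablePasswordChange=1: machine password rotation is disabled; set it to 0'
    }
    # MaximumPasswordAge is in days; when absent, Windows uses the 30-day default.
    $age = if ($Values.ContainsKey('MaximumPasswordAge')) { $Values['MaximumPasswordAge'] } else { 30 }
    if ($age -gt 30) {
        $findings += "MaximumPasswordAge=$age days exceeds the 30-day default; set it to 30 or lower"
    }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

function Get-NetlogonPasswordValues {
    # Reads the live key; values that are not set are simply omitted from the result.
    $props = Get-ItemProperty -Path $NetlogonKey -ErrorAction Stop
    $h = @{}
    foreach ($name in 'DisablePasswordChange', 'MaximumPasswordAge') {
        if ($null -ne $props.$name) { $h[$name] = [int]$props.$name }
    }
    return $h
}

# Constructed sample: the weak configuration the article warns against.
$weak = @{ DisablePasswordChange = 1; MaximumPasswordAge = 90 }
Test-MachinePasswordPolicy -Values $weak | Format-List

# Live check on this host; if it fails, restore the default (hardened) values.
$live = Test-MachinePasswordPolicy -Values (Get-NetlogonPasswordValues)
if (-not $live.Compliant) {
    $live.Findings | ForEach-Object { Write-Warning $_ }
    # Re-enable rotation at the 30-day default; requires administrative rights.
    Set-ItemProperty -Path $NetlogonKey -Name DisablePasswordChange -Value 0 -Type DWord
    Set-ItemProperty -Path $NetlogonKey -Name MaximumPasswordAge -Value 30 -Type DWord
}
```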
