How to Disable Automatic Machine Account Password Changes

• Microsoft Windows NT Server versions 3.51 and 4.0
• Microsoft Windows NT Workstation versions 3.51 and 4.0

WARNING: Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to reinstall Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk.

SUMMARY

As a part of Windows NT security, machine account passwords are changed every seven days. This article describes how an administrator can disable automatic machine account password changes.

WARNING: By disabling machine account password changes, you are giving up some security because the secure channel is used for pass-through authentication. If someone discovers a password, he or she could potentially perform pass-through authentication to the domain controller.

MORE INFORMATION

You may want to disable weekly machine account password changes for any of the following reasons:

• You want to reduce replication occurrences. As a side effect of automatic machine account password changes, a domain with a large number of computers and domain controllers could cause replication to occur on a frequent basis. Disabling automatic machine account password changes reduces replication occurrences.
• You have two separate installations of Windows NT on the same computer in a dual-boot configuration. In this case, the only way to share the same machine account between the two installations of Windows NT is to use the default machine account password created when you join the domain.
• If you perform a clean installation of Windows NT often, you need an administrator on the domain who can create the machine account on the domain. If that is a problem, you can simply leave the password of the machine account as the default.

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\
   Parameters

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\
   Parameters

NOTE: After the first attempt to change the password, setting RefusePasswordChange to 1 prevents the workstation from further attempts to change the password (by returning a distinct status code), but the workstation will try again in one week. Setting RefusePasswordChange to 1 stops the replication traffic, but not the client traffic. Setting DisablePasswordChange to 1 stops both client and replication traffic.

By disabling automatic machine account password changes, you can set up two (or more) installations of Windows NT on the same computer using the same machine account. To do this, use the following steps:

1. Install Windows NT, and set up the computer as a workgroup member.

2. Disable the automatic machine account password changes by changing the registry key listed above.

3. Restart the computer.

4. Set up the machine account on the domain controller using Server Manager.

5. Join the domain using the Network tool in Control Panel.

6. Perform a second installation of Windows NT in a separate directory, and set up the computer as a workgroup member.

7. Repeat steps 2-3.