Networking

Change computer account passwords in Windows NT

Learn three ways you can disable the automatic password changes on your Windows NT machine.

Joining a Windows NT machine to a Windows NT domain creates a special trust relationship (a "secured channel") between the domain and the computer. The computer receives a special computer account in the domain and a matching password. It uses this combination to authenticate to the domain controllers.

The operating system manages this password (not the administrator), and it changes the password every seven days. But problems can arise if the OS can't change the password on your computer. This can happen if you don't connect your machine to the network for seven days.

For example, say you take your laptop with you on a 14-day business trip. When you come back, you won't be able to log in because your computer didn't receive the new password.

If your computer doesn't receive the new password, follow these steps:

  1. Remove the computer account from the domain, and resync the domain.
  2. Remove the computer from the domain.
  3. Restart the computer, and add it to the domain again.

You can also disable the automatic password changes. You have three options: from the client side, from the server side, or from both.


Get the TR Blog Roundup

Find out who's offering the best advice, the quirkiest comments, and the most compelling life stories every week with TechRepublic's Blog Roundup. Click here to automatically sign up to receive it every Wednesday.

Use tags to find blog posts about Windows and security.


To disable automatic password changes on the client side, open the Registry Editor by going to Start | Run and typing regedt32.exe. Navigate to the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Change the DisablePasswordChange registry entry to 1. You must make this change on each computer where you want to prevent automatic password changes.

To prevent automatic password changes on the server side, open the Registry Editor, and navigate to the same key. Change the RefusePasswordChange registry entry to 1 on all domain controllers in the domain. Make the change to the backup domain controllers first and then to the primary domain controller.

Note: Editing the registry is risky, so be sure you have a verified backup before making any changes.

Editor's Picks

Free Newsletters, In your Inbox