Joining a Windows NT machine to a Windows NT
domain creates a special trust relationship (a “secured channel”)
between the domain and the computer. The computer receives a
special computer account in the domain and a matching password. It
uses this combination to authenticate to the domain
controllers.

The operating system manages this password (not
the administrator), and it changes the password every seven days.
But problems can arise if the OS can’t change the password on your
computer. This can happen if you don’t connect your machine to the
network for seven days.

For example, say you take your laptop with you
on a 14-day business trip. When you come back, you won’t be able to
log in because your computer didn’t receive the new password.

If your computer doesn’t receive the new
password, follow these steps:

  1. Remove the computer account from the domain,
    and resync the domain.
  2. Remove the computer from the domain.
  3. Restart the computer, and add it to the
    domain again.

You can also disable the automatic password
changes. You have three options: from the client side, from the
server side, or from both.


Get the TR Blog Roundup

Find out who’s offering the best advice, the quirkiest comments, and the most compelling life stories every week with TechRepublic’s Blog Roundup. Click here to automatically sign up to receive it every Wednesday.

Use tags to find blog posts about Windows and security.


To disable automatic password changes on the
client side, open the Registry Editor by going to Start | Run and
typing regedt32.exe. Navigate to the following key:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Change the DisablePasswordChange registry entry
to 1. You must make this change on each computer where you want to
prevent automatic password changes.

To prevent automatic password changes on the
server side, open the Registry Editor, and navigate to the same
key. Change the RefusePasswordChange registry entry to 1 on all
domain controllers in the domain. Make the change to the backup
domain controllers first and then to the primary domain
controller.

Note: Editing the registry
is risky, so be sure you have a verified backup before making any
changes.