Effects of machine account replication on a domain (175468)
The information in this article applies to:
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Server 4.0 Terminal Server Edition
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Professional
- Microsoft Windows XP Professional
- Microsoft Windows XP Professional 64-Bit Edition (Itanium)
- Microsoft Windows Server 2003, Web Edition
- Microsoft Windows Server 2003, Standard Edition
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Datacenter Edition
- Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
- Microsoft Windows Server 2003, Datacenter Edition for Itanium-based Systems
This article was previously published under Q175468.

Important: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry

SYMPTOMS
For each Windows computer that is a member of a domain, there is a discrete communication channel with a domain controller.
Note: An example of a discrete communication channel is the security channel.
The security channel's password is stored together with the computer account on the primary domain controller (PDC), and is replicated to all backup domain controllers (BDCs). The password is also stored in the LSA secret $MACHINE.ACC of the workstation. Each workstation owns such secret data.
Every seven days, the workstation sends a security channel password change and the computer account password is updated. If the primary domain controller (PDC) is running Windows NT 4.0 Service Pack 3 or earlier, the computer account password changes are marked as "Announce Immediate" and every time a computer account password is modified, a replication occurs immediately. If the PDC is running Windows NT 4.0 Service Pack 4 or a later version, the computer account is replicated during the next replication pulse.
For Windows 2000, Windows XP and Windows Server 2003, the default computer account password change is 30 days.
RESOLUTION

Windows NT 4.0

To resolve this problem, obtain the latest service pack for Windows NT 4.0 or Windows NT Server 4.0, Terminal Server Edition. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
152734 How to Obtain the Latest Windows NT 4.0 Service Pack
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
There are two workarounds for this issue.
Method 1
To work around this issue, add the following registry parameter on
all Windows NT workstations:
Key = HLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
Value = DisablePasswordChange REG_DWORD 1
Default = 0
This prevents workstations from changing their passwords. You can add this registry value after joining the domain and restarting, so that the computer account password has been changed at least once to a random value that is known only to the system.
Method 2
To work around this issue, refuse password changes at the domain controller level. To do this, add the following registry value on all domain controllers:
Key = HLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
Value = RefusePasswordChange REG_DWORD 1
Default = 0
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
154501 How to disable automatic machine account password changes
Windows XP and Windows Server 2003

In Microsoft Windows XP and later versions, machine account password settings can also be configured by using Group Policy Editor (Gpedit.msc). To configure these settings, follow these steps:
- Click Start, click Run, type Gpedit.msc, and then press ENTER.
- Expand Local Computer Policy, expand Windows Settings, expand Security Settings, expand Local Policies, and then expand Security Options.
- Configure the following settings:
- Domain Member: Disable machine account password changes (DisablePasswordChange)
- Domain Member: Maximum machine account password age (MaximumPasswordAge)
- Domain Controller: Refuse machine account password changes (RefusePasswordChange)
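The following PowerShell audit script is an added example, not part of this article. It reads the three NetLogon parameters named in Method 1, Method 2 and the Group Policy settings above and reports the effective machine account password policy, treating an absent value as its default. It assumes "HLM" in the article means HKEY_LOCAL_MACHINE, a modern PowerShell (3.0 or later), and the defaults stated in the article (DisablePasswordChange=0, RefusePasswordChange=0, maximum age 30 days).

```powershell
# Added audit script (not from the KB article). Reads the NetLogon parameters
# and reports whether machine account password rotation is disabled or refused.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'   # assumes HLM = HKEY_LOCAL_MACHINE

function Get-NetlogonDword {
    param([string]$Name, [int]$Default)
    # A missing value means the default applies; the error is suppressed on purpose.
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

$disable = Get-NetlogonDword -Name 'DisablePasswordChange' -Default 0
$refuse  = Get-NetlogonDword -Name 'RefusePasswordChange'  -Default 0
$maxAge  = Get-NetlogonDword -Name 'MaximumPasswordAge'    -Default 30   # days (article default)

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
$isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

[pscustomobject]@{
    ComputerName          = $env:COMPUTERNAME
    IsDomainController    = $isDc
    DisablePasswordChange = $disable
    RefusePasswordChange  = $refuse
    MaximumPasswordAgeDays = $maxAge
}

# Flag configurations where the machine account password is never rotated.
if ($disable -eq 1) {
    Write-Warning 'Machine account password changes are disabled on this host (DisablePasswordChange=1).'
}
if ($isDc -and $refuse -eq 1) {
    Write-Warning 'This domain controller refuses machine account password changes (RefusePasswordChange=1).'
}

# On a member computer, confirm the secure channel to the domain is still healthy.
if (-not $isDc -and (Get-Command Test-ComputerSecureChannel -ErrorAction SilentlyContinue)) {
    if (Test-ComputerSecureChannel) { 'Secure channel to the domain is OK' }
    else { Write-Warning 'Secure channel to the domain is broken; consider Test-ComputerSecureChannel -Repair' }
}
```

Run the script in an elevated session on each workstation and domain controller you want to audit; it only reads the registry and does not change any setting.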
STATUS

Microsoft has confirmed that this is a problem in Windows NT 4.0 and Windows NT Server 4.0, Terminal Server Edition. This problem was first corrected in Windows NT 4.0 Service Pack 4.0 and Windows NT Server 4.0, Terminal Server Edition Service Pack 4.
Modification Type: Minor
Last Reviewed: 9/23/2005
Keywords: kbHotfixServer kbQFE kbbug kbfix KB175468