9/19/2007 -- When a trust relationship is created between domains, a password is used to create the trust. This password is periodically changed on both sides for security reasons.
Similarly, when workstations join a domain, they establish a secure channel with the domain controller. Both sides use a password to create this channel and then automatically change this password every seven days on NT workstations and every 30 days on Windows 2000 and Windows XP workstations.
The passwords can sometimes get out of synch under certain situations, such as when workstations get turned off for an extended period of time.
If you want to disable password change, you'll need to modify the registry. Here's the procedure:
- Start the registry editor, regedit.exe.
- Go to HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
- In the right-hand pane, double-click DisablePasswordChange and set the Value data to decimal 1.
If you would like to change the maximum password age (default is 30 days on Win2K and WinXP), you can modify the parameter MaximumPasswordAge in the same registry location as described above in Step 2. This value exists by default on Win2K and WinXP clients. On NT4 clients, it only exists if you are using SP4 or later.
If the value doesn't exist, you can add a new DWORD value called MaximumPasswordAge and then set it to 1. The valid range for this value is between 1 and 1,000,000.
|