This security setting determines whether domain controllers will refuse requests from member computers to change computer account passwords. By default, member computers change their computer account passwords every 30 days. If enabled, the domain controller will refuse computer account password change requests. If it is enabled, this setting does not allow a domain controller to accept any changes to a computer account's password. Default: This policy is not defined, which means that the system treats it as Disabled. Vulnerability: If you enable this policy setting on all domain controllers in a domain, domain members will not be able to change their computer account passwords, and those passwords will be more susceptible to attack. Counter Measure: Disable the Domain controller: Refuse machine account password changes setting. Potential Impact: None. This is the default configuration. Fix: (1) GPO: Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity OptionsDomain controller: Refuse machine account password changes (2) REG: HKEY_LOCAL_MACHINESystemCurrentControlSetServicesNetlogonParameters!RefusePasswordChange

[enable/disable]

(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain controller: Refuse machine account password changes (2) REG: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters!RefusePasswordChange