Domain member: Disable machine account password changes

Information

Domain member: Disable machine account password changes

Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days.

Default: Disabled.

Notes

This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it is established, the secure channel is used to transmit sensitive information that is necessary for making authentication and authorization decisions.
This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names.

Solution

Policy Path: Security Options
Policy Setting Name: Domain member: Disable machine account password changes

See Also

https://blogs.technet.microsoft.com/secguide/2018/04/30/security-baseline-for-windows-10-april-2018-update-v1803-final/

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5g., CSCv6|16

Plugin: Windows

Control ID: bb41adec5eee62d93556ae2ed737e955d2b90e5ea2248e40135b30c4bcbab608