How To Prevent Users from Changing a Password Except When Required in Windows Server 2003 (324744)
The information in this article applies to:
- Microsoft Windows Server 2003, Datacenter Edition
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Standard Edition
- Microsoft Windows Server 2003, 64-Bit Datacenter Edition
- Microsoft Windows Server 2003, 64-Bit Enterprise Edition
- Microsoft Windows Small Business Server 2003, Standard Edition
- Microsoft Windows Small Business Server 2003, Premium Edition
This article was previously published under Q324744
IMPORTANT: This article contains information about modifying the registry.
Before you modify the registry, make sure to back it up and make sure that you
understand how to restore the registry if a problem occurs. For information
about how to back up, restore, and edit the registry, click the following
article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
For a Microsoft Windows 2000 version of this article, see 309799.
SUMMARY
This step-by-step article describes how to prevent users
from changing their passwords except when they are required to do so.
Centralized control of user passwords is a cornerstone of a
well-crafted Windows security scheme. You can use Group Policy to set minimum
and maximum password ages. A minimum password age prevents users from changing
passwords too frequently. Users can use frequent password changes to
circumvent a password-history setting. Frequent changes may also lead to more
calls to the help desk because of forgotten passwords.
How to Configure the System to Prevent Users from Changing Passwords Unless Prompted
Users can change their passwords during the period between the
minimum and maximum password age settings. Your security design may require
that users change their passwords only when they are prompted by the operating
system at the maximum password age. You can configure Windows to permit users
to change their passwords only when the operating system prompts them to do so.
To prevent users from changing their passwords (except when required), disable
the Change Password option in the Windows Security dialog box that appears when you press CTRL+ALT+DELETE.
You can implement this configuration for a whole domain by using a Group
Policy, or you can implement this configuration for one or more specific users
by editing the registry.
How to Configure a Site, Domain, or Organizational Unit to Prevent Users from Changing Passwords Unless Prompted
- Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
- Right-click the domain or organizational unit for which you
want to implement the new password change policy, and then click Properties.
- Click the Group Policy tab.
- Click the Group Policy object (GPO) that you want to work
with, and then click Edit. If there are no existing policies listed in the Group
Policy Object Links list, click New to create a new policy, type a name for the new policy, and then
click Edit.
- Expand the GPO, expand User Configuration, expand Administrative Templates, and then expand System.
- Click Ctrl+Alt+Del Options.
- In the right pane, double-click Remove Change Password.
- Click Enabled, and then click OK.
- Quit the Group Policy Object Editor snap-in, click OK, and then quit the Active Directory Users and Computers snap-in.
- Click Start, and then click Run.
- Type cmd in the Open box, and then click OK.
- At the command prompt, type the following line, and then press ENTER:
gpupdate /target:user /force
- Type exit to close the command prompt.
NOTE: By default, policies that are applied to either users or
computers at the domain level will apply to all users and all computers in the
domain. By default, a policy that is applied to an organizational unit
applies to all user accounts and computer accounts that reside in that
organizational unit, and to any child organizational units. A user
account must either be moved into, or be created in, that organizational unit
for the policy to apply to it. Adding a security group that the user is a
member of to the organizational unit does not apply the policy to that user.
How to Disable the Change Password Option for One or More Specific Users
The following procedure must be performed on the user's computer.
WARNING: If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system. Microsoft
cannot guarantee that you can solve problems that result from using Registry
Editor incorrectly. Use Registry Editor at your own risk.
- Click Start, and then click Run.
- Type regedit in the Open box, and then click OK.
- Locate the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
- Click the System subkey, if it exists. If the key does not exist, create it. To do this:
  - Click the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies key.
  - On the Edit menu, point to New, and then click Key.
  - Name the new key System. To do this, type System, and then press ENTER.
  - Click the System key that you created.
- On the Edit menu, point to New, and then click DWORD Value.
- Name the new value DisableChangePassword. To do this, type DisableChangePassword, and then press ENTER.
- Double-click the DisableChangePassword value that you created. Type 1 in the
Value data box, and then click OK.
- Quit Registry Editor.
- Press CTRL+ALT+DELETE, and then verify that the Change Password option is unavailable (appears dimmed) in the Windows Security dialog box that appears.
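The Registry Editor steps above, scripted for the current user. This is an added example, not part of the original article; it assumes Windows PowerShell is installed and that the session runs as the affected user with write access to the Policies key. The function names are hypothetical.

```powershell
# Added example (not from the original article). Sets the per-user value
# DisableChangePassword = 1 under the Policies\System key named in the steps.
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'DisableChangePassword'

function Get-DisableChangePassword {
    # Returns the current DWORD, or $null when the System key or the value is absent.
    if (-not (Test-Path -Path $PolicyKey)) { return $null }
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Set-DisableChangePassword {
    $before = Get-DisableChangePassword
    if ($before -eq 1) {
        # Already configured; leave the registry untouched.
        Write-Output "$ValueName is already 1. No change made."
        return
    }

    # Create the System subkey only when it does not exist (the "create it" branch).
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey | Out-Null
    }

    # -Force overwrites an existing value of the same name.
    New-ItemProperty -Path $PolicyKey -Name $ValueName `
        -PropertyType DWord -Value 1 -Force | Out-Null

    # Read the value back so a failed or redirected write is not reported as success.
    $after = Get-DisableChangePassword
    if ($after -ne 1) {
        throw "Write did not persist: $ValueName reads back as '$after'."
    }

    if ($null -eq $before) { $before = '(not set)' }
    Write-Output "$ValueName changed from $before to 1."
}

Set-DisableChangePassword
```

Pressing CTRL+ALT+DELETE afterwards, as in the last step, remains the check that the option is dimmed for that user.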
REFERENCES
For more information about working with Group Policy in
Windows Server 2003, see Group Policy Help. To do this, click Help on the Action menu in the Group Policy Object Editor snap-in, click the Contents tab, and then click Group Policy.
Modification Type: Minor | Last Reviewed: 7/15/2004
Keywords: kbMgmtServices kbenv kbhowto kbHOWTOmaster kbui KB324744 kbAudITPro