HOW TO: Prevent Users From Changing a Password Except When Required in Windows 2000

Article translations Article translations
Article ID: 309799 - View products that this article applies to.
This article was previously published under Q309799
Expand all | Collapse all

On This Page

SUMMARY

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows

This step-by-step article describes how to prevent users from changing their password except when they are required to do so. Centralized control of user passwords is a cornerstone of a well-crafted Windows 2000 Security scheme. You can use a Windows 2000 Group Policy to set minimum and maximum password ages. A minimum password age prevents users from changing passwords too frequently. Frequent password changes can be used by users to circumvent a password-history setting and lead to more calls to the help desk because of forgotten passwords.

How to Configure a System Prompt Requirement to Change Passwords

Users can change their password during the time period between the minimum and maximum password ages. Your security design may require that users only change their passwords when they are prompted by the operating system at the maximum password age. You can configure Windows 2000 to allow users to change their passwords only when the operating system prompts them to do so.

You can implement this configuration for an entire domain by using a Group Policy or you can implement this configuration for one or more specific users by using the registry.

How to Configure a Site, Domain, or Organizational Unit to Require a System Prompt to Change Passwords

  1. Start the Active Directory Users and Computers snap-in by using the Microsoft Management Console (MMC). To do so, click Start, click Run, type mmc, and then click OK. On the File menu, click Add/Remove Snap-in, click Add, click Active Directory Users and Computers, click Add, click Close, and then click OK. The snap-in should now be visible in the left pane of your console.
  2. Expand the snap-in, and right-click the domain or organizational unit for which you want to implement the new password change policy, and then click Properties.
  3. Click the Group Policy tab, click the Group Policy Object (GPO) you want to work with, and then click Edit. If there are no existing policies listed in the window, click New to create a new policy that you can choose a name for, and then click Edit.
  4. Expand the policy, and then expand the User Configuration node. Expand the Administrative Templates node, and then expand the System node.
  5. Click the Logon/Logoff node.
  6. Right-click the Disable Change Password policy, and then click Properties.
  7. On the Policy tab, click the Enabled option, and then click OK.
  8. Close the Group Policy windows, and then quit the Active Directory Users and Computers console.
  9. At a command prompt, type secedit /refreshpolicy user_policy /enforce, and then press ENTER to update the policy.
NOTE: By default, policies that are applied to either users or computers at the domain level will apply to all users and/or all computers, in the domain. By default, the application of a policy to organizational units will apply to all user accounts and/or machine accounts that reside in that organizational unit, and any sub-organizational unit that may exist. A user account must either be moved into, or be created in, that organizational unit for it to apply. Just adding security groups that a user may be a member of to an organizational unit will not apply the policy to that user.

How to Disable the Change Password Button for One or More Specific Users

The following procedure must be done on the user's computer:
  1. At a command prompt, type regedit, and then press ENTER.
  2. View the following registry key:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
  3. Click the System key if it exists. If the key does not exist, click New on the Edit menu, and then click Key to create a new folder value called New Key #1. Rename the New Key #1 value to System.
  4. Click the System key. On the Edit menu, point to New, and then click DWORD Value. Rename the New Value #1 entry to DisableChangePassword, press ENTER, and then press ENTER again.
  5. Change the value from 0 to 1.
  6. Quit Registry Editor. Press CTRL+ALT+DELETE to see that the Change Password button is now unavailable.



REFERENCES

For additional information about policies, click the article numbers below to view the articles in the Microsoft Knowledge Base:
231287 Loopback Processing of Group Policy


273004 Error Message Is Displayed When Attempting to Change Password











Properties

Article ID: 309799 - Last Review: November 1, 2006 - Revision: 3.2
APPLIES TO
  • Microsoft Windows 2000 Server
Keywords: 
kbenv kbhowto kbhowtomaster kbui KB309799

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com