Fubschuk
asked on
Registry keys for Maximum Password Age and User Cannot Change
Trying to automate the setup of our customer machines. Need to set Maximum Password Age to '0' and User Cannot Change password. Easy to find to do manually but we prefer to script this precisely because machines still leave our workshop incorrectly configured.
Any ideas for the paths to the registry keys that need changing?
The values to change are
maximumpasswordage
DisablePasswordChange
Start from here sorry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
ASKER
It's everywhere!
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Netlogon\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
and how about
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Services/Netlogon/Parameters/MaximumPasswordAge
?
Here, this one
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
If the system is in the domain, you can always select the option in ADS of "password never expire" for the user accounts, which is a simple and easy process. When the user needs to change the password he would always be able to change it. But it's not recommended. If not, you can also edit the group policy by following these steps:
Goto Run>GPEDIT.MSC>windows settings>Account policy>password policy>"maximum Password Age" Make the necessary changes. which will update.
cheers
Gopal Krishna K
Which is for the current machine.
DisablePasswordChange
Change to 1 (default 0)
maximumpasswordage
Change to
05 = 5 days
07 = 7 days
1e = 30 days (default)
0D = 15 days
Why do you want to make the password never change status? This is not secure, and the hackers can always hack your system with this type of policy. It's always better that you set the default policy and change the password for security reasons, as Microsoft recommends. Please find the links mentioned below:
http://technet2.microsoft.com/WindowsServer/en/library/99d59e46-7116-4559-b995-859611548d3e1033.mspx?mfr=true
http://technet2.microsoft.com/WindowsServer/en/library/039e8d42-fe50-4738-abf3-c798e74a03f61033.mspx?mfr=true
Regards
Gopal Krishna K
ASKER
Thanks Krishna and ch2. We need to have some users set up to have fixed passwords with no expiry because our customers have learning difficulties. We do however 'lock-down' the abilities of those users to have restricted runs etc but it is IMPERATIVE that we are able to create one or two usernames that have passwords that can never change and never expire.
OK ch2, I've just run a script that changes the values in the locations you suggest. maximumpasswordage set to '0' and DisablePasswordChange set to '1'. I can SEE that the values have changed under regedit but under control panel\administrative tools\local security policy the maximum password age shows as being set to a different value (i.e.30 - a value that I manually typed in there a few days ago).
I thought I would try to be clever and used Process Monitor to spot the registry activity when I manually changed the number for password expiry age in control panel\administrative tools\local security policy and that's when I came up with the key path "SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Services/Netlogon/Parameters/MaximumPasswordAge" which did me no good at all.
I just cannot see, for example, where control panel\administrative tools\local security policy is getting its currently displayed figure of '30' from. Yes, I'm the one who typed it in there, but where in the registry is this figure stored because it isn't in any of the locations you've mentioned???
You are in a domain, isn't it?
I changed the policies and the changes were applied to those keys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters
ASKER
Nope. No domain. Just PC's connected together by CAT5 cables. Just a PC on a network that talks to another PC on that network by virtue of it being on the same subnet. A bit of software on one machine talks to a bit of software on another machine because it's been told the IP address of the other machine. No 'server', not in the Windows sense of the word.
< Just PC's connected together by CAT5 cables. Just a PC on a network that talks to another PC on that network by virtue of it being on the same subnet.
You are a member of a domain not a workgroup, that is what I meant.
A Description of the Group Policy Update Utility
http://support.microsoft.com/kb/298444/
The values are taken from the keys I posted above but they are not updated for security reasons.
SECEDIT
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/secedit_cmds.mspx?mfr=true
But apart from this, you should do it manually as Microsoft recommends, so follow Krishna's advice.
Hi Fubschuk
There are a couple of other ways to do it
1. Local Group Policy
Maximum Password Age
Click Start
Click Run
Type GPEDIT.MSC
Expand Computer Configuration
Expand Windows settings
Expand Security Settings
Expand Password Policy
Change Maximum password age to 0
Remove Change Password
Expand User Configuration
Expand Administrative Templates
Expand System
Expand Ctrl+Alt+Del Options
Enable Remove Change Password
Once completed, use a compression utility (I prefer 7zip) to zip the C:\Windows\System32\Group Policy folder to GPolicy.zip, then use an unzip utility in your scripts (for 7zip you can use 7za) to uncompress your GPolicy.zip onto any new machine; the policies take effect for the whole machine.
2. Using Script using NET User / Net Accounts
Change Password
net user UserName Password:P@ssw0rd /add /passwordchg:no
more info here http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/net_user.mspx?mfr=true
Maximum Password Age
net accounts /maxpwage:unlimited
more info here http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/net_accounts.mspx?mfr=true
The thing to remember is that Disable Password Change is held within the user's context (HKCU) so only affects the particular user logged in, whereas Maximum Password Age is held within the machine context (HKCM) so affects all users that log in.
Hope that helps.
Cheers
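The two `net` commands from the answer above, followed by a read-back through `secedit /export`, which reports the same account policy the Local Security Policy console shows; the Netlogon registry values discussed earlier govern the computer account password, which is why editing them did not change the console. This is an added example, not code from any poster; the account name `kiosk` and the scratch file name are assumptions, and it must run elevated.

```powershell
# Added example; run from an elevated PowerShell prompt on a workgroup PC.
# 'kiosk' is a hypothetical local account name, not one from the thread.
param([string]$UserName = 'kiosk')

function Get-SystemAccessPolicy {
    # Export the effective local policy and return the [System Access]
    # section of the resulting INF file as a hashtable.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'   # assumed scratch file
    secedit.exe /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /export failed ($LASTEXITCODE)" }

    $policy = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'System Access')
        } elseif ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') {
            $policy[$Matches[1]] = $Matches[2]
        }
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    return $policy
}

# Machine-wide setting, as in the answer above: passwords never expire.
net.exe accounts /maxpwage:unlimited | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'net accounts failed' }

# Per-account setting for an existing local user: cannot change password.
net.exe user $UserName /passwordchg:no | Out-Null
if ($LASTEXITCODE -ne 0) { throw "net user failed for '$UserName'" }

# Read the value back from the exported policy instead of trusting the
# registry. Assumption: an unlimited age is exported as -1, the same value
# used in the secedit template quoted later in this thread.
$policy = Get-SystemAccessPolicy
$maxAge = $policy['MaximumPasswordAge']
if ($maxAge -eq '-1') {
    Write-Output "OK: MaximumPasswordAge = $maxAge (never expires)"
} else {
    Write-Output "CHECK: MaximumPasswordAge = $maxAge; policy not applied"
    exit 1
}
```

A non-zero exit code from the script gives a workshop build process a hard failure to stop on before the machine ships.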
ASKER
A colleague tried using secedit.exe with the parameters /configure /db {win}\security\Database\secedit.sdb /cfg {app}\STN_Security_Template.inf /overwrite
The inf file is as follows:
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
ClearTextPassword = 0
[Profile Description]
Description=New install security configuration
[Registry Values]
Did his approach not work because he used -1 for the MaximumPasswordAge? Is this secedit technique any better than using Net Accounts script? Is he more clever than me???
ASKER
Hello All,
matrixnz gave the most useful answer. Give him loads of points please.
Best regards
Fubschuk
ASKER
Thanks Lee,
I'm a newbie on here although colleagues in our office have used you guys before.
Many thanks again for all your help. I'll make sure I close threads in future.
Best Regards,
Ivor Davies