Disable Change Password option to students

Posted on 2003-03-07
Medium Priority
Last Modified: 2013-12-04
We are an educational establishment with a network consisting of approx 200 machines, 50 or 60 of which are win2k. I have tried applying the registry amendments to stop kids pressing ctrl+alt+del and changing their passwords (by 'greying out' the change password option, not disabling ctrl+alt+del). The problem I have found is that the reg key needs to be amended on the Local_Machine and also current_user. I need to know if there is a better way to disable the change password option in win2k than applying the regedit amendments, which are troublesome to say the least. Any information would be greatly appreciated.
Question by: xmark66
LVL 85

Expert Comment

ID: 8090046
Ahem - what's wrong with the option "user cannot change password" in user properties?
LVL 34

Expert Comment

ID: 8093161

Registry is the better method:
LVL 34

Expert Comment

ID: 8093162

You may also use the minimum password age feature:



Expert Comment

ID: 8094697
There are two ways to accomplish this.  First, for your Win2k clients you can enable the Group Policy under the system.adm template, under Administrative Templates - System - Logon/Logoff - Disable Change Password - set to enabled.

On the Win9x machines you will have to use extensible policies and Poledit.exe to create a policy file for these workstations.   We accomplished this by grouping several templates together to develop a Main.pol file which we put on the sysvol.  As they log on, any changes made to the main.pol get propagated out to the Win9x computers.

In order to use system policies you must enable user profiles. After user profiles are enabled, many user specific changes made to the workstation (i.e. print capturing, proxy server settings) will only apply to the user who made them. When connected to a network, your user profile will follow you to each workstation that has user profiles enabled. This can cause confusion and make it very difficult to make changes to a workstation once profiles are enabled.

User profiles can be disabled without disabling system policies as follows. Remove all history for all users at the workstation by deleting the C:\WINDOWS\PROFILES subdirectory on the workstation with the autoexec. With a registry edit made via policies the user information is no longer copied to the server. The workstation is then forced to build all “profile” information from the local workstation. This allows you to easily make changes that will affect all future users of that workstation without affecting any other workstations on the network. One downfall is that every time you log in you get the “You haven’t logged in to this …..Would you like to save your …..” prompt every time you login to a workstation.

Implementing policies involves making a policy file with a policy editor. The policy editor requires a template file that basically dictates what registry entries can be modified with policies.

You'll need to implement;

There are several default adm files in the poledit directory.  I

The following operations need to be performed on a workstation for policies to be enabled and for group support.

-Control Panel | Add/Remove Programs | Windows Setup | Have Disk | …..\poledit | Group Policies
-Run Poledit, File | Open Registry | Local Computer | Network | Update | Remote Update | Manual (\\servername\sys\public\main.pol), (Check Display Error Message)
-Add (Deltree /Y C:\WINDOWS\PROFILES) to autoexec.bat

The workstation setup can be automated with a login script or a batch file as follows.

     Map ROOT J:=\\Server\POLICY
     COPY J:AUTOEXEC.BAT + C:\AUTOEXEC.ADD C:\AUTOEXEC.BAT     (autoexec.add has Deltree command)

Bonus to block downloads in IE:
HKEY\localuser\software\microsoft\windows\currentversion\internet settings\zones\3

change the key value of key 1803 from 0 to 1   (zero to one)
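
The "Disable Change Password" Group Policy setting named in the answer above is stored as the per-user value DisableChangePassword (REG_DWORD 1) under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System. As an added example that is not part of the original post, this PowerShell function lists the user hives loaded under HKEY_USERS and shows which ones carry the value, so you can confirm the policy reached each student profile; it assumes a current Windows machine with PowerShell 3 or later, and the function name is hypothetical.

```powershell
# Added example (not from the original thread): audit the per-user
# DisableChangePassword policy value across loaded user hives.
$policySubKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$valueName    = 'DisableChangePassword'

function Get-ChangePasswordPolicy {   # hypothetical helper name
    $users = [Microsoft.Win32.Registry]::Users
    foreach ($sid in $users.GetSubKeyNames()) {
        # Keep only real user SIDs; this skips .DEFAULT, service
        # accounts (S-1-5-18/19/20) and the *_Classes hives.
        if ($sid -notmatch '^S-1-5-21-[\d-]+$') { continue }

        $value = $null
        $key = $users.OpenSubKey("$sid\$policySubKey")   # read-only open
        if ($key) {
            $value = $key.GetValue($valueName, $null)
            $key.Close()
        }

        [pscustomobject]@{
            Sid      = $sid
            Value    = $value            # empty when the value is absent
            Enforced = ($value -eq 1)    # True only when set to 1
        }
    }
}

Get-ChangePasswordPolicy | Format-Table -AutoSize
```

Only the hives of logged-on users are loaded under HKEY_USERS, so run it while the accounts you want to check are signed in.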

Expert Comment

ID: 9070770
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
Post your closing recommendations!  No comment means you don't care.

Accepted Solution

MSGeek earned 400 total points
ID: 9072584
xmark66.. you never responded to my last post, did it help?  MSGeek.

CleanupPing.. if there is no response I would object to a refund and/or deletion.


Question has a verified solution.
