Solved

Registry keys for Maximum Password Age and User Cannot Change

Posted on 2006-11-20
19
8,665 Views
Last Modified: 2009-10-08
Trying to automate the setup of our customer machines. Need to set Maximum Password Age to '0' and User Cannot Change password. Easy to find to do manually but we prefer to script this precisely because machines still leave our workshop incorrectly configured.

Any ideas for the paths to the registry keys that need changing?
0
Comment
Question by:Fubschuk
  • 7
  • 6
  • 2
  • +1
19 Comments
 
LVL 11

Expert Comment

by:ch2
ID: 17978432
You may look here

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Netlogon\Parameters
0
 
LVL 11

Expert Comment

by:ch2
ID: 17978446
The values to change are

maximumpasswordage

DisablePasswordChange
0
 
LVL 11

Expert Comment

by:ch2
ID: 17978460
Start from here sorry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
0
 

Author Comment

by:Fubschuk
ID: 17978507
It's everywhere!

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Netlogon\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

and how about
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Services/Netlogon/Parameters/MaximumPasswordAge

?
0
 
LVL 11

Expert Comment

by:ch2
ID: 17978535
Here, this one

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
0
 
LVL 9

Expert Comment

by:gopal_krishna
ID: 17978542
if the system is in the domain, you can always select the option in ADS of "password never expire" for the user accounts which is simple and easy process. When the user needs to change the password he would always be able to change. But its not recommended. if not you can also edit the group policy by following the steps:

Goto Run>GPEDIT.MSC>windows settings>Account policy>password policy>"maximum Password Age" Make the necessary changes. which will update.

cheers
Gopal Krishna K



0
 
LVL 11

Expert Comment

by:ch2
ID: 17978551
Which is for the current machine.

DisablePasswordChange

Change to 1 (default 0)

maximumpasswordage

Change to

05 = 5 days
07 = 7days
1e = 30 days (default)
0D = 15 days
0
 
LVL 9

Expert Comment

by:gopal_krishna
ID: 17978595
Why do you want to make the password never change status. this is not a secured and the hackers can always hack your system with this type of policy. its always better that you set the default policy and change the password for security reasons what microsoft recommends. please find the link mentioned below:

http://technet2.microsoft.com/WindowsServer/en/library/99d59e46-7116-4559-b995-859611548d3e1033.mspx?mfr=true

http://technet2.microsoft.com/WindowsServer/en/library/039e8d42-fe50-4738-abf3-c798e74a03f61033.mspx?mfr=true

Regards
Gopal Krishna K

0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 

Author Comment

by:Fubschuk
ID: 17978767
Thanks Krishna and ch2. We need to have some users set up to have fixed passwords with no expiry because our customers have learning difficulties. We do however 'lock-down' the abilities of those users to have restricted runs etc but it is IMPERATIVE that we are able to create one or two usernames that have passwords that can never change and never expire.

OK ch2, I've just run a script that changes the values in the locations you suggest. maximumpasswordage set to '0' and DisablePasswordChange set to '1'.  I can SEE that the values have changed under regedit but under control panel\administrative tools\local security policy the maximum password age shows as being set to a different value (i.e.30 - a value that I manually typed in there a few days ago).

I though I would try to be clever and used Process Monitor to spot the registry activity when I manually changed the number for password expiry age in control panel\administrative tools\local security policy and that's when I came up with the key path "SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Services/Netlogon/Parameters/MaximumPasswordAge" which did me no good at all.

I just cannot see, for example, where control panel\administrative tools\local security policy is getting its currently displayed figure of '30' from. Yes, I'm the one who typed it in there, but where in the registry is this figure stored because it isn't in any of the locations you've mentioned???
0
 
LVL 11

Expert Comment

by:ch2
ID: 17978921
You are in adomain isn't?

I changed the policies and the changes were applied to those keys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters
0
 

Author Comment

by:Fubschuk
ID: 17978953
Nope. No domain. Just PC's connected together by CAT5 cables. Just a PC on a network that talks to another PC on that network by virtue of it being on the same subnet. A bit of software on one machine talks to a bit of software on another machine because it's been told the IP address of the other machine. No 'server', not in the Windows sense of the word.
0
 
LVL 11

Expert Comment

by:ch2
ID: 17979113
< Just PC's connected together by CAT5 cables. Just a PC on a network that talks to another PC on that network by virtue of it being on the same subnet.

You are a member of a domain not a workgroup, that is what i meant.

A Description of the Group Policy Update Utility

http://support.microsoft.com/kb/298444/

The values are taken from the keys i posted above but they are not updated for security reasons.

SECEDIT

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/secedit_cmds.mspx?mfr=true


But a part of this, you should do it manually as microsoft recommends, so follow krishna advice.
0
 
LVL 29

Expert Comment

by:matrixnz
ID: 17979341
Hi Fubschuk

Their are a couple of other ways to do it

1. Local Group Policy

Maximum Password Age
Click Start
Click Run
Type GPEDIT.MSC
Expand Computer Configuration
Expand Windows settings
Expand Security Settings
Expand Password Policy
Change Maximum password age to 0

Remove Change Password
Expand User Configuration
Expand Administrative Templates
Expand System
Expand Ctrl+Alt+Del Options
Enable Remove Change Password

Once completed, use a compression utility, I prefer 7zip, to zip the C:\Windows\System32\Group Policy folder to GPolicy.zip than using an unzip utilitiy in your scripts for 7zip you can use 7za to uncompress your GPolicy.zip on to any new machine, the policies take effect for the whole machine.

2. Using Script using NET User / Net Accounts
Change Password
net user UserName Password:P@ssw0rd /add /passwordchg:no
more info here http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/net_user.mspx?mfr=true

Maximum Password Age
net accounts /maxpwage:unlimited
more info here http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/net_accounts.mspx?mfr=true

The thing to remember is that Disable Password Change is held within the users context (HKCU) so only effects the particular user logged in, whereas Maximum Password Age is held within the machine context (HKCM) so effects all users that log in.

Hope that helps.

Cheers
0
 

Author Comment

by:Fubschuk
ID: 17980349
A colleague tried using secedit.exe with the parameters /configure /db {win}\security\Database\secedit.sdb /cfg {app}\STN_Security_Template.inf /overwrite

The inf file is as follows:
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
ClearTextPassword = 0
[Profile Description]
Description=New install security configuration
[Registry Values]

Did his approach not work because he used -1 for the MaximumPasswordAge? Is this secedit technique any better than using Net Accounts script? Is he more clever than me???
0
 
LVL 29

Accepted Solution

by:
matrixnz earned 500 total points
ID: 18125128
Hi Lee

I believe my post provides two alterntaive solutions to Fubschuks question, both solutions work.

Cheers
0
 

Author Comment

by:Fubschuk
ID: 18129686
Hello All,

matrixnz gave the most usefull answer. Give him loads of points please.

Best regards
Fubschuk
0
 

Author Comment

by:Fubschuk
ID: 18130987
Thanks Lee,

I'm a newbie on here although colleagues in our office have used you guys before.

Many thanks again for all your help. I'll make sure I close threads in future.

Best Regards,
Ivor Davies
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Application Not Found 3 96
Windows 7 VM unable to boot up after shutdown 12 163
different catridges 8 90
how to copy from computer to usb drive 7 109
We have adopted the strategy to use Computers in Student Labs as the bulletin boards. The same target can be achieved by using a Login Notice feature in Group policy but it’s not as attractive as graphical wallpapers with message which grabs the att…
Step by step guide to Clean and Sort your windows registry! Introduction: Always remember: A Clean registry = Better performance = Save your invaluable time In this article we're going to clear our registry manually! Yes, manually! The e…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now