Solved

Registry keys for Maximum Password Age and User Cannot Change

Posted on 2006-11-20
19
9,639 Views
Last Modified: 2009-10-08
Trying to automate the setup of our customer machines. Need to set Maximum Password Age to '0' and User Cannot Change password. Easy to find to do manually but we prefer to script this precisely because machines still leave our workshop incorrectly configured.

Any ideas for the paths to the registry keys that need changing?
0
Comment
Question by:Fubschuk
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 6
  • 2
  • +1
19 Comments
 
LVL 11

Expert Comment

by:ch2
ID: 17978432
You may look here

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Netlogon\Parameters
0
 
LVL 11

Expert Comment

by:ch2
ID: 17978446
The values to change are

maximumpasswordage

DisablePasswordChange
0
 
LVL 11

Expert Comment

by:ch2
ID: 17978460
Start from here sorry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
0
Does Your Cloud Backup Use Blockchain Technology?

Blockchain technology has already revolutionized finance thanks to Bitcoin. Now it's disrupting other areas, including the realm of data protection. Learn how blockchain is now being used to authenticate backup files and keep them safe from hackers.

 

Author Comment

by:Fubschuk
ID: 17978507
It's everywhere!

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Netlogon\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

and how about
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Services/Netlogon/Parameters/MaximumPasswordAge

?
0
 
LVL 11

Expert Comment

by:ch2
ID: 17978535
Here, this one

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
0
 
LVL 9

Expert Comment

by:gopal_krishna
ID: 17978542
if the system is in the domain, you can always select the option in ADS of "password never expire" for the user accounts which is simple and easy process. When the user needs to change the password he would always be able to change. But its not recommended. if not you can also edit the group policy by following the steps:

Goto Run>GPEDIT.MSC>windows settings>Account policy>password policy>"maximum Password Age" Make the necessary changes. which will update.

cheers
Gopal Krishna K



0
 
LVL 11

Expert Comment

by:ch2
ID: 17978551
Which is for the current machine.

DisablePasswordChange

Change to 1 (default 0)

maximumpasswordage

Change to

05 = 5 days
07 = 7days
1e = 30 days (default)
0D = 15 days
0
 
LVL 9

Expert Comment

by:gopal_krishna
ID: 17978595
Why do you want to make the password never change status. this is not a secured and the hackers can always hack your system with this type of policy. its always better that you set the default policy and change the password for security reasons what microsoft recommends. please find the link mentioned below:

http://technet2.microsoft.com/WindowsServer/en/library/99d59e46-7116-4559-b995-859611548d3e1033.mspx?mfr=true

http://technet2.microsoft.com/WindowsServer/en/library/039e8d42-fe50-4738-abf3-c798e74a03f61033.mspx?mfr=true

Regards
Gopal Krishna K

0
 

Author Comment

by:Fubschuk
ID: 17978767
Thanks Krishna and ch2. We need to have some users set up to have fixed passwords with no expiry because our customers have learning difficulties. We do however 'lock-down' the abilities of those users to have restricted runs etc but it is IMPERATIVE that we are able to create one or two usernames that have passwords that can never change and never expire.

OK ch2, I've just run a script that changes the values in the locations you suggest. maximumpasswordage set to '0' and DisablePasswordChange set to '1'.  I can SEE that the values have changed under regedit but under control panel\administrative tools\local security policy the maximum password age shows as being set to a different value (i.e.30 - a value that I manually typed in there a few days ago).

I though I would try to be clever and used Process Monitor to spot the registry activity when I manually changed the number for password expiry age in control panel\administrative tools\local security policy and that's when I came up with the key path "SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Services/Netlogon/Parameters/MaximumPasswordAge" which did me no good at all.

I just cannot see, for example, where control panel\administrative tools\local security policy is getting its currently displayed figure of '30' from. Yes, I'm the one who typed it in there, but where in the registry is this figure stored because it isn't in any of the locations you've mentioned???
0
 
LVL 11

Expert Comment

by:ch2
ID: 17978921
You are in adomain isn't?

I changed the policies and the changes were applied to those keys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters
0
 

Author Comment

by:Fubschuk
ID: 17978953
Nope. No domain. Just PC's connected together by CAT5 cables. Just a PC on a network that talks to another PC on that network by virtue of it being on the same subnet. A bit of software on one machine talks to a bit of software on another machine because it's been told the IP address of the other machine. No 'server', not in the Windows sense of the word.
0
 
LVL 11

Expert Comment

by:ch2
ID: 17979113
< Just PC's connected together by CAT5 cables. Just a PC on a network that talks to another PC on that network by virtue of it being on the same subnet.

You are a member of a domain not a workgroup, that is what i meant.

A Description of the Group Policy Update Utility

http://support.microsoft.com/kb/298444/

The values are taken from the keys i posted above but they are not updated for security reasons.

SECEDIT

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/secedit_cmds.mspx?mfr=true


But a part of this, you should do it manually as microsoft recommends, so follow krishna advice.
0
 
LVL 29

Expert Comment

by:matrixnz
ID: 17979341
Hi Fubschuk

Their are a couple of other ways to do it

1. Local Group Policy

Maximum Password Age
Click Start
Click Run
Type GPEDIT.MSC
Expand Computer Configuration
Expand Windows settings
Expand Security Settings
Expand Password Policy
Change Maximum password age to 0

Remove Change Password
Expand User Configuration
Expand Administrative Templates
Expand System
Expand Ctrl+Alt+Del Options
Enable Remove Change Password

Once completed, use a compression utility, I prefer 7zip, to zip the C:\Windows\System32\Group Policy folder to GPolicy.zip than using an unzip utilitiy in your scripts for 7zip you can use 7za to uncompress your GPolicy.zip on to any new machine, the policies take effect for the whole machine.

2. Using Script using NET User / Net Accounts
Change Password
net user UserName Password:P@ssw0rd /add /passwordchg:no
more info here http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/net_user.mspx?mfr=true

Maximum Password Age
net accounts /maxpwage:unlimited
more info here http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/net_accounts.mspx?mfr=true

The thing to remember is that Disable Password Change is held within the users context (HKCU) so only effects the particular user logged in, whereas Maximum Password Age is held within the machine context (HKCM) so effects all users that log in.

Hope that helps.

Cheers
0
 

Author Comment

by:Fubschuk
ID: 17980349
A colleague tried using secedit.exe with the parameters /configure /db {win}\security\Database\secedit.sdb /cfg {app}\STN_Security_Template.inf /overwrite

The inf file is as follows:
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
ClearTextPassword = 0
[Profile Description]
Description=New install security configuration
[Registry Values]

Did his approach not work because he used -1 for the MaximumPasswordAge? Is this secedit technique any better than using Net Accounts script? Is he more clever than me???
0
 
LVL 29

Accepted Solution

by:
matrixnz earned 500 total points
ID: 18125128
Hi Lee

I believe my post provides two alterntaive solutions to Fubschuks question, both solutions work.

Cheers
0
 

Author Comment

by:Fubschuk
ID: 18129686
Hello All,

matrixnz gave the most usefull answer. Give him loads of points please.

Best regards
Fubschuk
0
 

Author Comment

by:Fubschuk
ID: 18130987
Thanks Lee,

I'm a newbie on here although colleagues in our office have used you guys before.

Many thanks again for all your help. I'll make sure I close threads in future.

Best Regards,
Ivor Davies
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Are you unable to synchronize your OST (Offline Storage Table) file with Microsoft Exchange Server? Is your OST file exceeding 2 GB size limit? In Microsoft Outlook 2002 and earlier versions, there is a 2 GB size limit for the OST file. If the file …
Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…

622 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question