Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Registry keys for Maximum Password Age and User Cannot Change

Posted on 2006-11-20
19
Medium Priority
?
10,431 Views
Last Modified: 2009-10-08
Trying to automate the setup of our customer machines. Need to set Maximum Password Age to '0' and User Cannot Change password. Easy to find to do manually but we prefer to script this precisely because machines still leave our workshop incorrectly configured.

Any ideas for the paths to the registry keys that need changing?
0
Comment
Question by:Fubschuk
  • 7
  • 6
  • 2
  • +1
19 Comments
 
LVL 11

Expert Comment

by:ch2
ID: 17978432
You may look here

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Netlogon\Parameters
0
 
LVL 11

Expert Comment

by:ch2
ID: 17978446
The values to change are

maximumpasswordage

DisablePasswordChange
0
 
LVL 11

Expert Comment

by:ch2
ID: 17978460
Start from here sorry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:Fubschuk
ID: 17978507
It's everywhere!

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Netlogon\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

and how about
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Services/Netlogon/Parameters/MaximumPasswordAge

?
0
 
LVL 11

Expert Comment

by:ch2
ID: 17978535
Here, this one

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
0
 
LVL 9

Expert Comment

by:gopal_krishna
ID: 17978542
if the system is in the domain, you can always select the option in ADS of "password never expire" for the user accounts which is simple and easy process. When the user needs to change the password he would always be able to change. But its not recommended. if not you can also edit the group policy by following the steps:

Goto Run>GPEDIT.MSC>windows settings>Account policy>password policy>"maximum Password Age" Make the necessary changes. which will update.

cheers
Gopal Krishna K



0
 
LVL 11

Expert Comment

by:ch2
ID: 17978551
Which is for the current machine.

DisablePasswordChange

Change to 1 (default 0)

maximumpasswordage

Change to

05 = 5 days
07 = 7days
1e = 30 days (default)
0D = 15 days
0
 
LVL 9

Expert Comment

by:gopal_krishna
ID: 17978595
Why do you want to make the password never change status. this is not a secured and the hackers can always hack your system with this type of policy. its always better that you set the default policy and change the password for security reasons what microsoft recommends. please find the link mentioned below:

http://technet2.microsoft.com/WindowsServer/en/library/99d59e46-7116-4559-b995-859611548d3e1033.mspx?mfr=true

http://technet2.microsoft.com/WindowsServer/en/library/039e8d42-fe50-4738-abf3-c798e74a03f61033.mspx?mfr=true

Regards
Gopal Krishna K

0
 

Author Comment

by:Fubschuk
ID: 17978767
Thanks Krishna and ch2. We need to have some users set up to have fixed passwords with no expiry because our customers have learning difficulties. We do however 'lock-down' the abilities of those users to have restricted runs etc but it is IMPERATIVE that we are able to create one or two usernames that have passwords that can never change and never expire.

OK ch2, I've just run a script that changes the values in the locations you suggest. maximumpasswordage set to '0' and DisablePasswordChange set to '1'.  I can SEE that the values have changed under regedit but under control panel\administrative tools\local security policy the maximum password age shows as being set to a different value (i.e.30 - a value that I manually typed in there a few days ago).

I though I would try to be clever and used Process Monitor to spot the registry activity when I manually changed the number for password expiry age in control panel\administrative tools\local security policy and that's when I came up with the key path "SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Services/Netlogon/Parameters/MaximumPasswordAge" which did me no good at all.

I just cannot see, for example, where control panel\administrative tools\local security policy is getting its currently displayed figure of '30' from. Yes, I'm the one who typed it in there, but where in the registry is this figure stored because it isn't in any of the locations you've mentioned???
0
 
LVL 11

Expert Comment

by:ch2
ID: 17978921
You are in adomain isn't?

I changed the policies and the changes were applied to those keys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters
0
 

Author Comment

by:Fubschuk
ID: 17978953
Nope. No domain. Just PC's connected together by CAT5 cables. Just a PC on a network that talks to another PC on that network by virtue of it being on the same subnet. A bit of software on one machine talks to a bit of software on another machine because it's been told the IP address of the other machine. No 'server', not in the Windows sense of the word.
0
 
LVL 11

Expert Comment

by:ch2
ID: 17979113
< Just PC's connected together by CAT5 cables. Just a PC on a network that talks to another PC on that network by virtue of it being on the same subnet.

You are a member of a domain not a workgroup, that is what i meant.

A Description of the Group Policy Update Utility

http://support.microsoft.com/kb/298444/

The values are taken from the keys i posted above but they are not updated for security reasons.

SECEDIT

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/secedit_cmds.mspx?mfr=true


But a part of this, you should do it manually as microsoft recommends, so follow krishna advice.
0
 
LVL 29

Expert Comment

by:matrixnz
ID: 17979341
Hi Fubschuk

Their are a couple of other ways to do it

1. Local Group Policy

Maximum Password Age
Click Start
Click Run
Type GPEDIT.MSC
Expand Computer Configuration
Expand Windows settings
Expand Security Settings
Expand Password Policy
Change Maximum password age to 0

Remove Change Password
Expand User Configuration
Expand Administrative Templates
Expand System
Expand Ctrl+Alt+Del Options
Enable Remove Change Password

Once completed, use a compression utility, I prefer 7zip, to zip the C:\Windows\System32\Group Policy folder to GPolicy.zip than using an unzip utilitiy in your scripts for 7zip you can use 7za to uncompress your GPolicy.zip on to any new machine, the policies take effect for the whole machine.

2. Using Script using NET User / Net Accounts
Change Password
net user UserName Password:P@ssw0rd /add /passwordchg:no
more info here http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/net_user.mspx?mfr=true

Maximum Password Age
net accounts /maxpwage:unlimited
more info here http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/net_accounts.mspx?mfr=true

The thing to remember is that Disable Password Change is held within the users context (HKCU) so only effects the particular user logged in, whereas Maximum Password Age is held within the machine context (HKCM) so effects all users that log in.

Hope that helps.

Cheers
0
 

Author Comment

by:Fubschuk
ID: 17980349
A colleague tried using secedit.exe with the parameters /configure /db {win}\security\Database\secedit.sdb /cfg {app}\STN_Security_Template.inf /overwrite

The inf file is as follows:
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
ClearTextPassword = 0
[Profile Description]
Description=New install security configuration
[Registry Values]

Did his approach not work because he used -1 for the MaximumPasswordAge? Is this secedit technique any better than using Net Accounts script? Is he more clever than me???
0
 
LVL 29

Accepted Solution

by:
matrixnz earned 2000 total points
ID: 18125128
Hi Lee

I believe my post provides two alterntaive solutions to Fubschuks question, both solutions work.

Cheers
0
 

Author Comment

by:Fubschuk
ID: 18129686
Hello All,

matrixnz gave the most usefull answer. Give him loads of points please.

Best regards
Fubschuk
0
 

Author Comment

by:Fubschuk
ID: 18130987
Thanks Lee,

I'm a newbie on here although colleagues in our office have used you guys before.

Many thanks again for all your help. I'll make sure I close threads in future.

Best Regards,
Ivor Davies
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Can you find a fax from a vendor you saved a decade ago in seconds? Have you ever cursed your PC under your breath during an audit because you couldn’t find the requested statement or driver history?  If you answered no to the first question or yes …
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an anti-spam), the admin…
Suggested Courses

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question