Solved

Registry keys for Maximum Password Age and User Cannot Change

Posted on 2006-11-20
19
8,504 Views
Last Modified: 2009-10-08
Trying to automate the setup of our customer machines. Need to set Maximum Password Age to '0' and User Cannot Change password. Easy to find to do manually but we prefer to script this precisely because machines still leave our workshop incorrectly configured.

Any ideas for the paths to the registry keys that need changing?
0
Comment
Question by:Fubschuk
  • 7
  • 6
  • 2
  • +1
19 Comments
 
LVL 11

Expert Comment

by:ch2
ID: 17978432
You may look here

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Netlogon\Parameters
0
 
LVL 11

Expert Comment

by:ch2
ID: 17978446
The values to change are

maximumpasswordage

DisablePasswordChange
0
 
LVL 11

Expert Comment

by:ch2
ID: 17978460
Start from here sorry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
0
 

Author Comment

by:Fubschuk
ID: 17978507
It's everywhere!

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Netlogon\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

and how about
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Services/Netlogon/Parameters/MaximumPasswordAge

?
0
 
LVL 11

Expert Comment

by:ch2
ID: 17978535
Here, this one

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
0
 
LVL 9

Expert Comment

by:gopal_krishna
ID: 17978542
if the system is in the domain, you can always select the option in ADS of "password never expire" for the user accounts which is simple and easy process. When the user needs to change the password he would always be able to change. But its not recommended. if not you can also edit the group policy by following the steps:

Goto Run>GPEDIT.MSC>windows settings>Account policy>password policy>"maximum Password Age" Make the necessary changes. which will update.

cheers
Gopal Krishna K



0
 
LVL 11

Expert Comment

by:ch2
ID: 17978551
Which is for the current machine.

DisablePasswordChange

Change to 1 (default 0)

maximumpasswordage

Change to

05 = 5 days
07 = 7days
1e = 30 days (default)
0D = 15 days
0
 
LVL 9

Expert Comment

by:gopal_krishna
ID: 17978595
Why do you want to make the password never change status. this is not a secured and the hackers can always hack your system with this type of policy. its always better that you set the default policy and change the password for security reasons what microsoft recommends. please find the link mentioned below:

http://technet2.microsoft.com/WindowsServer/en/library/99d59e46-7116-4559-b995-859611548d3e1033.mspx?mfr=true

http://technet2.microsoft.com/WindowsServer/en/library/039e8d42-fe50-4738-abf3-c798e74a03f61033.mspx?mfr=true

Regards
Gopal Krishna K

0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 

Author Comment

by:Fubschuk
ID: 17978767
Thanks Krishna and ch2. We need to have some users set up to have fixed passwords with no expiry because our customers have learning difficulties. We do however 'lock-down' the abilities of those users to have restricted runs etc but it is IMPERATIVE that we are able to create one or two usernames that have passwords that can never change and never expire.

OK ch2, I've just run a script that changes the values in the locations you suggest. maximumpasswordage set to '0' and DisablePasswordChange set to '1'.  I can SEE that the values have changed under regedit but under control panel\administrative tools\local security policy the maximum password age shows as being set to a different value (i.e.30 - a value that I manually typed in there a few days ago).

I though I would try to be clever and used Process Monitor to spot the registry activity when I manually changed the number for password expiry age in control panel\administrative tools\local security policy and that's when I came up with the key path "SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Services/Netlogon/Parameters/MaximumPasswordAge" which did me no good at all.

I just cannot see, for example, where control panel\administrative tools\local security policy is getting its currently displayed figure of '30' from. Yes, I'm the one who typed it in there, but where in the registry is this figure stored because it isn't in any of the locations you've mentioned???
0
 
LVL 11

Expert Comment

by:ch2
ID: 17978921
You are in adomain isn't?

I changed the policies and the changes were applied to those keys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters
0
 

Author Comment

by:Fubschuk
ID: 17978953
Nope. No domain. Just PC's connected together by CAT5 cables. Just a PC on a network that talks to another PC on that network by virtue of it being on the same subnet. A bit of software on one machine talks to a bit of software on another machine because it's been told the IP address of the other machine. No 'server', not in the Windows sense of the word.
0
 
LVL 11

Expert Comment

by:ch2
ID: 17979113
< Just PC's connected together by CAT5 cables. Just a PC on a network that talks to another PC on that network by virtue of it being on the same subnet.

You are a member of a domain not a workgroup, that is what i meant.

A Description of the Group Policy Update Utility

http://support.microsoft.com/kb/298444/

The values are taken from the keys i posted above but they are not updated for security reasons.

SECEDIT

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/secedit_cmds.mspx?mfr=true


But a part of this, you should do it manually as microsoft recommends, so follow krishna advice.
0
 
LVL 29

Expert Comment

by:matrixnz
ID: 17979341
Hi Fubschuk

Their are a couple of other ways to do it

1. Local Group Policy

Maximum Password Age
Click Start
Click Run
Type GPEDIT.MSC
Expand Computer Configuration
Expand Windows settings
Expand Security Settings
Expand Password Policy
Change Maximum password age to 0

Remove Change Password
Expand User Configuration
Expand Administrative Templates
Expand System
Expand Ctrl+Alt+Del Options
Enable Remove Change Password

Once completed, use a compression utility, I prefer 7zip, to zip the C:\Windows\System32\Group Policy folder to GPolicy.zip than using an unzip utilitiy in your scripts for 7zip you can use 7za to uncompress your GPolicy.zip on to any new machine, the policies take effect for the whole machine.

2. Using Script using NET User / Net Accounts
Change Password
net user UserName Password:P@ssw0rd /add /passwordchg:no
more info here http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/net_user.mspx?mfr=true

Maximum Password Age
net accounts /maxpwage:unlimited
more info here http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/net_accounts.mspx?mfr=true

The thing to remember is that Disable Password Change is held within the users context (HKCU) so only effects the particular user logged in, whereas Maximum Password Age is held within the machine context (HKCM) so effects all users that log in.

Hope that helps.

Cheers
0
 

Author Comment

by:Fubschuk
ID: 17980349
A colleague tried using secedit.exe with the parameters /configure /db {win}\security\Database\secedit.sdb /cfg {app}\STN_Security_Template.inf /overwrite

The inf file is as follows:
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
ClearTextPassword = 0
[Profile Description]
Description=New install security configuration
[Registry Values]

Did his approach not work because he used -1 for the MaximumPasswordAge? Is this secedit technique any better than using Net Accounts script? Is he more clever than me???
0
 
LVL 29

Accepted Solution

by:
matrixnz earned 500 total points
ID: 18125128
Hi Lee

I believe my post provides two alterntaive solutions to Fubschuks question, both solutions work.

Cheers
0
 

Author Comment

by:Fubschuk
ID: 18129686
Hello All,

matrixnz gave the most usefull answer. Give him loads of points please.

Best regards
Fubschuk
0
 

Author Comment

by:Fubschuk
ID: 18130987
Thanks Lee,

I'm a newbie on here although colleagues in our office have used you guys before.

Many thanks again for all your help. I'll make sure I close threads in future.

Best Regards,
Ivor Davies
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Most of the time we are in fix when all of sudden our systems behave weirdly.  Such problems cost time and effort... so it's best to take some preventive actions so that we can avoid such issues or overcome such problems more easily. Preventive M…
Are you unable to synchronize your OST (Offline Storage Table) file with Microsoft Exchange Server? Is your OST file exceeding 2 GB size limit? In Microsoft Outlook 2002 and earlier versions, there is a 2 GB size limit for the OST file. If the file …
This video discusses moving either the default database or any database to a new volume.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now