Domain controller: Refuse machine account password changes

This security setting determines whether domain controllers will refuse requests from member computers to change computer account passwords. By default, member computers change their computer account passwords every 30 days. If enabled, the domain controller will refuse computer account password change requests.

If it is enabled, this setting does not allow a domain controller to accept any changes to a computer account's password.

Policy path: 

Computer Configuration\Windows Settings\Local Policies\Security Options

Default: 

This policy is not defined, which means that the system treats it as Disabled.

Supported on: 

At least Windows XP SP2, Windows Server 2003

Registry settings: 

MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange

Reboot required: 

No