Users can change their passwords during the period between the minimum and maximum password age settings. Your security design may require that users change their passwords only when they are prompted by the operating system at the maximum password age. You can configure Windows to permit users to change their passwords only when the operating system prompts them to do so. To prevent users from changing their passwords (except when required), disable the Change Password option in the Windows Security dialog box that appears when you press CTRL+ALT+DELETE.
You can implement this configuration for a whole domain by using a Group Policy, or you can implement this configuration for one or more specific users by editing the registry.
How to Configure a Site, Domain, or Organizational Unit to Prevent Users from Changing Passwords Unless Prompted
- Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
- Right-click the domain or organizational unit for which you want to implement the new password change policy, and then click Properties.
- Click the Group Policy tab.
- Click the Group Policy object (GPO) that you want to work with, and then click Edit. If there are no existing policies listed in the Group Policy Object Links list, click New to create a new policy, type a name for the new policy, and then click Edit.
- Expand the GPO, expand User Configuration, expand Administrative Templates, and then expand System.
- Click Ctrl+Alt+Del Options.
- In the right pane, double-click Remove Change Password.
- Click Enabled, and then click OK.
- Quit the Group Policy Object Editor snap-in, click OK, and then quit the Active Directory Users and Computers snap-in.
- Click Start, and then click Run.
- Type cmd in the Open box, and then click OK.
- At the command prompt, type the following line, and then press ENTER:
gpupdate /target:user /force
- Type exit to close the command prompt.
Posted in: Server