4d599278-5660-4513-abe4-715f546475bb
Enabling this setting on all domain controllers in a domain prevents domain members from changing their computer account passwords. If these passwords are weak or compromised, the inability to change them may leave these computers vulnerable.
To fix this configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain controller: Refuse machine account password changes" to "Disabled".
SITG: Server 2019: https://www.stigviewer.com/stig/windows_server_2019/2020-06-15/finding/V-93273
Server 2012R2: https://www.stigviewer.com/stig/microsoft_windows_server_20122012_r2_domain_controller/2022-03-01/finding/V-226351
Server 2016: https://www.stigviewer.com/stig/microsoft_windows_server_2016/2022-03-01/finding/V-224996