PingSentry   |   Discord   |   System32   |   GitHub   |   Free tools

Domain Controller: Must be configured to allow reset of machine account passwords

4d599278-5660-4513-abe4-715f546475bb

Enabling this setting on all domain controllers in a domain prevents domain members from changing their computer account passwords. If these passwords are weak or compromised, the inability to change them may leave these computers vulnerable.

Remediation

To fix this configure the policy value for
Computer Configuration
|_ Windows Settings
|_ Security Settings
|_ Local Policies
|_ Security Options
|_"Domain controller: Refuse machine account password changes" to "Disabled".

SITG:
Server:
2022: https://stigviewer.com/stigs/microsoft_windows_server_2022/2025-01-14/finding/V-254417
2019: https://stigviewer.com/stigs/microsoft_windows_server_2019/2025-01-15/finding/V-205876



Tags

stig-medium-server server compliance-server security-server domaincontroller nist800-171-server cmmc2-l2-server

Your Privacy Choices

Manage your cookie preferences below:

Helps us improve website performance and understand how visitors use our site.

Allows us to collect feedback about our products and improve them based on your input.

To learn more about our use of cookies, please see our
Privacy Policy.