Re: Win2k Security Template: RequireLogonToChangePassword

From: Windex King (
Date: 07/31/01

Message-ID: <>
Date: Mon, 30 Jul 2001 23:26:20 -0400
From: Windex King <>
To: Information Security <>
Subject: Re: Win2k Security Template:  RequireLogonToChangePassword

Information Security wrote:
> In the [System Access] section of .inf files for the Windows 2000 security
> configuration templates, there's always an entry for
> "RequireLogonToChangePassword=0|1". NSA guidelines set it to 1, some other
> templates set it to 0, but it never seems to appear in the Security
> Configuration Templates snap-in. I've searched all over & the
> rest of the web, but can't find any definitions for this setting.

Well, I can find that check in NT 4.0 but also have not been able
to find it in W2K. In NT 4.0 it is at the bottom of the Account Policy
window (User Manager / Policies / Account).

If you click on help there and choose "Users Must Log On In Order To Change
Password" you will see the following:

"If selected, requires users to log on before changing their passwords. If
a user's password expires, the user will not be able to change the expired
password, and an administrator must change the password for the user.

If cleared, allows users to change their expired passwords without notifying
an administrator."

In NT 4, I see it as the password expiration equivalent to the lockout
account forever setting of the account lockout parameters. I would assume
that the check does the same thing on W2K. However, we all know what happens
when we ass-u-me.