Merge pull request #5460 from MicrosoftDocs/master

Publish 08/02/2021, 10:30 AM

windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md

@@ -14,7 +14,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/19/2017
 ms.technology: mde
 ---
 
@@ -31,17 +30,11 @@ This policy setting enables or disables blocking a domain controller from accept
 
 ### Possible values
 
--   Enabled
+-   **Enabled** When enabled, this setting does not allow a domain controller to accept any changes to a machine account's password.
 
-    When enabled, this setting does not allow a domain controller to accept any changes to a machine account's password.
+-   **Disabled** When disabled, this setting allows a domain controller to accept any changes to a machine account's password.
 
--   Disabled
-
-    When disabled, this setting allows a domain controller to accept any changes to a machine account's password.
-
--   Not defined
-
-    Same as Disabled.
+-   **Not defined** Same as Disabled.
 
 ### Best practices
 
@@ -51,12 +44,19 @@ This policy setting enables or disables blocking a domain controller from accept
 
 Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
 
+The policy referenced configures the following registry value:
+
+Registry Hive: HKEY_LOCAL_MACHINE
+Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\
+
+Value Name: RefusePasswordChange
+
 ### Default values
 
 The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.
 
 | Server type or GPO | Default value |
-| - | - |
+|---|---|
 | Default Domain Policy | Not defined | 
 | Default Domain Controller Policy | Not defined | 
 | Stand-Alone Server Default Settings | Not defined |