A. Like user accounts, machine accounts in a domain have passwords that change automatically. The domain stores both the previous and the current password so that the previous password remains usable for authentication if the current password has been changed but the change hasn’t yet fully replicated to the domain controller.

If the password changes twice before replication completes, neither stored password matches, and the computers that use the account might be unable to communicate. In this case, you receive an error message (e.g., Access Denied when Active Directory (AD) replication occurs). Passwords can also fall out of sync during replication between domain controllers in the same domain.

You can manually change a machine account password. You must use the Microsoft Windows 2000 Resource Kit’s Netdom tool rather than the Active Directory Users and Computers snap-in. Netdom is in Win2K’s Support\Tools folder. To reset a machine account password, enter

C:\>netdom resetpwd /server:<servername> /userd:<domainname>\Administrator /passwordd:*

After you enter the command, you’ll see the following.

Type the password associated with the domain user:

The machine account password for the local machine has been successfully reset.

The command completed successfully.

You need to run this Netdom command on the machine whose password you want to change. The /server value must be a domain controller in the domain, and the /userd account must be a domain account with administrative privileges over the machine account whose password you’re changing.

You need to restart the machine for the password change to take effect. Simultaneously resetting the password on the local machine and a domain controller ensures that the two computers involved in the operation are synchronized, and starts AD replication so that other domain controllers receive the change.
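The procedure above (detect the broken secure channel, reset the machine account password with Netdom, restart) as a single script. This is an added example, not code from the original article. It assumes an elevated PowerShell session on the machine being reset, netdom.exe on the PATH, and the Test-ComputerSecureChannel cmdlet, which shipped after Win2K (on Win2K, run only the netdom step); the server and account values are placeholders you supply.

```powershell
# Added example, not from the original article.
# Checks a member machine's secure channel to its domain and, if it is broken,
# resets the machine account password with the same Netdom syntax shown above,
# then optionally restarts so the new password takes effect.
#
# Assumptions (not stated in the article): elevated PowerShell on the machine
# whose password is being reset, netdom.exe on the PATH, and a Windows version
# that provides Test-ComputerSecureChannel (newer than Win2K).
param(
    [Parameter(Mandatory)] [string] $Server,      # a domain controller, e.g. DC01 (placeholder)
    [Parameter(Mandatory)] [string] $DomainUser,  # DOMAIN\Administrator-style account with rights over the machine account
    [switch] $Reboot                              # restart afterwards so the reset takes effect
)

$ErrorActionPreference = 'Stop'

# Step 1: detect the out-of-sync condition described above. A healthy secure
# channel means the locally stored machine password still matches one of the
# two passwords the domain controller holds.
$healthy = Test-ComputerSecureChannel -Server $Server
if ($healthy) {
    Write-Host "Secure channel to $Server is intact; no reset needed."
    return
}
Write-Warning "Secure channel to $Server is broken; resetting the machine account password."

# Step 2: reset with Netdom. /passwordd:* makes netdom prompt for the
# password of $DomainUser instead of taking it on the command line, where it
# would otherwise be visible in shell history and process listings.
& netdom.exe resetpwd "/server:$Server" "/userd:$DomainUser" "/passwordd:*"
if ($LASTEXITCODE -ne 0) {
    throw "netdom resetpwd failed with exit code $LASTEXITCODE"
}

# Step 3: the change only takes effect after a restart. Resetting against a
# specific DC and rebooting keeps the local machine and that DC in sync while
# AD replication carries the change to the other domain controllers.
if ($Reboot) {
    Restart-Computer -Force
} else {
    Write-Host "Password reset; restart this machine to complete the change."
}
```

Run it as `.\Reset-MachinePassword.ps1 -Server DC01 -DomainUser CONTOSO\Administrator -Reboot` (the script name, server and domain are placeholders). After the reboot, `Test-ComputerSecureChannel` should return True; if it still returns False, the reset did not reach the DC you named and you should repeat the check against that DC before trying another.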