Domain Controller: Must be configured to allow reset of machine account passwords


Enabling this setting on all domain controllers in a domain prevents domain members from changing their computer account passwords. If these passwords are weak or compromised, the inability to change them may leave these computers vulnerable.


To fix this configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain controller: Refuse machine account password changes" to "Disabled".

SITG: Server 2019:
Server 2012R2:
Server 2016: