This tutorial discusses how to allow or prevent users from changing their password in Windows 10 and Windows 11, providing step-by-step instructions for restricting password change permissions for local users. Included are explanations for using the Local Users and Groups tool and PowerShell/Command Prompt for managing password settings, allowing you to configure whether or not users can change their own passwords.
Managing user account passwords is a common administrative task for Windows 10 and Windows 11 devices. Preventing specific users from changing passwords is often necessary for users who have poor password habits or do not remember passwords, enabling administrators to manually manage users’ passwords themselves for greater oversight.
Prerequisites for managing password permissions and settings
You will need to be logged in as a user with administrative privileges to manage Windows system settings. You should also take a full backup of your important files and system before making any major configuration changes to your device.
Step-by-step instructions: Allow or prevent users from changing their password in Windows 10 and Windows 11
There are several methods that can be used to manage user password permissions on Windows 10 and Windows 11 devices. Note, however, that all the methods below are for local Windows user accounts. If you are an administrator for a Windows Domain, you will need to use Azure AD or Active Directory to manage your users.
Note also that, as an administrator, it is not possible to restrict your own user account from changing your password. An error will occur if you attempt this to prevent you from creating a situation where you cannot log in with an administrator account.
Restricting or allowing password changes using the Local Users and Groups MMC (GUI)
In Windows 10 and Windows 11, the Local Users and Groups snap-in provides a graphical interface for managing users. This tool is only available in Pro, Enterprise, and Education editions of the Windows operating system — users of Home versions will need to use the command line method.
To prevent or allow users to change their own passwords using Local Users and Groups, follow these steps:
- Right-click on the Start button and click Run
- Enter lusrmgr.msc into the Run dialog and press OK
- Click Users in the left-panel navigation tree
- Right-click the user you wish to restrict or enable password changes for and select Properties
- Check the User cannot change password checkbox to prevent the user from changing their own password
- Uncheck the User cannot change password checkbox to do the opposite and allow them to change their own password
- Click OK to dismiss the user Properties window and confirm the change
Preventing or enabling user password changes using the Command Prompt
You can alternatively use the command prompt to allow or deny users to manage their own passwords in Windows 10 and Windows 11 by following these steps:
- Open an elevated PowerShell or Command Prompt window
- Run the command net user USERNAME /passwordchg:no to prevent the user with the user USERNAME from updating their own password
- Run the command net user USERNAME /passwordchg:yes to allow the user with the user USERNAME to update their own password
These commands use the Windows net user command to update the local user’s password settings. Note you will need to change USERNAME to the username of the user whose password change settings you wish to update.
Confirming whether a user is restricted from changing their own password
The net user command can also be used to confirm whether a user has permission to change their own password by running net user USERNAME (again replacing USERNAME with the specified user account).
In the information displayed by this command, you can confirm the current user’s ability to change their password by looking for the User may change password entry.
Use cases for restricting user password changes
Restricting users from changing their passwords is often done on shared machines to prevent one user from changing the password to something the others don’t know (either intentionally or unintentionally).
Preventing password changes is also useful for accounts used by children, and in environments where users are irresponsible with their password practices. In the latter case, some administrators prefer to create secure passwords themselves and supply them to their users, or manually vet passwords to check if they are appropriate before updating them.
In some cases, it is necessary instead to force users to regularly change their passwords for compliance reasons. In cases where users fail to do so (and when attempts to force users to change their password on next login fail), it may be necessary to take control of their password management to ensure that all accounts on the network are secure.
Managing user password permissions for multiple Windows 10 and Windows 11 PCs
Managing the security of multiple Windows 10 and Windows 11 devices quickly becomes cumbersome as the number of PCs you need to configure, monitor, and keep up-to-date increases.
Centralizing and automating common administrative tasks such as managing user password permissions to allow or prevent users from changing their passwords can be done using mobile device management (MDM) tools. NinjaOne provides a feature-rich MDM solution that covers all of your business devices, as well as employees’ own devices that are used for remote work.
In addition to enforcing security policies, NinjaOne lets you automate other common administrative tasks and enforce security policies across Windows 10, Windows 11, Apple, Android, and Linux devices for full coverage of your IT infrastructure.
