Windows Server 2003 Service Pack 1 modifies NTLM network authentication behavior
- After a domain user successfully changes a password by using NTLM, the old password can still be used for network access for a user-definable time period. This behavior allows accounts, such as service accounts, that are logged on to multiple computers to access the network while the password change propagates.
- The extension of the password lifetime period applies only to network access by using NTLM. Interactive logon behavior is unchanged. This behavior does not apply to accounts that are hosted on stand-alone servers or on member servers. Only domain users are affected by this behavior.
- The lifetime period of the old password can be configured by editing the registry on a domain controller. No restart is required for this registry change to take effect.
How to change the lifetime period of an old password
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
To change the lifetime period of an old password, add a DWORD entry that is named OldPasswordAllowedPeriod to the following registry subkey on a domain controller:
- Click Start, click Run, type regedit, and then click OK.
- Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- On the Edit menu, point to New, and then click DWORD Value.
- Type OldPasswordAllowedPeriod as the name of the DWORD, and then press ENTER.
- Right-click OldPasswordAllowedPeriod, and then click Modify.
- In the Value data box, type the value in minutes that you want to use, and then click OK.
Note The lifetime period is set in minutes. If this registry value is not set, the default lifetime period for an old password is 60 minutes.
- Quit Registry Editor.
Note This registry setting does not require a restart to take effect.
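The same check and change scripted for a domain controller, as an added example that is not part of this article: it reports the effective window (falling back to the documented 60-minute default when the value is absent) and writes the DWORD described above. The function names and the 5-minute value chosen here are assumptions, not values from the article.

```powershell
# Added example, not from the KB article. Run in an elevated PowerShell
# session on a domain controller; the value below is a constructed choice.
$KeyPath        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName      = 'OldPasswordAllowedPeriod'
$DefaultMinutes = 60   # default the article documents when the value is not set

function Get-OldPasswordAllowedPeriod {
    # Returns the effective lifetime in minutes and whether it was explicitly set.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        [pscustomobject]@{ Minutes = $DefaultMinutes; Explicit = $false }
    } else {
        [pscustomobject]@{ Minutes = [int]$item.$ValueName; Explicit = $true }
    }
}

function Set-OldPasswordAllowedPeriod {
    param([Parameter(Mandatory)][ValidateRange(0, 2147483647)][int]$Minutes)
    # Create the DWORD if it is absent, otherwise overwrite it; no restart is needed.
    if (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue) {
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Minutes
    } else {
        New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Minutes -PropertyType DWord | Out-Null
    }
}

$before = Get-OldPasswordAllowedPeriod
Write-Host ('Before: {0} min (explicitly set: {1})' -f $before.Minutes, $before.Explicit)

# Shorten the window during which an old NTLM password still grants network access
# (5 minutes is a constructed value; size it to your own propagation time).
Set-OldPasswordAllowedPeriod -Minutes 5

$after = Get-OldPasswordAllowedPeriod
Write-Host ('After:  {0} min (explicitly set: {1})' -f $after.Minutes, $after.Explicit)
```

Because the setting lives in each domain controller's own registry, run the check against every DC rather than just one.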
If a user's password is known to be compromised, the administrator should reset the password for that user. The administrator should ask the user to change the password at the next logon to invalidate the old password as soon as possible.
To reset a user's password, follow these steps:
- Start Active Directory Users and Computers.
- Locate the user account whose password must be reset.
- Right-click the user object, and then click Reset Password.
- Type the new password in the New password box and in the Confirm password box.
- Click to select the User must change password at next logon check box, and then click OK.
Article ID: 906305 - Last Review: 07/07/2009 21:38:52 - Revision: 3.0