Technical Tip: Old password can still be used on Windows AD server
Description
This article explains why, after a user's password has been changed on a Windows AD server, the old password can still be used to authenticate and perform password change operations for a period of time.
Scope
Microsoft Windows Server 2003 and later.
Solution
According to Microsoft, 'Beginning with Microsoft Windows Server 2003 Service Pack 1 (SP1), there is a change to NTLM network authentication behavior. Domain users can use their old password to access the network for one hour after the password is changed'.
Reference: Microsoft KB article 906305, 'New setting modifies NTLM network authentication behavior'.
To disable the setting on the server (the grace period applies to NTLM network authentication only; it is controlled by a registry value under the Lsa key that does not exist by default, in which case the one hour default applies):
1) Start the registry editor 'regedit.exe'.
2) Navigate to the registry subkey 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'.
3) Right-click 'Lsa', select 'New' and then select 'DWORD Value'.
4) Enter OldPasswordAllowedPeriod as the name of the new DWORD value.
5) Right-click OldPasswordAllowedPeriod, then select 'Modify'.
6) Enter a value in the 'Value data' box. This value is the lifetime of the old password in minutes.
For example, if the value is set to 5, the old password can still be used for 5 minutes after the password change. To disable the grace period entirely, enter 0.
Rebooting the server is not needed; the new value takes effect immediately.
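The same change can be made and verified from an elevated PowerShell session instead of regedit. The script below is an added example and is not part of the original tip; it assumes the registry path and value name given in the steps above and a grace period of 0 minutes (disabled), which you can adjust with the $Minutes parameter.

```powershell
# Added example: audit and set the NTLM old-password grace period.
# Path and value name are those from the steps above; 0 disables the grace period.
param(
    [ValidateRange(0, 1440)]
    [int]$Minutes = 0
)

$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Name = 'OldPasswordAllowedPeriod'

function Get-OldPasswordGracePeriod {
    # Returns the configured grace period in minutes, or $null when the
    # value is absent (Windows then applies the built-in 60 minute default).
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Set-OldPasswordGracePeriod {
    param([int]$Value)
    # -Force creates the DWORD if missing or overwrites it if present.
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

$before = Get-OldPasswordGracePeriod
if ($null -eq $before) {
    Write-Host "$Name not set: default grace period of 60 minutes applies"
} else {
    Write-Host "$Name currently $before minute(s)"
}

Set-OldPasswordGracePeriod -Value $Minutes

$after = Get-OldPasswordGracePeriod
if ($after -ne $Minutes) {
    throw "Failed to set $Name (read back $after, expected $Minutes)"
}
Write-Host "$Name is now $after minute(s); no reboot required"
```

Run it as an administrator on each domain controller, since the value is read by the local LSA on the server that performs the NTLM validation. Re-running the script with no parameters is a quick way to confirm that the setting has not drifted back to the default.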