FortiPAM
FortiPAM allows you to protect, isolate and secure privileged account credentials, manage and control privileged user access, and monitor and record privileged account activity.
Tianlei_Wang
Staff
Article Id 251894
Description


This article explains why, after a password is changed on the Windows AD server, FortiPAM can still use the old password to launch a secret and run password change operations for a period of time.


Scope


Microsoft Windows Server 2003 and later.


Solution


According to Microsoft, 'Beginning with Microsoft Windows Server 2003 Service Pack 1 (SP1), there is a change to NTLM network authentication behavior. Domain users can use their old password to access the network for one hour after the password is changed'. 

Reference:

New setting modifies NTLM network authentication behavior 


To disable the setting on your server:

1) Start registry editor 'regedit.msc'.

2) Follow the registry subkey 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'.

3) Right-click 'Lsa', select 'New', then select 'DWORD Value'.

4) Enter OldPasswordAllowedPeriod as the name of the 'DWORD'.

5) Right-click OldPasswordAllowedPeriod, then select 'Modify'.

6) Enter a value in the 'Value data' box. This value is the lifetime of the old password, in minutes.

For example, if the value is set to 5, the old password can still be used for 5 minutes after the password change. To disable the grace period entirely, enter 0.

Rebooting the server is not needed.
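The same registry change as an added PowerShell example (not from the Fortinet article): it reports the current OldPasswordAllowedPeriod value, writes the new one and reads it back so a failed write is noticed. It assumes an elevated PowerShell prompt on the Windows AD server; the $DesiredMinutes parameter is an assumption of this example.

```powershell
# Added example (not from the Fortinet article): audit and set the
# OldPasswordAllowedPeriod value described in the steps above.
# Assumptions: run from an elevated PowerShell prompt on the Windows AD server;
# $DesiredMinutes is a hypothetical parameter (0 = old password rejected at once).
param(
    [ValidateScript({ $_ -ge 0 })]
    [int]$DesiredMinutes = 0
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'OldPasswordAllowedPeriod'

function Get-OldPasswordAllowedPeriod {
    # Returns the configured lifetime in minutes, or $null when the value is
    # absent (Windows then applies its built-in 60-minute NTLM grace period).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

$before = Get-OldPasswordAllowedPeriod
if ($null -eq $before) {
    Write-Host "$ValueName is not set; the 60-minute default applies."
} else {
    Write-Host "$ValueName is currently $before minute(s)."
}

# Create the REG_DWORD, or overwrite it if it already exists (-Force).
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
                 -Value $DesiredMinutes -Force | Out-Null

# Read back so a mistyped value name or a failed write does not go unnoticed.
# Per the article, no reboot is required for the change to take effect.
$after = Get-OldPasswordAllowedPeriod
if ($after -ne $DesiredMinutes) {
    throw "Failed to set $ValueName (read back: $after, expected: $DesiredMinutes)."
}
Write-Host "$ValueName is now $after minute(s): old passwords are accepted for that long after a change."
```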