FortiPAM allows you to protect, isolate and secure privileged account credentials, manage and control privileged user access, and monitor and record privileged account activity.
Article Id 251894


This article describes why, after a password change on the Windows AD server, a user can still use the old password to launch secrets and run password change operations in FortiPAM for a period of time.




Microsoft Windows Server 2003 and later.




According to Microsoft, 'Beginning with Microsoft Windows Server 2003 Service Pack 1 (SP1), there is a change to NTLM network authentication behavior. Domain users can use their old password to access the network for one hour after the password is changed'. 


See the Microsoft article 'New setting modifies NTLM network authentication behavior' for details.


To disable the setting on your server:

1) Start the Registry Editor (regedit.exe).

2) Navigate to the registry subkey 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'.

3) Right-click 'Lsa', select 'New' and then select 'DWORD Value'.

4) Enter OldPasswordAllowedPeriod as the name of the DWORD.

5) Right-click OldPasswordAllowedPeriod, then select 'Modify'.

6) Enter a value in the 'Value data' box. This value is the lifetime of the old password in minutes.

For example, the old password can be used for 5 mins after the password change if the value is set to 5. To disable, enter 0.

A server reboot is not required; the new value takes effect immediately.
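The same change made from an elevated PowerShell session on the AD server, as an added example that is not part of the Fortinet article: the function sets the OldPasswordAllowedPeriod DWORD under the Lsa key described above and reads it back to confirm. The function name and its parameter are this example's own.

```powershell
# Added example (not from the Fortinet article): set or clear the NTLM
# old-password grace period via the registry, as an alternative to the
# regedit steps above. Run in an elevated session on the Windows AD server.
function Set-OldPasswordAllowedPeriod {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Lifetime of the old password in minutes; 0 disables the grace period.
        [Parameter(Mandatory)]
        [ValidateRange(0, [int]::MaxValue)]
        [int]$Minutes
    )

    $keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $name    = 'OldPasswordAllowedPeriod'

    # Record the current value. If the value is absent, the Windows default
    # (old password accepted for one hour) is in effect.
    $current = (Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $current) {
        Write-Verbose "$name is not set; the Windows default of 60 minutes applies."
    } else {
        Write-Verbose "$name is currently $current minute(s)."
    }

    if (-not $PSCmdlet.ShouldProcess("$keyPath\$name", "Set DWORD to $Minutes")) {
        return
    }

    # -Force creates the DWORD if it is missing or overwrites it if it exists.
    New-ItemProperty -Path $keyPath -Name $name -PropertyType DWord -Value $Minutes -Force | Out-Null

    # Read the value back so the caller can confirm the change took effect.
    $applied = (Get-ItemProperty -Path $keyPath -Name $name).$name
    if ($applied -ne $Minutes) {
        throw "Expected $name = $Minutes but read back $applied."
    }

    [pscustomobject]@{
        Key      = $keyPath
        Name     = $name
        Previous = $current
        Minutes  = $applied
    }
}

# Disable the grace period entirely so FortiPAM password changes take effect at once.
Set-OldPasswordAllowedPeriod -Minutes 0 -Verbose
```

Use -WhatIf to preview the change without writing to the registry.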