This article describes why, after a password change on a Windows AD server, the user can still authenticate with the old password for a period of time, and how to shorten or disable that grace period.
Microsoft Windows Server 2003 and later.
According to Microsoft, 'Beginning with Microsoft Windows Server 2003 Service Pack 1 (SP1), there is a change to NTLM network authentication behavior. Domain users can use their old password to access the network for one hour after the password is changed'.
Reference:
New setting modifies NTLM network authentication behavior
To disable the setting on your server:
1) Start the registry editor ('regedit.exe').
2) Navigate to the registry subkey 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'.
3) Right-click 'Lsa', select 'New' and select 'DWORD Value'.
4) Enter OldPasswordAllowedPeriod as the name of the 'DWORD'.
5) Right-click OldPasswordAllowedPeriod, then select 'Modify'.
6) Enter a value in the 'Value data' box. This value is the lifetime of the old password, in minutes.
For example, the old password can be used for 5 mins after the password change if the value is set to 5. To disable, enter 0.
Rebooting the server is not needed.
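The same change scripted in PowerShell, as an added example that is not part of the original article: the registry path and value name come from the steps above, while the function name and its Minutes parameter are this example's own. It records the previous value, writes the new one and reads it back to confirm the setting took effect.

```powershell
# Added example (not from the original article): set OldPasswordAllowedPeriod from
# PowerShell instead of regedit. Run in an elevated PowerShell session on each domain
# controller. The path and value name are from the article; the function name and
# the -Minutes parameter are this example's own.
function Set-OldPasswordAllowedPeriod {
    param(
        # Lifetime of the old password in minutes; 0 disables the grace period entirely.
        [Parameter(Mandatory)]
        [ValidateRange(0, [int]::MaxValue)]
        [int]$Minutes
    )
    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $name    = 'OldPasswordAllowedPeriod'

    # Record the current value (if any) so the change can be audited or rolled back.
    $before = (Get-ItemProperty -Path $lsaPath -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $before) {
        Write-Host "$name not present; the Windows default (60 minutes) was in effect."
    } else {
        Write-Host "$name was $before minute(s)."
    }

    # Create or overwrite the REG_DWORD. No reboot is required for the change to apply.
    New-ItemProperty -Path $lsaPath -Name $name -PropertyType DWord -Value $Minutes -Force | Out-Null

    # Read the value back and verify it was written as intended.
    $after = (Get-ItemProperty -Path $lsaPath -Name $name).$name
    if ($after -ne $Minutes) {
        throw "Failed to set ${name}: expected $Minutes, found $after"
    }
    Write-Host "$name is now $after minute(s)."
}

# Disable the grace period so a changed password stops working immediately for NTLM network logons.
Set-OldPasswordAllowedPeriod -Minutes 0
```

Pass a value such as `-Minutes 5` instead of 0 to keep a short grace period rather than removing it.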
Copyright 2024 Fortinet, Inc. All Rights Reserved.