Windows Tip Sheet
A Window of Opportunity
Configure the time for new password changes to take effect in SP1.
Hope you all had a Happy Halloween!
Now, here’s something scary: A Win98 user (I know, they really need to
upgrade) changes his/her password in the domain. The domain is, by the way,
run purely on Win2003 DCs that have recently been upgraded to Service Pack 1.
But that’s not the scary part. The scary part is that the user logs off
for lunch, and then comes back after lunch. Forgetting that he’d changed
his password, he logs on with his old password … and it works.
Immediately, he logs off and tries the new password and it works, too.
What? Well, it turns out that SP1 changes the way DCs handle NTLM
authentication: for a period of time after a password change, the DC
accepts the old password as well as the new one. By default that period is
one hour, but you can change it. On each DC, look in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa for a DWORD value
named OldPasswordAllowedPeriod (it isn't there by default, so you'll
create it), and set it to the number of minutes to allow. Set it to 0 and the
old password stops working as soon as it is changed. Because every DC
evaluates NTLM authentications on its own, you need to set the same value on
all of them; one DC left at the default will still accept the old password for
an hour.
So, what gives? Well, the idea is that a password change from a downlevel
NTLM client (NT4, Win9x) is written to the PDC Emulator, and it might -- especially in a large,
distributed network -- take some time for that change to be replicated to other
DCs, including those that might actually handle authentications. Imagine this
Win98 user at a remote office, contacting the PDC Emulator over the WAN to change
the password, and then authenticating to the same old DC at the remote office
-- which doesn't have the new password, yet. (A DC that rejects a password does
retry it against the PDC Emulator, which is why the new password works everywhere
right away; the grace period covers the other direction.) So this feature gives the
domain an hour to get the new password replicated, leaving the old password
intact in the meantime. Note the flip side: on SP1 DCs, resetting the password of
an account you suspect is compromised does not cut off NTLM use of the old
password until that hour is up, so if that matters to you, set the period to 0.
This has no effect on Kerberos clients; the grace period is implemented only in
the NTLM path, and Kerberos clients normally write their password change to the
DC that authenticated them in the first place, so they don't hit the replication
lag to begin with.
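Since the value has to agree on every DC, here is a script to audit (and, with -Minutes, set) OldPasswordAllowedPeriod across the whole domain. This is an added example, not code from the original column or from Microsoft; it assumes the Remote Registry service is reachable on each DC and that you run it as a domain admin. It enumerates DCs through System.DirectoryServices so it doesn't need the AD module, and it warns when the DCs disagree, which is exactly the condition the KB is warning about.

```powershell
# Added example: audit or set OldPasswordAllowedPeriod on every DC in the domain.
# Assumptions: Remote Registry is running on each DC, caller is a domain admin.
# Run with no parameters to audit; run with -Minutes 0 to disable the grace period.
param(
    [int]$Minutes    # omit to audit only; 0 = old password rejected immediately
)

$subKey         = 'SYSTEM\CurrentControlSet\Control\Lsa'
$valueName      = 'OldPasswordAllowedPeriod'
$defaultMinutes = 60     # the behaviour when the value is absent (KB 906305)
$setting        = $PSBoundParameters.ContainsKey('Minutes')

$domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$results = foreach ($dc in $domain.DomainControllers) {
    $name = $dc.Name
    try {
        # Open HKLM on the remote DC via the Remote Registry service
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $name)
        $lsa  = $hklm.OpenSubKey($subKey, $setting)   # writable only when setting

        $configured = $lsa.GetValue($valueName)         # $null when never created
        $effective  = if ($null -eq $configured) { $defaultMinutes } else { [int]$configured }

        if ($setting) {
            # Always write a DWORD, as the KB specifies
            $lsa.SetValue($valueName, [int]$Minutes,
                          [Microsoft.Win32.RegistryValueKind]::DWord)
            $configured = $Minutes
            $effective  = $Minutes
        }

        $lsa.Close(); $hklm.Close()
        [pscustomobject]@{
            DC               = $name
            Configured       = $configured      # blank means "not set, default applies"
            EffectiveMinutes = $effective
            Error            = $null
        }
    } catch {
        [pscustomobject]@{
            DC               = $name
            Configured       = $null
            EffectiveMinutes = $null
            Error            = $_.Exception.Message
        }
    }
}

$results | Format-Table -AutoSize

# The whole point of the KB: every DC must carry the same value. Flag drift.
$distinct = @($results | Where-Object { -not $_.Error } |
              Select-Object -ExpandProperty EffectiveMinutes -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "DCs disagree on ${valueName}: $($distinct -join ', ') minutes"
}
if ($results | Where-Object { $_.Error }) {
    Write-Warning "Some DCs could not be checked; do not assume they match."
}
```

Run it once without parameters after applying SP1 to see where you stand, and again after any change; a DC that shows an Error should be treated as unknown rather than as matching, since it is precisely the DC you couldn't verify that will keep honouring the old password.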
More Resources:
Read Microsoft KB article 906305 for more on the subject.
About the Author
Don Jones has more than a decade of professional experience in the IT industry. He's the author of more than 30 IT books, including Windows PowerShell: TFM; VBScript, WMI, and ADSI Unleashed; Managing Windows with VBScript and WMI; and many more. He's a top-rated and in-demand speaker at conferences such as Microsoft TechEd and TechMentor, and writes the monthly Windows PowerShell column for Microsoft TechNet Magazine. Don is a multiple-year recipient of Microsoft's Most Valuable Professional (MVP) Award with a specialization in Windows PowerShell. Don's broad IT experience includes work in the financial, telecommunications, software, manufacturing, consulting, training, and retail industries and he's one of the rare IT professionals who can not only "cross the line" between administration and software development, but also between IT workers and IT management.