Windows Tip Sheet
A Window of Opportunity
Configure the time for new password changes to take effect in SP1.
Hope you all had a Happy Halloween!
Now, here’s something scary: A Win98 user (I know, they really need to
upgrade) changes his/her password in the domain. The domain is, by the way,
run purely on Win2003 DCs that have recently been upgraded to Service Pack 1.
But that’s not the scary part. The scary part is that the user logs off
for lunch, and then comes back after lunch. Forgetting that he’d changed
his password, he logs on with his old password … and it works.
Immediately, he logs off and tries the new password and it works, too.
What? Well, it turns out that SP1 throws a couple of interesting loops into
the NTLM authentication layer, allowing old passwords to remain active for a
period of time. By default, that period is only an hour, but you can change
it. Look in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
for a value named OldPasswordAllowedPeriod (you’d
do this on the DCs, and you’ll need to do all of them). The value is a
DWORD value and represents the number of minutes to allow.
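
Because the value has to match on every DC, an audit script is handy. The following is an added example, not code from the original article or from Microsoft: it reads OldPasswordAllowedPeriod from each DC in the current domain, optionally writes a new value, and warns when DCs disagree or cannot be reached. It assumes domain admin rights and a reachable Remote Registry service on each DC; the -SetMinutes parameter name is hypothetical.

```powershell
# Added example: audit (and optionally set) OldPasswordAllowedPeriod on all DCs.
# Assumptions: run from a domain-joined machine as a domain admin, and the
# Remote Registry service is reachable on every DC.
param(
    [Nullable[int]]$SetMinutes = $null   # hypothetical parameter; omit to audit only
)

$lsaPath   = 'SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'OldPasswordAllowedPeriod'
$writable  = $null -ne $SetMinutes

# Enumerate DCs without needing the ActiveDirectory module.
$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers

$report = foreach ($dc in $dcs) {
    $hklm = $null; $key = $null
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc.Name)
        $key  = $hklm.OpenSubKey($lsaPath, $writable)
        if ($writable) {
            $key.SetValue($valueName, [int]$SetMinutes,
                          [Microsoft.Win32.RegistryValueKind]::DWord)
        }
        # A missing value is reported as unset rather than guessed at.
        $current = $key.GetValue($valueName, $null)
        [pscustomobject]@{
            DC      = $dc.Name
            Minutes = if ($null -eq $current) { 'not set' } else { $current }
            Error   = $null
        }
    } catch {
        [pscustomobject]@{ DC = $dc.Name; Minutes = $null; Error = $_.Exception.Message }
    } finally {
        if ($key)  { $key.Close() }
        if ($hklm) { $hklm.Close() }
    }
}

$report | Format-Table -AutoSize

# A DC that was missed keeps honouring old passwords for its own period,
# so treat any disagreement or unreachable DC as a finding.
$failed   = @($report | Where-Object { $_.Error })
$distinct = @($report | Where-Object { -not $_.Error } |
              Select-Object -ExpandProperty Minutes -Unique)
if ($failed.Count -gt 0 -or $distinct.Count -gt 1) {
    Write-Warning 'DCs are inconsistent or unreachable; review the table above.'
}
```
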
So, what gives? Well, the idea is that a password change from an NTLM client
can only be written to the PDC Emulator, and it might -- especially in a large,
distributed network -- take some time for that change to be replicated to other
DCs, including those that might actually handle authentications. Imagine this
Win98 user at a remote office, contacting the PDC Emulator over the WAN to change
the password, and then authenticating to the same old DC at the remote office
-- which doesn’t have the new password, yet. So this feature gives the
domain an hour to get the new password replicated, leaving the old password
intact in the meantime. This has no effect on Kerberos clients, because they
know to write their password change to (usually) the DC that authenticated them
in the first place.
More Resources:
Read Microsoft KB article 906305 for more on the subject.
About the Author
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.