Windows Tip Sheet
A Window of Opportunity
Configure the time for new password changes to take effect in SP1.
Hope you all had a Happy Halloween!
Now, here’s something scary: A Win98 user (I know, they really need to
upgrade) changes his/her password in the domain. The domain is, by the way,
run purely on Win2003 DCs that have recently been upgraded to Service Pack 1.
But that’s not the scary part. The scary part is that the user logs off
for lunch, and then comes back after lunch. Forgetting that he’d changed
his password, he logs on with his old password … and it works.
Immediately, he logs off and tries the new password and it works, too.
What? Well, it turns out that SP1 throws a couple of interesting loops into
the NTLM authentication layer, allowing old passwords to remain active for a
period of time. By default, that period is only an hour, but you can change
it. Look in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
for a value named OldPasswordAllowedPeriod (you’d
do this on the DCs, and you’ll need to do all of them). The value is a
DWORD value and represents the number of minutes to allow.
So, what gives? Well, the idea is that a password change from an NTLM client
can only be written to the PDC Emulator, and it might -- especially in a large,
distributed network -- take some time for that change to be replicated to other
DCs, including those that might actually handle authentications. Imagine this
Win98 user at a remote office, contacting the PDC Emulator over the WAN to change
the password, and then authenticating to the same old DC at the remote office
-- which doesn’t have the new password, yet. So this feature gives the
domain an hour to get the new password replication, leaving the old password
intact in the meantime. This has no effect on Kerberos clients, because they
know to write their password change to (usually) the DC that authenticated them
in the first place.
Read Microsoft KB article 906305
for more on the subject.
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author/Evangelist for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.