Thursday, March 19, 2009

Old password issue with AD (strange Microsoft)

Hi guys, today we faced a new issue with Windows Server 2003 AD: the old password can still be used for one hour after changing to a new password. The reasons are given below.

Below is a snapshot of an article with info about the use of the old password:

To reliably support network access for NTLM network authentication in distributed environments, Windows Server 2003 SP1 modifies the NTLM network authentication behavior as follows:
After a domain user successfully changes a password by using NTLM, the old password can still be used for network access for a user-definable time period. This behavior allows accounts, such as service accounts, that are logged on to multiple computers to access the network while the password change propagates.

Reference :

The article details how to change the behavior. It's a registry change, which our servers don't have. If the setting is missing, the servers default to 60 minutes.
Note: This behavior does not cause a security weakness. As long as only one user knows both passwords, the user is still securely authenticated by using either password.
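The note above only holds while the old password is known to nobody but the account owner. If a password was changed because it leaked, whoever holds the old one keeps NTLM network access for the remainder of the grace period, so it is worth knowing what each domain controller is actually configured for. The script below is an added example, not part of the original post or of Microsoft's article. It reads, and optionally sets, the registry value that Microsoft's article documents for this behavior: the DWORD OldPasswordAllowedPeriod (minutes) under HKLM\SYSTEM\CurrentControlSet\Control\Lsa on each domain controller; when the value is absent the default is 60, and 0 disables the grace period. It uses the remote registry, so it assumes the Remote Registry service is running on the targets and that you run it with admin rights on them; PowerShell 2.0 or later is assumed for try/catch.

```powershell
# Added example (not from the original post or Microsoft's article).
# Audits and optionally changes the NTLM old-password grace period on domain
# controllers. Value location and meaning are from Microsoft's documentation:
#   HKLM\SYSTEM\CurrentControlSet\Control\Lsa, DWORD OldPasswordAllowedPeriod
#   minutes; absent = 60 (default); 0 = old password rejected immediately.
# Assumes Remote Registry is running on the targets and the caller is a local
# admin there. Requires PowerShell 2.0 or later.

$ValueName      = 'OldPasswordAllowedPeriod'
$KeyPath        = 'SYSTEM\CurrentControlSet\Control\Lsa'
$DefaultMinutes = 60   # documented default when the value does not exist

function Get-OldPasswordAllowedPeriod {
    # Returns one object per DC: whether the value is explicitly set and the
    # effective grace period in minutes (the default is reported when absent).
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($dc in $ComputerName) {
        $hklm = $null
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc)
            $key  = $hklm.OpenSubKey($KeyPath)
            $raw  = $key.GetValue($ValueName)          # $null when the value is missing
            New-Object PSObject -Property @{
                ComputerName = $dc
                Configured   = ($raw -ne $null)
                Minutes      = $(if ($raw -eq $null) { $DefaultMinutes } else { [int]$raw })
            }
        } catch {
            Write-Warning ("{0}: {1}" -f $dc, $_.Exception.Message)
        } finally {
            if ($hklm) { $hklm.Close() }
        }
    }
}

function Set-OldPasswordAllowedPeriod {
    # Writes the DWORD on each DC. 0 closes the window entirely; a small
    # non-zero value keeps the service-account scenario from the article working
    # while shortening the exposure after a password change.
    param(
        [Parameter(Mandatory = $true)][int]$Minutes,
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    foreach ($dc in $ComputerName) {
        $hklm = $null
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc)
            $key  = $hklm.OpenSubKey($KeyPath, $true)  # $true = writable
            $key.SetValue($ValueName, $Minutes, [Microsoft.Win32.RegistryValueKind]::DWord)
            Write-Host ("{0}: {1} set to {2} minute(s)" -f $dc, $ValueName, $Minutes)
        } catch {
            Write-Warning ("{0}: {1}" -f $dc, $_.Exception.Message)
        } finally {
            if ($hklm) { $hklm.Close() }
        }
    }
}

# Usage: enumerate the DCs of the current domain, audit them, and (commented
# out) shorten the window. The DC list comes from System.DirectoryServices.
$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
       ForEach-Object { $_.Name }

Get-OldPasswordAllowedPeriod -ComputerName $dcs |
    Format-Table ComputerName, Configured, Minutes -AutoSize

# Set-OldPasswordAllowedPeriod -Minutes 0 -ComputerName $dcs
```

Run the audit first: a DC that reports Configured = False is on the 60-minute default described in the article. Setting 0 everywhere trades the propagation tolerance the article was added for against a shorter exposure window, so check which service accounts rely on it before disabling it.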

C  u  in next post