Custom Group Policy - NoLMHash


Hi,

I'm creating a custom ADM file so that the LMHash is not stored in Active
Directory anymore (see KB299656 Method 2). The problem I get is that when I
apply the GPO the NoLMHash key is created with a DWORD value inside (which I
don't want). I'm only interested in the key.
Can anyone help me out on this?

Thanks.

Sander.
 
Hi,

Sander said:
I'm creating a custom ADM file so that the LMHash is not stored in Active
Directory anymore (see KB299656 Method 2). The problem I get is that when I
apply the GPO the NoLMHash key is created with a DWORD value inside (which I
don't want). I'm only interested in the key.

It's a little bit tricky to apply just a key, without any valuename.
But you can do a workaround. ADM templates are not able to delete a
created key, they can only delete valuenames.

So, just create a template that deletes a fake value inside the key
at activated state. The key will resist, the value will be deleted.

---- lmhash.adm ----
class machine

category "network security"
policy "Prevent storing a LAN manager hash of your password"
keyname "SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash"
valuename "fake" VALUEON DELETE
end policy
end category
---- lmhash.adm ----

Mark
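
A way to confirm on a client that the template above did what it was meant to, shown as an added example that is not part of the original thread: it reports whether the NoLMHash key exists and whether any value (such as the placeholder "fake") is still inside it. The function name Get-NoLMHashState is hypothetical, and the extra check for a DWORD value named NoLMHash directly under Lsa covers the form KB299656 gives for Windows XP and Windows Server 2003.

```powershell
# Added example (not from the thread): audit the NoLMHash setting locally.
# Get-NoLMHashState is a hypothetical helper name.
function Get-NoLMHashState {
    [CmdletBinding()]
    param(
        # Parent key named in the ADM template's keyname line
        [string]$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    )

    # Key form: an (ideally empty) subkey called NoLMHash
    $keyPath   = Join-Path $LsaPath 'NoLMHash'
    $keyExists = Test-Path -Path $keyPath

    # Any value names still inside the key; the template's "fake" value
    # should have been deleted, so this list is expected to be empty.
    $valuesInKey = @()
    if ($keyExists) {
        $valuesInKey = @((Get-Item -Path $keyPath).GetValueNames())
    }

    # Value form: a DWORD named NoLMHash directly under Lsa
    $dword = $null
    $prop  = Get-ItemProperty -Path $LsaPath -Name 'NoLMHash' -ErrorAction SilentlyContinue
    if ($prop) { $dword = $prop.NoLMHash }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        KeyExists    = $keyExists
        ValuesInKey  = ($valuesInKey -join ', ')
        DwordValue   = $dword
        # Either form counts as the policy being present
        PolicySet    = ($keyExists -or ($dword -eq 1))
    }
}

Get-NoLMHashState | Format-List
```

A result with KeyExists true and ValuesInKey empty matches what the thread asks for. Existing LM hashes are only cleared when each account next changes its password, so the registry state alone does not show that stored hashes are gone.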
 
Mark said:
Hi,

It's a little bit tricky to apply just a key, without any valuename.
But you can do a workaround. ADM templates are not able to delete a
created key, they can only delete valuenames.

So, just create a template that deletes a fake value inside the key
at activated state. The key will resist, the value will be deleted.

---- lmhash.adm ----
class machine

category "network security"
policy "Prevent storing a LAN manager hash of your password"
keyname "SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash"
valuename "fake" VALUEON DELETE
end policy
end category
---- lmhash.adm ----

Mark

See also...

http://support.microsoft.com/default.aspx?scid=kb;en-us;214752

Nick
 