LAN Manager hash


Nir B

Hi All,

I want to enable "Do not store LAN Manager hash value on next password
change".
I read that I will need to change the password on all accounts after
enabling this setting.
Does that mean all my users will get a notification that they need to
change their passwords, or is it only a recommendation?

Thanks in advance!

Nir B
 
Hi,

This is only a recommendation. There will be no user notification after you
enable the policy.

If your password policy is set to e.g. users must change password after
every 70 days, you know that after 70 days all users' passwords will be
stored as NT hashes. Don't forget to change e.g. service account passwords
(e.g. for backup). These accounts are usually set to "password never
expires". Besides that, they usually have higher privileges on the network,
so it is even more important to get rid of LM hashes.

Mike
 
10X

Miha Pihler said:
Hi,

This is only a recommendation. There will be no user notification after you
enable the policy.

If your password policy is set to e.g. users must change password after
every 70 days, you know that after 70 days all users' passwords will be
stored as NT hashes. Don't forget to change e.g. service account passwords
(e.g. for backup). These accounts are usually set to "password never
expires". Besides that, they usually have higher privileges on the network,
so it is even more important to get rid of LM hashes.

Mike
 
You can consider configuring all the accounts to "require user to change
password at next login." This can even be done with a script, using
CUSRMGR.EXE [doesn't come with Windows, is part of the Windows Resource Kit]
or with a free ADSI .VBS script that can be found on Google, if you are
using Windows 2000 or 2003. I would avoid setting this value on service
accounts, and this value can cause problems for users that typically log in
using RAS or VPN or the Internet or any other method besides the Windows logon
by pressing CTRL-ALT-DELETE while physically attached to your internal
network.
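As an added example (not from the thread or any of its posters), here is how the scripted "change password at next logon" approach described above looks with today's ActiveDirectory PowerShell module instead of CUSRMGR/ADSI, skipping the "password never expires" and SPN-bearing accounts the replies warn about; the OU distinguished name is a placeholder, and the service-account heuristics are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread. Flags enabled domain users for "change password at next
# logon" so their next change is stored NT-hash-only (once the NoLMHash policy is in effect),
# and skips accounts that look like service accounts, as the replies above advise.
# Assumptions: RSAT ActiveDirectory module; $SearchBase is a placeholder OU distinguished name.
param(
    [string]$SearchBase = 'OU=Staff,DC=example,DC=test',  # placeholder; point at your user OU
    [switch]$Commit                                        # without -Commit nothing is changed
)
Import-Module ActiveDirectory

# The policy "Do not store LAN Manager hash value on next password change" is backed by
# the NoLMHash DWORD (1 = enabled) under the Lsa key. This checks the local machine only.
function Test-NoLmHash {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name NoLMHash -ErrorAction SilentlyContinue
    return ($null -ne $lsa -and $lsa.NoLMHash -eq 1)
}

# Classify enabled users; the skip reasons are the cases the thread warns about.
function Get-ChangeCandidates {
    param([string]$Base)
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $Base `
               -Properties PasswordNeverExpires, ServicePrincipalName, pwdLastSet |
    ForEach-Object {
        $skip = $null
        if ($_.PasswordNeverExpires)                 { $skip = 'PasswordNeverExpires (service account?)' }
        elseif ($_.ServicePrincipalName.Count -gt 0) { $skip = 'has an SPN (service account?)' }
        elseif ($_.pwdLastSet -eq 0)                 { $skip = 'already flagged' }
        [pscustomobject]@{ Sam = $_.SamAccountName; User = $_; Skip = $skip }
    }
}

if (-not (Test-NoLmHash)) {
    Write-Warning 'NoLMHash is not set on this host; confirm the policy reached the DCs before forcing changes.'
}
$candidates = Get-ChangeCandidates -Base $SearchBase
$candidates | Where-Object Skip | ForEach-Object { Write-Host ('SKIP  {0,-20} {1}' -f $_.Sam, $_.Skip) }
$todo = @($candidates | Where-Object { -not $_.Skip })
Write-Host ('{0} account(s) to flag; skipped accounts keep their LM hash until rotated by hand.' -f $todo.Count)
foreach ($c in $todo) {
    if ($Commit) {
        # Sets pwdLastSet to 0, the same effect as the "User must change password at next logon" box
        Set-ADUser -Identity $c.User -ChangePasswordAtLogon $true
        Write-Host ('FLAG  {0}' -f $c.Sam)
    } else {
        Write-Host ('WOULD {0}' -f $c.Sam)
    }
}
```

Run it once without -Commit to review the SKIP list (those are the accounts whose passwords you rotate manually), then again with -Commit.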
 
Just to add that you may want to force sensitive accounts such as
administrators to change their passwords right away and let other users do
so at their next interval. Additionally you would want to consider enabling
password complexity for the domain if you have not done so already and
disabling storage of the LM hash for your non-DC servers to make it harder to
crack local administrator accounts on those computers. --- Steve
 