Windows IT Pro Archived Blogs

(9) W2K8 R2 AD Upgrade Tips: No LM Hash policy for old clients

For those of you contemplating a W2K8 or R2 upgrade from W2K3, here’s another tidbit to check. If you add a W2K8 or R2 DC to an existing W2K3 domain, (very) old clients that can only use LAN Manager (LM) authentication instead of Kerberos will break. This is because W2K8 and W2K8 R2 have changed policy to never store the easily-hackable LM hash in the local SAM database or in AD, which the old clients require.

If you do still have old computers in the domain that require this, first you have my sympathy :). Second, you need to look at KB946405 on how to re-enable it again.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.