JSI Tip 9765. The NTLM network authentication behavior has been modified in Windows Server 2003 SP1?

After applying Service Pack 1 for Windows Server 2003, domain users can use their old password to access the network for an administrator-definable period after the password has been changed.

NOTE: Kerberos authentication is unaffected by this behavior change, as is interactive logon behavior.

The default old password lifetime period is 60 minutes. To alter the lifetime period for old passwords, I have scripted OldPasswordAllowedPeriod.bat.

The syntax for using OldPasswordAllowedPeriod.bat is:

OldPasswordAllowedPeriod Minutes

Where Minutes is the number of minutes for the lifetime period for old passwords.

NOTE: This script can be run on a Windows Server 2003, or on a Windows XP domain member with the Windows Server 2003 adminpak.msi installed.

OldPasswordAllowedPeriod.bat contains:

@echo off
if {%1}=={} @echo OldPasswordAllowedPeriod Minutes&goto :EOF
if %1 NEQ +%1 @echo OldPasswordAllowedPeriod Minutes - %1 is not numeric&goto :EOF
set key=HKLM\SYSTEM\CurrentControlSet\Control\Lsa
set /a minutes=%1
REM DSQUERY SERVER -O RDN lists every domain controller; %%~c strips the quotes around each name
for /f "Tokens=1" %%c in ('DSQUERY SERVER -O RDN') do (
 @echo REG ADD \\%%~c\%key% /V OldPasswordAllowedPeriod /T REG_DWORD /F /D %minutes%
 REG ADD \\%%~c\%key% /V OldPasswordAllowedPeriod /T REG_DWORD /F /D %minutes%
)
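To verify the window rather than set it, the following PowerShell audit (an added example, not part of the original tip) reads OldPasswordAllowedPeriod from every domain controller and flags any whose value exceeds a chosen limit. It assumes the RSAT ActiveDirectory module and remote registry access to each DC; the 60-minute default is the one the tip describes.

```powershell
# Added example, not part of the original tip: report the OldPasswordAllowedPeriod
# setting on every domain controller and flag values above a limit.
# Assumes the ActiveDirectory module (RSAT) and remote registry access to each DC.
param(
    [int]$MaxAllowedMinutes = 60   # constructed audit threshold; adjust to policy
)

$keyPath        = 'SYSTEM\CurrentControlSet\Control\Lsa'
$valueName      = 'OldPasswordAllowedPeriod'
$defaultMinutes = 60               # built-in default when the value is absent

Import-Module ActiveDirectory

foreach ($dc in (Get-ADDomainController -Filter *)) {
    $name = $dc.HostName
    try {
        # Open HKLM on the remote DC and read the value, if present
        $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $name)
        $key  = $hive.OpenSubKey($keyPath)
        $raw  = $key.GetValue($valueName, $null)
        $key.Close(); $hive.Close()
    } catch {
        Write-Warning "$name : cannot read registry ($($_.Exception.Message))"
        continue
    }

    if ($null -eq $raw) {
        $minutes = $defaultMinutes
        $source  = 'default (value absent)'
    } else {
        $minutes = [int]$raw
        $source  = 'explicit'
    }

    $status = if ($minutes -gt $MaxAllowedMinutes) { 'EXCEEDS LIMIT' } else { 'ok' }
    [pscustomobject]@{
        DomainController = $name
        Minutes          = $minutes
        Source           = $source
        Status           = $status
    }
}
```

Run it from a domain-joined admin workstation; each DC appears as one row, so a DC whose value was set longer than the others stands out immediately.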
