User May Have Two Different Passwords After Migration from LAN ManagerID: Q197851
|
A user may have two different passwords (a LAN Manager password and a Windows NT password) without knowing it.
The Windows NT password may be empty if the account database was migrated
from an old LAN Manager domain (for example, by using Portuas.exe). In this
case, the old LAN Manager password (encrypted with DES) is taken from the
old account database, and the new Windows NT password (encrypted using MD4)
will be empty, because there is no way to recalculate the password from the
LM database.
In Service Pack 4, security validation has changed. It is possible a user
is validated only by the Windows NT 4.0 password, which can be empty if it
has not been changed since the migration from LAN Manager.
For additional information on this security validation change, please see
the following article in the Microsoft Knowledge Base:
Q147706 How to Disable LM Authentication on Windows NT
To resolve this issue, after migration, have the user change the password in the Windows NT domain. This can be achieved by setting the appropriate flags in the Windows NT User Manager for Domains. After the password has changed, both passwords (LAN Manager and Windows NT) will be kept in sync.
Additional query words: NT4SP4 security validation
Keywords :
Version : WinNT:4.0
Platform : winnt
Issue type : kbprb Last Reviewed: February 25, 1999