LmCompatibilityLevel is not working

ba7eth

I have set both Windows 2003 domain controller and Windows XP SP3 workstation
to LmCompatibilityLevel 5 (NTLMv2 response only/refuse LM and NTLM)

I also set NoLMhash on both machines (DC, and workstation), then I rebooted
both.

I also changed the password for the administrator as well as other users to
make sure that no LM hash is being stored/used.

The problem is using a sniffer I can see that LM hash is being sent. Can
anyone please help figure out why this is the case?

Thanks,
 
John John - MVP

ba7eth said:
I have set both Windows 2003 domain controller and Windows XP SP3 workstation
to LmCompatibilityLevel 5 (NTLMv2 response only/refuse LM and NTLM)

I also set NoLMhash on both machines (DC, and workstation), then I rebooted
both.

I also changed the password for the administrator as well as other users to
make sure that no LM hash is being stored/used.

The problem is using a sniffer I can see that LM hash is being sent. Can
anyone please help figure out why this is the case?

I think that the LM hash is still being stored, although I'm not sure
why it would still be sent. Take a look at the following GPO:

Network security: Do not store LAN Manager hash value on next password
change

and

Network security: LAN Manager authentication level

John
 
ba7eth

Thank you John for responding back. As I mentioned in my post the
LmCompatibilityLevel is set to 5 which is
"Send NTLMv2 response only\refuse LM & NTLM"

Which makes the value of the "Network security: LAN Manager authentication
level" to be set to 5 which is supposed to be the most secure mode of all
applicable levels.

Why I still see LM with the above settings as well as NoLMHash is puzzling
me.
 
ba7eth

Thank you John for your reply.

As I mentioned earlier I have the "LmCompatibilityLevel" set to level 5, so
the "Network security: LAN Manager authentication level" is set to level 5
which is "Send NTLMv2 response only\refuse LM & NTLM"

What puzzles me is that in addition to the above settings applied NoLMHash
is also set and yet I can see that LM hash is stored?
 
John John - MVP

ba7eth said:
Thank you John for responding back. As I mentioned in my post the
LmCompatibilityLevel is set to 5 which is
"Send NTLMv2 response only\refuse LM & NTLM"

Which makes the value of the "Network security: LAN Manager authentication
level" to be set to 5 which is supposed to be the most secure mode of all
applicable levels.

Why I still see LM with the above settings as well as NoLMHash is puzzling
me.

The NoLMHash is set to 1?

Maybe you should ask the folks in the Server group.

John
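
An added example, not part of the thread: a Python parser that reads the LM and NT response fields of an NTLMSSP AUTHENTICATE (type 3) message extracted from a capture and reports what each carries, because under NTLMv2 the field a sniffer displays as the LM response is still populated, with a 24-byte LMv2 response keyed from the NT hash. The field layout follows MS-NLMP; `classify_authenticate` and `build_sample` are hypothetical names and the sample messages are constructed.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"

def _field(msg, off):
    """Return the payload bytes named by a (Len, MaxLen, BufferOffset) descriptor."""
    length, _max, start = struct.unpack_from("<HHI", msg, off)
    if start + length > len(msg):
        raise ValueError("descriptor points outside the message")
    return msg[start:start + length]

def classify_authenticate(msg):
    """Return (nt_kind, lm_kind) for an NTLMSSP AUTHENTICATE (type 3) message."""
    if len(msg) < 64 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an AUTHENTICATE message")
    lm, nt = _field(msg, 12), _field(msg, 20)   # LM and NT response descriptors
    if not any(lm):
        lm_kind = "absent"                      # empty or zero-filled
    elif len(nt) > 24:
        lm_kind = "LMv2"                        # HMAC-MD5 keyed from the NT hash
    elif len(lm) == 24 and not any(lm[8:]):
        lm_kind = "client nonce"                # NTLMv1 with extended session security
    elif lm == nt:
        lm_kind = "copy of NT response"         # NTLMv1, client withholds the LM response
    else:
        lm_kind = "LM"                          # DES response keyed from the LM hash
    nt_kind = "NTLMv2" if len(nt) > 24 else "NTLMv1" if len(nt) == 24 else "other"
    return nt_kind, lm_kind

def build_sample(lm, nt):
    """Build a minimal type 3 message (constructed test data, not a real capture)."""
    hdr = SIGNATURE + struct.pack("<I", 3)
    hdr += struct.pack("<HHI", len(lm), len(lm), 64)
    hdr += struct.pack("<HHI", len(nt), len(nt), 64 + len(lm))
    hdr += struct.pack("<HHI", 0, 0, 64) * 4    # domain, user, workstation, session key
    hdr += struct.pack("<I", 0)                 # NegotiateFlags (ignored here)
    return hdr + lm + nt

if __name__ == "__main__":
    v2 = build_sample(bytes(range(1, 25)), bytes(range(1, 61)))
    v1 = build_sample(bytes(range(1, 25)), bytes(range(101, 125)))
    print(classify_authenticate(v2))
    print(classify_authenticate(v1))
```

Only the "LM" result means a response derived from the LM hash was sent; "LMv2" is expected when level 5 is in effect.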
 
