Interesting Password Behaviour


gsimmons.uk

OK here is the situation..

The client is the MS-DOS Network Client - this is being used to begin
the process of client - re-imaging..

A single domain mixed mode 2003 forest

I have discovered that if I reset an account password on a 2000 DC I
can authenticate using the account with the DOS client; however, if I
reset the same account to the same password on a 2003 DC I get access
denied on the DOS client when authenticating?

The Default Domain Controller Policy has the following settings:

Network Security: LAN Manager authentication level = Send LM & NTLM -
use NTLMv2 session security if negotiated

Network Security: Do not store LAN Manager hash value on next password
change = Enabled

I have an idea that it's the second option here causing the issue, which
leads me to ask if the LAN Manager Hash option is not active on 2000
DCs??

Cheers
 

Joe Richards [MVP]

Yeah you need the LANMAN hash for DOS clients. Also you need to make sure that
the protocol signing isn't enabled.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
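Audit helper added here, not part of the thread, to read the registry locations behind the two policies quoted above plus server-side SMB signing on a single DC. Group Policy writes "Do not store LAN Manager hash value" as the DWORD value NoLMHash=1, which Windows 2003/XP honour, while Windows 2000 only honours a subkey named NoLMHash under Lsa; the script checks for both forms. It assumes remote-registry and WMI access to the target.

```powershell
# Added audit helper (not from this thread). Requires remote-registry and WMI rights.
param([string]$ComputerName = $env:COMPUTERNAME)

$hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
$lsa  = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
$srv  = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Services\LanManServer\Parameters')

# "Do not store LAN Manager hash value on next password change": Group Policy sets the
# DWORD value NoLMHash=1 (2003/XP). Windows 2000 only honours a *subkey* named NoLMHash,
# so the DWORD alone leaves a 2000 DC still writing LM hashes on password reset.
$noLmValue = $lsa.GetValue('NoLMHash')                      # $null when absent
$noLmKey   = $lsa.GetSubKeyNames() -contains 'NoLMHash'
$osVersion = (Get-WmiObject -ComputerName $ComputerName Win32_OperatingSystem).Version
$is2000    = $osVersion -like '5.0*'
$lmHashSuppressed = if ($is2000) { $noLmKey } else { $noLmValue -eq 1 }

# "LAN Manager authentication level": 0-5. 1 = "Send LM & NTLM - use NTLMv2 session
# security if negotiated"; 4 makes the DC refuse LM, 5 makes it refuse LM and NTLM.
$lmLevel = $lsa.GetValue('LmCompatibilityLevel')

# Server-side SMB signing. A DOS/LANMAN client cannot sign, so "always" locks it out.
$signRequired = $srv.GetValue('RequireSecuritySignature')
$signEnabled  = $srv.GetValue('EnableSecuritySignature')

[pscustomobject]@{
    ComputerName         = $ComputerName
    OSVersion            = $osVersion
    NoLMHashValue        = $noLmValue
    NoLMHashKeyPresent   = $noLmKey
    # $true means new passwords get no LM hash, so a DOS client cannot log on
    LMHashSuppressed     = $lmHashSuppressed
    LmCompatibilityLevel = if ($null -eq $lmLevel) { 'not set (OS default)' } else { $lmLevel }
    SmbSigningRequired   = ($signRequired -eq 1)
    SmbSigningEnabled    = ($signEnabled -eq 1)
}
```

Run it once per DC; a DC that reports LMHashSuppressed=$false while the policy is applied is the one still issuing LM hashes.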
 

GaryS

Hi Joe..

Yes, I worked out that the LM hash would be needed, but based on the
Network Security: Do not store LAN Manager..... being enabled I would
have expected that Win2000 DCs also wouldn't store a hashed password..

Based on my testing all the Win2000 DCs are setting passwords that the
DOS client can authenticate with, which is contrary to the policy
setting..

Has anyone else come across this behaviour??
 

Joe Richards [MVP]

Honestly, it has been quite a while since I played with policy on a 2K domain;
it could be that there was a bug in that on 2K or it wasn't supported, I don't
recall. If I were to look at this, I would build a free 2K-only domain and patch
it to the latest rev and verify

a) that the policy is there
b) whether it works or not

If it is there and it doesn't work, then I would consider bugging it with MSFT
but most likely not as 2K is now N-2 (R2 is N) and will probably be N-3 within
the next year which means the chance of a non-critical bug being corrected is
almost nil.


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net

 

GaryS

OK.. thanks for the input..

Sorta thinking in that direction myself.. Looks like I'll need to hunt
down a bootable network platform that uses NTLM and can allow the
movement of images around...

cheers
 