User May Have Two Different Passwords After Migration from LAN Manager

• Microsoft Windows NT Server version 4.0

SYMPTOMS

A user may have two different passwords (a LAN Manager password and a Windows NT password) without knowing it.

MORE INFORMATION

The Windows NT password may be empty if the account database was migrated from an old LAN Manager domain (for example, by using Portuas.exe). In this case, the old LAN Manager password (encrypted with DES) is taken from the old account database, and the new Windows NT password (encrypted using MD4) will be empty, because there is no way to recalculate the password from the LM database.

In Service Pack 4, security validation has changed. It is possible a user is validated only by the Windows NT 4.0 password, which can be empty if it has not been changed since the migration from LAN Manager.

For additional information on this security validation change, please see the following article in the Microsoft Knowledge Base:

Q147706 How to Disable LM Authentication on Windows NT

RESOLUTION

To resolve this issue, after migration, have the user change the password in the Windows NT domain. This can be achieved by setting the appropriate flags in the Windows NT User Manager for Domains. After the password has changed, both passwords (LAN Manager and Windows NT) will be kept in sync.

Additional query words: NT4SP4 security validation

Keywords :
Version : WinNT:4.0
Platform : winnt
Issue type : kbprb