LM Hash

  • LM Hash

    Passwords being stored using LM hash is only affected by local accounts, which I think is the case. We have a domain set up here with GPOs enabled:

    1. to not store LM hash on next password change
    2. only communicate using NTLMv2 and NTLM, refuse LM (new Samba 3.x file server doesn't like the NTLMv2-only setting)

    Well, that's great, but does that mean that on a computer that I have set up, after I have joined the domain and it applies the policy, I have to go and reset everyone's password so it won't be stored as an LM hash (I'm just talking about the local accounts, like local administrator, etc.)?

    Is there a way to make it get rid of its hashed passwords without a password change?

    Or should I have used the regedit method at the time of setup, before deploying the computer out (joining the domain, etc.), and only have to reset the local administrator password so it doesn't get stored as an LM hash?

    Basically I want to know if there is a way to:
    1. stop LM hashing during the very initial phases of a computer setup
    2. get rid of the hash on existing computers without forcing users to change their passwords.

    The systems are Windows XP SP2.

    Last edited by roguecoolman; 20th September 2006, 23:40.

  • #2
    Re: LM Hash

    For #1 you can just specify a password 15 characters or longer. For #2, I don't know of a way it can be done.

    Network Consultant/Engineer
    Baltimore - Washington area and beyond


  • #3
    Re: LM Hash

    As I thought.


  • #4
    Re: LM Hash

    Thanks for the responses.

    I'll have to change my deployment on the XP SP2 clients.

    Do you know if, by default, when Windows Server 2003 R2 is set up and promoted to a DC, the user accounts are stored using LM hash in Active Directory until the GPO setting to not store LM hash is set?
    Last edited by roguecoolman; 21st September 2006, 22:01.


  • #5
    Re: LM Hash

    So far,

    I'm just going to go ahead and reset the local accounts and wait till my AD user accounts change their password on the next change rotation.

    If I can diverge from LM hash storage to the LM communication setup:

    I have set the following policy on my DCs:

    NTLMv2 and NTLM, and refuse LM

    So this tells me that my DCs will only accept NTLMv2 and NTLM and refuse LM.

    So then on my Windows XP SP2 clients, do I need to set the same setting on them?

    I'm thinking that since DC-to-client communication is set only to NTLMv2 and NTLM because of the DC policy, that's fine as long as clients talk to the DC only. But am I correct to assume that setting the policy "NTLMv2 and NTLM and refuse LM" on the clients is to secure them from talking to each other using LM?

    So right now, I've increased security only for DCs communicating with DCs and DCs communicating with clients, but client-to-client may possibly still be communicating via LM. Is my assumption on this correct?

    Last edited by roguecoolman; 27th September 2006, 20:04.
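The "regedit method" from the first post and the client-side question in #5 both come down to two LSA registry values. The following is an added PowerShell audit script, not something posted in this thread; it assumes the value names NoLMHash and LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa and the standard 0-5 meanings of the "LAN Manager authentication level" policy.

```powershell
# Added example (not from this thread): report the two LSA values behind the GPO
# settings discussed above, and optionally set them. Assumed value names:
#   NoLMHash             DWORD, 1 = stop writing LM hashes at the next password change
#   LmCompatibilityLevel DWORD 0-5, the "LAN Manager authentication level" policy
# Run elevated. NoLMHash only affects future password changes; LM hashes already
# stored remain until that account's password is reset.
param(
    [switch]$Fix,                                # apply hardened values instead of only reporting
    [ValidateRange(0,5)][int]$TargetLevel = 3    # client default: send NTLMv2 response only
)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$levelText = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM and NTLM'
}

function Get-LmPosture {
    $p = Get-ItemProperty -Path $lsa
    # A missing value behaves like 0: LM hashes stored, LM responses sent.
    [pscustomobject]@{
        NoLMHash             = [int]$p.NoLMHash
        LmCompatibilityLevel = [int]$p.LmCompatibilityLevel
    }
}

$before = Get-LmPosture
$storeMsg = if ($before.NoLMHash -eq 1) { 'LM hash not stored on next change' } else { 'LM hash WILL be stored' }
Write-Host ("NoLMHash             = {0}  ({1})" -f $before.NoLMHash, $storeMsg)
Write-Host ("LmCompatibilityLevel = {0}  ({1})" -f $before.LmCompatibilityLevel, $levelText[$before.LmCompatibilityLevel])

if ($before.LmCompatibilityLevel -le 1) {
    # Level 0/1 still sends LM responses, so client-to-client sessions can use LM
    # even when the DCs refuse it.
    Write-Warning 'This host still sends LM responses; peer-to-peer sessions can fall back to LM.'
}

if ($Fix) {
    Set-ItemProperty -Path $lsa -Name NoLMHash -Value 1 -Type DWord
    Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value $TargetLevel -Type DWord
    $after = Get-LmPosture
    Write-Host ("Applied: NoLMHash={0}, LmCompatibilityLevel={1}. Reset local passwords to purge existing LM hashes." -f $after.NoLMHash, $after.LmCompatibilityLevel)
}
```

Run it without -Fix first on a client and on a DC to compare what the GPO actually delivered; a DC set to "refuse LM" corresponds to level 4 here, while clients only need a level of 2 or higher to stop emitting LM responses.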