Removing LM hashes from Windows 2003 Active Directory?

  • Removing LM hashes from Windows 2003 Active Directory?

    I have a Windows 2003 Active Directory domain and want a way of deleting all existing LM hashes from the AD database.

    I know there is a GPO setting to stop Active Directory from creating LM hashes, but this doesn't deal with the ones that already exist.

    Does anyone know if/how to remove all currently stored LM hashes from the domain?

  • #2
    Re: Removing LM hashes from Windows 2003 Active Directory?

    Force the users to change their passwords after linking the GPO with NoLMHash setting to DCs.

    The actual value of the LM hash is stored in an attribute called "dBCSPwd", but it is not writable and will always show up as empty when trying to read it.
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"


    • #3
      Re: Removing LM hashes from Windows 2003 Active Directory?

      But the old LM hashes for previous pws are still there for all to see and gain insight into the user is dumped.

      Also, I've noticed user passwords do not change that much even when they are changed, and password history never catches this.

      So, back to the original question, how do I delete the LM hashes that are currently stored?

      This "dBCSPwd" attribute you speak of must have the LM hashes accessible somehow and that is the problem. If it is not writeable then would this imply that I cannot delete the LM hash of a user? It must be writeable somehow since the hash gets written there in the first place?
      Last edited by humbletech99; 5th December 2007, 14:08.
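
Added example, not part of the original thread: one way to list the accounts that still need the password change suggested in reply #2, by comparing each account's `pwdLastSet` with the time the NoLMHash GPO took effect. The CSV layout, the account names, the timestamps and the policy date are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample export, one "sAMAccountName,pwdLastSet" pair per line.
# pwdLastSet is a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
SAMPLE_EXPORT = """\
alice,128417184000000000
bob,128251296000000000
carol,0
svc_backup,127500000000000000
"""

# Assumed moment the NoLMHash GPO was applied to the domain controllers.
POLICY_EFFECTIVE = datetime(2007, 12, 6, tzinfo=timezone.utc)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Convert a FILETIME tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def accounts_needing_change(export_text, policy_effective):
    """Return account names whose password predates NoLMHash enforcement.

    pwdLastSet == 0 means "must change at next logon": the old password,
    and any LM hash stored with it, stays in place until the user acts.
    """
    stale = []
    for line in export_text.splitlines():
        line = line.strip()
        if not line:
            continue
        # rsplit keeps account names that themselves contain a comma intact.
        name, raw = line.rsplit(",", 1)
        ticks = int(raw)
        if ticks == 0 or filetime_to_datetime(ticks) < policy_effective:
            stale.append(name)
    return stale


if __name__ == "__main__":
    for account in accounts_needing_change(SAMPLE_EXPORT, POLICY_EFFECTIVE):
        print(account)
```
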