Microsoft Knowledge Base Article - 299656

New Registry Key to Remove LM Hashes from Active Directory and Security Account Manager

The information in this article applies to:
  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Advanced Server SP2
  • Microsoft Windows 2000 Professional SP2
This article was previously published under Q299656
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SUMMARY

Some Internet newsletters describe a registry key named NoLmHash in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa that prevents the storage of LAN Manager (LM) hashes in Active Directory and in local computer SAM databases. These hashes are easier to attack when an intruder tries to recover the password of an account.

The feature controlled by this key was not thoroughly tested until Service Pack 2.

MORE INFORMATION

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

The registry key and its functionality were added shortly before the release of Windows 2000 and were not tested. Therefore, this key was not documented and should be considered unsafe to use in production environments before Windows 2000 Service Pack 2.

To add this key:
  1. Start Registry Editor (Regedt32.exe).
  2. Locate this key in the registry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

  3. On the Edit menu, click Add Key, type NoLMHash, and then click OK.
  4. Quit Registry Editor.
  5. Restart the computer to make the setting active.
NOTE: This registry key is required on all domain controllers.

When this registry key is set, the LM hash for a user account is not removed until the next time the user changes his or her password. In addition to setting this key, you must also make sure that all users change their passwords after the key is in place.

The successor version of Windows 2000 implements the setting that removes LAN Manager hashes as a Group Policy setting.
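One way to verify the two points above (the key present on every domain controller, and the accounts that still hold an LM hash because their password predates the key), as an added example that is not part of the original article: it is written for a current PowerShell admin host with the ActiveDirectory module and remoting to the domain controllers, and the function names and the example cut-off date are assumptions.

```powershell
# Added audit helper for this article; it is not Microsoft's code. Assumes a
# current admin host with the ActiveDirectory module and PowerShell remoting
# to the domain controllers. Function names and $KeyEnabledOn are assumptions.

function Test-NoLMHashSetting {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        # Windows 2000 SP2 form from the article: a subkey named NoLMHash.
        $subKey = Test-Path -Path (Join-Path $lsa 'NoLMHash')
        # Later Windows versions (outside this article) store the same
        # setting as a REG_DWORD value NoLMHash = 1 under Lsa, set by policy.
        $value = (Get-ItemProperty -Path $lsa -Name 'NoLMHash' `
                      -ErrorAction SilentlyContinue).NoLMHash
        [pscustomobject]@{
            Computer     = $env:COMPUTERNAME
            SubKeyExists = $subKey
            ValueIsOne   = ($value -eq 1)
            Enforced     = ($subKey -or $value -eq 1)
        }
    }
}

function Get-UsersWithLingeringLMHash {
    param([Parameter(Mandatory)][datetime]$KeyEnabledOn)
    # The key only stops new LM hashes from being written; an account whose
    # password was last set before the key existed still has one stored.
    Get-ADUser -Filter 'Enabled -eq $true' -Properties pwdLastSet |
        Where-Object { [datetime]::FromFileTime($_.pwdLastSet) -lt $KeyEnabledOn } |
        Select-Object SamAccountName,
            @{ n = 'PasswordLastSet'; e = { [datetime]::FromFileTime($_.pwdLastSet) } }
}

# Usage: the article requires the key on every domain controller, so check
# all of them, then list the accounts that still need a password change.
# The cut-off date is a placeholder; use the date the key was added.
$dcs = (Get-ADDomainController -Filter *).HostName
$dcs | ForEach-Object { Test-NoLMHashSetting -ComputerName $_ } | Format-Table
Get-UsersWithLingeringLMHash -KeyEnabledOn (Get-Date '2002-11-08') | Format-Table
```

Accounts with pwdLastSet of 0 (password change required at next logon) also appear in the second list, which is harmless since they will change their password anyway.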
Last Reviewed: 11/8/2002
Keywords: kbenv kbinfo kbnetwork KB299656
