New Registry Key to Remove LM Hashes from Active Directory and Security Account Manager
The information in this article applies to:
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Professional SP2
This article was previously published under Q299656
This article contains information about modifying the registry.
Before you modify the registry, make sure to back it up and make sure that you
understand how to restore the registry if a problem occurs. For information
about how to back up, restore, and edit the registry, click the following
article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
SUMMARY
Some Internet newsletters describe a registry key named NoLmHash in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa to prevent the
storage of LAN Manager (LM) hashes in Active Directory and local computer SAM
databases. These hashes are easier to attack when an intruder tries to find
out the password of an account. The feature controlled by this key was not
thoroughly tested until Service Pack 2.
If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system. Microsoft
cannot guarantee that you can solve problems that result from using Registry
Editor incorrectly. Use Registry Editor at your own
The registry key and its functionality were added
shortly before the release of Windows 2000 and were not tested. Therefore, this
value was not documented and should be considered unsafe to use in production
environments before Windows 2000 Service Pack 2.
To add this key:
- Start Registry Editor (Regedt32.exe).
- Locate this key in the registry:
- On the Edit menu, click Add Key, type NoLMHash, and then click
- Quit Registry Editor.
- Restart the computer to make the setting active.
This registry key is required on all domain
When this registry key is set, the LM hash for a user
account is not removed until the next time the user changes his password. In
addition to setting this key you must also make sure that all users have
changed their passwords.
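The password-change requirement above can be checked offline. The following Python sketch is an added example, not part of the original article and not Microsoft code: it assumes a CSV export of the sAMAccountName and pwdLastSet attributes (the sample rows, account names, domain and cutoff time are constructed) and lists the accounts whose password has not been changed since the setting became active.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample export (hypothetical accounts and domain), one row per user.
# alice was last changed 2001-06-01, bob 2001-08-01, carol has the value 0.
SAMPLE_EXPORT = """\
DN,sAMAccountName,pwdLastSet
"CN=Alice,CN=Users,DC=example,DC=com",alice,126358272000000000
"CN=Bob,CN=Users,DC=example,DC=com",bob,126410976000000000
"CN=Carol,CN=Users,DC=example,DC=com",carol,0
"""

# Assumed time at which NoLMHash was active after the restart (constructed value).
SETTING_ACTIVE_SINCE = datetime(2001, 7, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Convert a pwdLastSet value to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def accounts_needing_password_change(export_csv, active_since):
    """Return (account, reason) for users whose LM hash may still be stored."""
    flagged = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        name = row["sAMAccountName"]
        raw = (row.get("pwdLastSet") or "").strip()
        if not raw.isdigit():
            flagged.append((name, "pwdLastSet missing or unreadable"))
        elif int(raw) == 0:
            # 0 = change required at next logon; the old hashes stay until then.
            flagged.append((name, "password change still pending"))
        elif filetime_to_datetime(int(raw)) <= active_since:
            flagged.append((name, "password predates the NoLMHash setting"))
    return flagged


if __name__ == "__main__":
    for account, reason in accounts_needing_password_change(
            SAMPLE_EXPORT, SETTING_ACTIVE_SINCE):
        print(f"{account}: {reason}")
```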
The successor version of Windows 2000
implements the setting to remove LAN Manager as a group policy.
Keywords: kbenv kbinfo kbnetwork KB299656