The Case of the New DC and the LM Hash

While reviewing the results of the latest windows domain password audit, I noted that there was an increase in the number of lanman hashes stored. We had two domain controllers blow up recently and they had to be rebuilt from scratch rather than restored from backup. I correctly figured that on one or both of those DCs the disable lan man setting had not been implemented correctly.
I knew that on a Windows 2000 domain controller this setting needed to be added manually. The Group Policy setting only effects XP and Windows 2003 computers. I didn’t remember what the registry setting was so I sent to http://support.microsoft.com/kb/299656,
I read

To add this key by using Registry Editor, follow these steps: 1. Start Registry Editor (Regedt32.exe).
2. Locate and then click the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. On the Edit menu, click Add Key, type NoLMHash, and then press ENTER.
4. Quit Registry Editor.
5. Restart the computer, and then change your password to make the setting active.

In my haste, I forgot about the difference between a Key and a Value. I saw that the domain controller had HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa with Nolanman hash set to dword value 1. I compared that to the other domain controllers and didn’t see why that domain controller wasn’t working.
It took a second to realize that was the Windows 2003 setting set by Group Policy. For Windows 2000, you need to go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and create a key of nolmhash. That isn’t the same thing at all. A quick check verified that this setting was missing on the new DCs and existed on the old DCs. We set the registry key and scheduled a reboot.

2 Comments

  1. You could have done this in the Security section of the Default Domain Controller Policy too.
    Quicker and no chance of getting it wrong.

  2. That group policy is valid for 2003 domain controllers or XP (and later) clients. The policy creates a different key than the one Windows 2000 uses. Read the KB I linked.

Comments are closed.