Re: No LM Hash - no really
From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 08/22/04
Date: Sun, 22 Aug 2004 16:39:08 GMT
According to the KB article you do not use "NoLMHash = 1 DWORD" for Windows 2000.
Try using the exact instructions below to see if it helps. I have used it before as
described and it works on my W2K domain controller. --- Steve
http://support.microsoft.com/default.aspx?scid=KB;EN-US;q299656&
Windows 2000 SP2 and Later
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that
may require you to reinstall your operating system. Microsoft cannot guarantee that
you can solve problems that result from using Registry Editor incorrectly. Use
Registry Editor at your own risk.
Important: The NoLMHash registry key and its functionality were not tested or
documented and should be considered unsafe to use in production environments before
Windows 2000 SP2.
To add this key by using Registry Editor, follow these steps:
1. Start Registry Editor (Regedt32.exe).
2. Locate and then click the following key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. On the Edit menu, click Add Key, type NoLMHash, and then press ENTER.
4. Quit Registry Editor.
5. Restart the computer, and then change your password to make the setting active.
"Ian Boyd" <admin@SWIFTPA.NET> wrote in message
news:%23gQTDq%23hEHA.3348@TK2MSFTNGP12.phx.gbl...
> How do you REALLY disable the generation of LAN Manager password hashes?
>
> I have set the group policy on the domain controller (Windows 2000), and
> added to the domain controller's registry the NoLMHash = 1 DWORD.
>
> Then I go to a workstation and reset the password of my domain account.
>
> I can then go back to the domain controller, dump the AD password hashes. I
> then crack it and confirm that the LM Hash exists, and contains my new
> password.
>
>
> So how does one REALLY disable LM Hashes in an Active Directory environment?
>
>
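
The verification both posts rely on (after the restart and password change in step 5, look at the stored hashes and see whether an LM hash is still there), as an added example that is not part of either post. It assumes the dump is pwdump-style text, `user:rid:lmhash:nthash:::`, which the thread does not specify; the function names and the sample lines are constructed for illustration.

```python
# Added example: list accounts that still store an LM hash in a
# pwdump-style export (format assumed, not stated in the thread).

# LM hash of an empty password; this value means no usable LM hash is stored.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
HEX = set("0123456789abcdef")


def classify(line):
    """Return (status, account) for one export line.

    status is 'lm_present', 'lm_absent' or 'unparsed'.
    """
    fields = line.strip().split(":")
    if len(fields) < 4:
        return "unparsed", line.strip()
    user, lm = fields[0], fields[2].lower()
    # Empty field, the empty-password constant, or the "NO PASSWORD***"
    # placeholder some dump tools print all mean no LM hash is stored.
    if lm == "" or lm == EMPTY_LM or lm.startswith("no password"):
        return "lm_absent", user
    if len(lm) == 32 and set(lm) <= HEX:
        return "lm_present", user
    return "unparsed", line.strip()


def audit(text):
    """Group accounts by whether an LM hash is still stored for them."""
    report = {"lm_present": [], "lm_absent": [], "unparsed": []}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        status, account = classify(line)
        report[status].append(account)
    return report


# Constructed sample input; these are not real hashes.
SAMPLE = """\
# user:rid:lmhash:nthash:::
alice:1105:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
bob:1106:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
carol:1107:NO PASSWORD*********************:8899aabbccddeeff0011223344556677:::
dave:1108:0F1E2D3C4B5A69780F1E2D3C4B5A6978:112233445566778899AABBCCDDEEFF00:::
broken line
"""

if __name__ == "__main__":
    for status, accounts in audit(SAMPLE).items():
        print(f"{status}: {accounts}")
```

Accounts reported under `lm_present` after the setting is in place are the ones whose password has not been changed since, which is the condition step 5 addresses.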