Passwords may not be maintained in an environment that contains both Windows 2000-based computers and Windows Server 2003-based computers (892424)



The information in this article applies to:

  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server

INTRODUCTION

This article describes the different ways that Microsoft Windows 2000-based domain controllers and Microsoft Windows Server 2003-based domain controllers generate passwords. Because of this difference, passwords may not be maintained in a mixed environment.

MORE INFORMATION

On a Windows Server 2003-based domain controller, if the "Smart card is required for interactive logon" policy setting is enabled, the domain controller generates a random password for the user. However, Windows 2000 does not include the functionality to generate a random password. For example, suppose the following conditions are true:
  • You maintain a user object in an environment that contains both Windows 2000-based computers and Windows Server 2003-based computers.
  • In this environment, Active Directory Users and Computers is connected to a Windows 2000-based domain controller.
In this scenario, the domain controller does not generate a random password. Therefore, passwords are not maintained.

To make sure that passwords are set to random values in a mixed environment, connect to a Windows Server 2003-based domain controller. Then, make sure that the "Smart card is required for interactive logon" policy setting is enabled. To enable this policy setting, follow these steps:
  1. Click Start, click Run, type gpedit.msc, and then click OK.
  2. Click the appropriate policy object, expand Computer Configuration, expand Windows Settings, and then expand Security Settings.
  3. Expand Local Policies, and then click Security Options.
  4. In the right pane, double-click Interactive logon: Require smart card.
  5. Click Enabled, and then click OK.
For additional information about the "Interactive logon: Require smart card" security option, visit the following Microsoft Web site:

For additional information about smart cards and passwords on a Windows Server 2003 domain controller, visit the following Microsoft Web site:
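
To check which accounts were left without a fresh password in the mixed-environment scenario above, the following added example (not part of the original article or any Microsoft tool) reads an LDIF export of `dn`, `userAccountControl` and `pwdLastSet` and lists smart-card-required accounts whose password predates the date the setting was enabled. It assumes that the smart-card-required setting corresponds to the `0x40000` bit of `userAccountControl`, that a password generated by the domain controller updates `pwdLastSet`, and that you know the enforcement date; the function names and sample entries are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

UF_SMARTCARD_REQUIRED = 0x40000  # assumed userAccountControl bit for the smart-card-required setting
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample export; the accounts and values are made up for illustration.
SAMPLE_LDIF = """\
dn: CN=alice,OU=Staff,DC=example,DC=test
userAccountControl: 262656
pwdLastSet: 127490112000000000

dn: CN=bob,OU=Staff,DC=example,DC=test
userAccountControl: 262656
pwdLastSet: 127935936000000000

dn: CN=carol,OU=Staff,DC=example,DC=test
userAccountControl: 512
pwdLastSet: 127490112000000000

dn: CN=dave,OU=Staff,DC=example,DC=test
userAccountControl: 262656
pwdLastSet: 0
"""

def filetime_to_utc(value):
    """Convert an AD timestamp (100 ns ticks since 1601) to a datetime; 0 carries no date."""
    ticks = int(value)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10) if ticks else None

def parse_ldif(text):
    """Yield one {attribute: value} dict per LDIF entry (base64 values are not decoded)."""
    for block in text.replace("\n ", "").split("\n\n"):  # unfold wrapped lines, split entries
        entry = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                key, _, value = line.partition(":")
                entry[key.strip()] = value.strip()
        if entry:
            yield entry

def unrotated_smartcard_accounts(text, enforced_on):
    """Return (dn, pwdLastSet) for smart-card-required accounts whose password predates enforced_on."""
    findings = []
    for entry in parse_ldif(text):
        uac = int(entry.get("userAccountControl", 0))
        last_set = filetime_to_utc(entry.get("pwdLastSet", 0))
        if uac & UF_SMARTCARD_REQUIRED and (last_set is None or last_set < enforced_on):
            findings.append((entry.get("dn"), last_set))
    return findings
```

Accounts returned by `unrotated_smartcard_accounts` are candidates for having the setting reapplied while connected to a Windows Server 2003-based domain controller.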

Modification Type: Major
Last Reviewed: 6/21/2006
Keywords: kbhowto kbinfo kbSmartCard kbpasswords KB892424 kbAudITPRO