You cannot log on to a Windows 2000 domain controller after the password is changed by using a LAN Manager client (284939)


The information in this article applies to:

  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Professional
This article was previously published under Q284939

SYMPTOMS

You may not able to log on to a Microsoft Windows 2000 domain controller from a Windows 2000 client after the Windows 2000 domain user password is changed by using a LAN Manager (LM) client, such as the Microsoft Windows for Workgroups client, the Macintosh client, or the OS/2 client.

Note This problem does not occur after the password is changed by using a Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows NT or Windows 2000 client.

CAUSE

This problem occurs because LM clients use a different change password protocol than Windows 2000, Windows NT, Windows 95, and Windows 98 clients use. The password change protocol for these clients uses only the LM hash form of the password for authentication. The Windows 2000 domain controller modifies only the LM hash form of the user password in the Active Directory directory service. The Windows 2000 domain controller does not modify the Windows NT hash form of the user password. Therefore, you can log on from an LM client by using the newly changed password, but you cannot log on from a Windows NT client or from a Windows 2000 client by using the newly changed password. However, you can log on from a Windows NT client or from a Windows 2000 client by using the previous password.

If the password is changed by using a Windows NT-based computer, the Windows NT hash form of the password for the user account is set to a null value, and you can log on only by using the new password regardless of the client that you use.

RESOLUTION

Service pack information

To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

Hotfix information

File information

The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel. 
   Date         Time   Version            Size    File name
   -----------------------------------------------------------
   21-Feb-2001  23:18  5.0.2195.3281     351,504  Advapi32.dll
   21-Feb-2001  23:16  5.0.2195.3261     513,808  Instlsa5.dll
   21-Feb-2001  23:18  5.0.2195.3238     141,072  Kdcsvc.dll
   27-Jan-2001  04:46  5.0.2195.3194     207,920  Kerberos.dll
   27-Jan-2001  03:51  5.0.2195.3194      69,456  Ksecdd.sys
   16-Feb-2001  02:17  5.0.2195.3261     495,888  Lsasrv.dll
   16-Feb-2001  02:17  5.0.2195.3261      33,552  Lsass.exe
   21-Feb-2001  23:18  5.0.2195.3277     908,048  Ntdsa.dll
   21-Feb-2001  23:15  5.0.2195.3283     381,712  Samsrv.dll
   16-Feb-2001  02:17  5.0.2195.3261     495,888  Lsasrv.dll

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Windows 2000 Service Pack 3.
Modification Type:MinorLast Reviewed:9/23/2005
Keywords:kbHotfixServer kbQFE kbbug kbfix kbSecurity kbWin2000PreSP3Fix kbWin2000sp3fix KB284939 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.