Microsoft KB Archive/284939

= You cannot log on to a Windows 2000 domain controller after the password is changed by using a LAN Manager client =

Article ID: 284939

Article Last Modified on 10/26/2006

-

APPLIES TO


 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Professional Edition

-



This article was previously published under Q284939





SYMPTOMS
You may not able to log on to a Microsoft Windows 2000 domain controller from a Windows 2000 client after the Windows 2000 domain user password is changed by using a LAN Manager (LM) client, such as the Microsoft Windows for Workgroups client, the Macintosh client, or the OS/2 client.

Note This problem does not occur after the password is changed by using a Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows NT or Windows 2000 client.



CAUSE
This problem occurs because LM clients use a different change password protocol than Windows 2000, Windows NT, Windows 95, and Windows 98 clients use. The password change protocol for these clients uses only the LM hash form of the password for authentication. The Windows 2000 domain controller modifies only the LM hash form of the user password in the Active Directory directory service. The Windows 2000 domain controller does not modify the Windows NT hash form of the user password. Therefore, you can log on from an LM client by using the newly changed password, but you cannot log on from a Windows NT client or from a Windows 2000 client by using the newly changed password. However, you can log on from a Windows NT client or from a Windows 2000 client by using the previous password.

If the password is changed by using a Windows NT-based computer, the Windows NT hash form of the password for the user account is set to a null value, and you can log on only by using the new password regardless of the client that you use.



Service pack information
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

File information
The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.   Date         Time   Version            Size    File name ---  21-Feb-2001  23:18  5.0.2195.3281     351,504  Advapi32.dll 21-Feb-2001 23:16  5.0.2195.3261     513,808  Instlsa5.dll 21-Feb-2001 23:18  5.0.2195.3238     141,072  Kdcsvc.dll 27-Jan-2001 04:46  5.0.2195.3194     207,920  Kerberos.dll 27-Jan-2001 03:51  5.0.2195.3194      69,456  Ksecdd.sys 16-Feb-2001 02:17  5.0.2195.3261     495,888  Lsasrv.dll 16-Feb-2001 02:17  5.0.2195.3261      33,552  Lsass.exe 21-Feb-2001 23:18  5.0.2195.3277     908,048  Ntdsa.dll 21-Feb-2001 23:15  5.0.2195.3283     381,712  Samsrv.dll 16-Feb-2001 02:17  5.0.2195.3261     495,888  Lsasrv.dll



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section. This problem was first corrected in Windows 2000 Service Pack 3.

Keywords: kbhotfixserver kbqfe kbbug kbfix kbsecurity kbwin2000presp3fix kbwin2000sp3fix KB284939

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.