Microsoft KB Archive/892424

= Passwords may not be maintained in an environment that contains both Windows 2000-based computers and Windows Server 2003-based computers =

Article ID: 892424

Article Last Modified on 10/30/2006


APPLIES TO


 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server






INTRODUCTION
This article describes the different ways that Microsoft Windows Server 2000-based domain controllers and Microsoft Windows Server 2003-based domain controllers generate passwords. Because of this difference, passwords may not be maintained in a mixed environment.



MORE INFORMATION
On a Windows Server 2003-based domain controller, if the "Smart card is required for interactive logon" policy setting is enabled, the domain controller generates a random password for the user. However, Windows 2000 does not include the functionality to generate a random password. For example, suppose the following conditions are true:
 * You maintain a user object in an environment that contains both Windows 2000-based computers and Windows Server 2003-based computers.
 * In this environment, Active Directory Users and Computers is connected to a Windows 2000-based domain controller.

In this scenario, the domain controller does not generate a random password. Therefore, passwords are not maintained.

To make sure that passwords are set to random values in a mixed environment, connect to a Windows Server 2003-based domain controller. Then, make sure that the "Smart card is required for interactive logon" policy setting is enabled. To enable this policy setting, follow these steps:
 * 1) Click Start, click Run, type gpedit.msc, and then click OK.
 * 2) Click the appropriate policy object, expand Computer Configuration, expand Windows Settings, and then expand Security Settings.
 * 3) Expand Local Policies, and then click Security Options.
 * 4) In the right pane, double-click Interactive logon: Require smart card.
 * 5) Click Enabled, and then click OK.
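
The following audit sketch is an added example, not part of the original article or any Microsoft tooling. It reads an ldifde-style export and lists accounts that carry the SMARTCARD_REQUIRED bit (0x40000) in userAccountControl but whose pwdLastSet is older than the date the option was enabled, which indicates that no random password was generated for them. The sample records, the domain name and the FLAG_ENABLED_ON date are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
SMARTCARD_REQUIRED = 0x40000  # userAccountControl bit for the account option
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME origin
# Assumption: the date the option was enabled, taken from change records.
FLAG_ENABLED_ON = datetime(2005, 1, 10, tzinfo=timezone.utc)
# Constructed sample in ldifde export style; accounts and domain are made up.
SAMPLE_LDIF = """\
dn: CN=Alice,OU=Staff,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 262656
pwdLastSet: 127225728000000000

dn: CN=Bob,OU=Staff,DC=example,DC=test
sAMAccountName: bob
userAccountControl: 262656
pwdLastSet: 127499616000000000

dn: CN=Carol,OU=Staff,DC=example,DC=test
sAMAccountName: carol
userAccountControl: 512
pwdLastSet: 126988992000000000

dn: CN=Dave,OU=Staff,DC=example,DC=test
sAMAccountName: dave
userAccountControl: 262656
pwdLastSet: 0
"""

def parse_ldif(text):
    """One dict per entry; only plain 'attr: value' lines are read."""
    entries = []
    for block in text.strip().split("\n\n"):
        pairs = (l.split(": ", 1) for l in block.splitlines() if ": " in l and l[0] not in " #")
        entries.append(dict(pairs))
    return entries

def filetime_to_dt(value):
    return EPOCH_1601 + timedelta(microseconds=int(value) // 10)  # 100 ns ticks

def stale_smartcard_accounts(ldif_text, flag_enabled_on=FLAG_ENABLED_ON):
    """Flagged accounts whose pwdLastSet predates the date the option was set."""
    findings = []
    for e in parse_ldif(ldif_text):
        last_set = filetime_to_dt(e.get("pwdLastSet", "0"))
        flagged = int(e.get("userAccountControl", "0")) & SMARTCARD_REQUIRED
        if flagged and last_set < flag_enabled_on:
            findings.append((e["sAMAccountName"], last_set.date().isoformat()))
    return findings
if __name__ == "__main__":
    print(stale_smartcard_accounts(SAMPLE_LDIF))
```

A pwdLastSet later than the cutoff does not prove that the password is random, only that it changed after the option was enabled; accounts the script reports are the ones to revisit from a Windows Server 2003-based domain controller.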

For additional information about the "Interactive logon: Require smart card" security option, visit the following Microsoft Web site:

http://technet2.microsoft.com/windowsserver/en/library/A2C31C94-0E6A-4EB2-A514-2366B5B607EF1033.mspx

For additional information about smart cards and passwords on a Windows Server 2003 domain controller, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/topics/networksecurity/securesmartcards/default.mspx

Additional query words: generation snap-in user account option

Keywords: kbhowto kbinfo kbsmartcard kbpasswords KB892424


© Microsoft Corporation. All rights reserved.