IBM Support

Old Password Still Usable After Password Changed (When using Active Directory)

Troubleshooting


Problem

Old Password Still Usable After Password Changed (When using Active Directory)

Resolving The Problem

This is an Active Directory flaw, not an OpenPages application problem. You can refer customers to Microsoft Knowledge Base article 906305: http://support.microsoft.com/kb/906305

NTLM (NT LAN Manager) is a Microsoft authentication protocol used to authenticate clients in various Microsoft network protocol implementations, including Active Directory, Exchange Server services (POP3, IMAP, SMTP), and SMB. Windows 2003 Server Service Pack 1 modifies NTLM network authentication behavior so that users can use their old password to access network resources for a definite amount of time after the password is changed. This is also the case for LDAP authentication into Microsoft Active Directory.

The period of time for which the old password remains active is configured by editing a registry key on the domain controller; its default value is one hour.

This "feature" applies only to network access and to domain user accounts. The domain controller will not allow interactive logon with the old password. This means the old password is still good for mapping a network drive using an IP address (when a machine name is used, NTLM is not involved because Kerberos authentication occurs), logging into any application that uses NTLM, logging into Active Directory through LDAP functions, and so on.

This behavior is described in article 906305 of the Microsoft Knowledge Base. The article also notes that no security weakness is caused by this behavior as long as only one user knows both passwords.
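When a password is changed because it may be known to someone else, the one-hour window described above is worth reviewing in the domain controller's logon records. The following is an added example, not IBM or Microsoft code. It assumes Windows Security event IDs 4723/4724 (password change/reset) and 4624 (successful logon), already parsed into dictionaries with hypothetical field names, and it runs over constructed sample events.

```python
from datetime import datetime, timedelta

GRACE = timedelta(hours=1)          # default old-password lifetime stated above
PASSWORD_CHANGE_IDS = {4723, 4724}  # assumed: password change / reset events
LOGON_ID = 4624                     # assumed: successful logon event
NETWORK_LOGON = 3                   # logon type 3 = network, 2 = interactive

# Constructed sample events (not real log data); field names are hypothetical.
SAMPLE_EVENTS = [
    {"time": "2018-06-15T09:00:00", "id": 4724, "user": "jdoe"},
    {"time": "2018-06-15T09:10:00", "id": 4624, "user": "jdoe", "logon_type": 3, "auth": "NTLM"},
    {"time": "2018-06-15T09:20:00", "id": 4624, "user": "jdoe", "logon_type": 3, "auth": "Kerberos"},
    {"time": "2018-06-15T09:30:00", "id": 4624, "user": "jdoe", "logon_type": 2, "auth": "NTLM"},
    {"time": "2018-06-15T09:40:00", "id": 4624, "user": "asmith", "logon_type": 3, "auth": "NTLM"},
    {"time": "2018-06-15T10:00:00", "id": 4624, "user": "jdoe", "logon_type": 3, "auth": "NTLM"},
    {"time": "2018-06-15T10:00:01", "id": 4624, "user": "jdoe", "logon_type": 3, "auth": "NTLM"},
]


def logons_to_review(events, grace=GRACE):
    """Return NTLM network logons that fall inside the old-password window.

    The log does not record which password was presented, so each hit is a
    candidate for review, not proof that the old password was used.
    """
    last_change = {}  # user -> time of most recent password change/reset
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        user = ev["user"].lower()
        if ev["id"] in PASSWORD_CHANGE_IDS:
            last_change[user] = when
        elif (ev["id"] == LOGON_ID
              and ev.get("logon_type") == NETWORK_LOGON   # interactive is refused
              and ev.get("auth", "").upper() == "NTLM"    # Kerberos is unaffected
              and user in last_change
              and when - last_change[user] <= grace):     # inclusive: conservative
            hits.append((ev["user"], ev["time"], when - last_change[user]))
    return hits


if __name__ == "__main__":
    for user, time, age in logons_to_review(SAMPLE_EVENTS):
        print(f"{user}: NTLM network logon at {time}, {age} after password change")
```

If the domain controller's registry value has been changed from the default, pass the configured period as `grace`.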


Historical Number

1505

Document Information

Modified date:
15 June 2018

UID

swg21514000