000016661 - Users are able to use old and new passwords after password change

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017. Version 2.

Article Content

Article Number: 000016661
Applies To: Microsoft Active Directory as AxM DataStore; RSA Access Manager 6.1 and 6.2
Issue: Users are able to use old and new passwords after a password change. After a user's password is changed in Active Directory, the user can still authenticate to Access Manager with the old password for some time.
Cause: This is a domain controller feature introduced in Windows Server 2003 SP1 and present in later versions, not a defect in Access Manager. For a configurable grace period (60 minutes by default), the domain controller continues to accept the previous password for NTLM network authentication, which includes the LDAP binds Access Manager performs against the data store. Interactive logons and Kerberos authentication are not affected.
Resolution: The grace period is controlled by a registry value on the domain controllers. Set it on every domain controller that Access Manager binds to; otherwise the behaviour will depend on which DC answers the bind.
1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type OldPasswordAllowedPeriod as the name of the DWORD, and then press ENTER.
5. Right-click OldPasswordAllowedPeriod, and then click Modify.
6. In the Value data box, type the number of minutes the old password should remain usable, and then click OK. A value of 0 turns the grace period off so the old password is rejected immediately after the change; if the value is absent, the default of 60 minutes applies.
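The same change, scripted so that it is applied consistently across all domain controllers and so that the current setting can be audited first. This is an added example, not code from the RSA article or from Microsoft; it assumes the ActiveDirectory PowerShell module is available, the caller has Domain Admin rights, PowerShell Remoting is enabled on the domain controllers, and the shell is elevated. The parameter names and the 2147483647 upper bound are this example's own choices.

```powershell
# Added example (not from the RSA article): audit or set OldPasswordAllowedPeriod on
# every domain controller so an old password stops working for NTLM/LDAP binds after
# the chosen number of minutes (0 = immediately). Run elevated as a Domain Admin.
param(
    # Minutes the previous password remains accepted; 0 disables the grace period.
    [ValidateRange(0, 2147483647)]
    [int]$Minutes = 0,

    # Report the current value on each DC without changing anything.
    [switch]$ReportOnly
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'OldPasswordAllowedPeriod'

# Enumerate all DCs so the setting cannot differ depending on which DC answers a bind.
Import-Module ActiveDirectory -ErrorAction Stop
$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs `
    -ArgumentList $keyPath, $valueName, $Minutes, $ReportOnly.IsPresent `
    -ScriptBlock {
        param($keyPath, $valueName, $minutes, $reportOnly)

        # Read the current DWORD; $null means the value does not exist yet.
        $current = (Get-ItemProperty -Path $keyPath -Name $valueName `
                    -ErrorAction SilentlyContinue).$valueName

        # A missing value means the built-in default of 60 minutes is in effect.
        $effective = if ($null -eq $current) { 60 } else { [int]$current }

        if (-not $reportOnly -and $effective -ne $minutes) {
            # -Force creates the value if missing and overwrites it if present.
            New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord `
                -Value $minutes -Force | Out-Null
            $effective = $minutes
        }

        [pscustomobject]@{
            DomainController = $env:COMPUTERNAME
            ConfiguredValue  = if ($null -eq $current) { '(not set, default 60)' } else { $current }
            EffectiveMinutes = $effective
        }
    }

$results | Sort-Object DomainController | Format-Table -AutoSize
```

Run it first with -ReportOnly to see which DCs still carry the default, then without the switch (for example with -Minutes 0) to enforce the setting everywhere. Because the grace period lives on the domain controller rather than in Access Manager, a DC that was missed will keep accepting the old password for binds it happens to serve.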
Notes: See Microsoft KB906305 for more information on this behaviour and the OldPasswordAllowedPeriod value.
Legacy Article ID: a62203
