Removing LM hashes from Windows 2003 Active Directory?

Status
Not open for further replies.

humbletech99

Programmer
Nov 22, 2005
155
GB
I have a Windows 2003 Active Directory domain and want a way of deleting all existing LM hashes from the AD database.

I know there is a GPO setting to stop Active Directory from creating LM hashes, but this doesn't deal with the ones that already exist.

Does anyone know if/how to remove all currently stored LM hashes from the domain?
 
They are only removed when users next change their passwords, so I suppose you could set all accounts to force a password change on next logon. I've seen a script somewhere that will set all users' passwords to expire and need to be changed, but can't find it at the moment.

Paul
MCSE


"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe."
Albert Einstein
 
Setting all users' accounts to expire is not the difficult bit.

The problem is that only the new passwords will have no LM hash.

The old password LM hashes are still there and since users often do not fully change their pw but instead make some variation, those old hashes can still compromise the new passwords.

Hence I want to actually delete the old LM hashes.
 
Yes, of course, I should have thought of that. Zero out history and then change and then enable history again.

Not a bad workaround, other than the fact you have to force a lot of password changes...

It's not a bad idea at all, in fact. I was actually thinking of some way of finding the AD hashes and deleting those, but leaving the NTLM hashes there...

Thanks for the reference. If I can't figure out where and how to delete the actual LM hashes, I will instead do this zeroing out of history to get rid of them.
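
An added example, not part of the thread: a check over an offline pwdump-style export that reports LM hashes still stored for current passwords separately from those left in password history, which is the distinction the posts above turn on. The `user:rid:lm:nt:::` layout, the `_historyN` row naming and every sample value are assumptions constructed for the example.

```python
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password
HEX32 = re.compile(r"^[0-9a-f]{32}$")
# Assumed naming of password-history rows in the export (tool dependent).
HISTORY = re.compile(r"^(?P<user>.+)_history(?P<idx>\d+)$")

# Constructed sample in user:rid:lm:nt::: form; all hash values are made up.
SAMPLE = """\
alice:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
alice_history0:1105:11112222333344445555666677778888:fedcba9876543210fedcba9876543210:::
bob:1106:99990000AAAABBBBCCCCDDDDEEEEFFFF:00112233445566778899aabbccddeeff:::
carol:1107:NO PASSWORD*********************:a0a1a2a3a4a5a6a7a8a9aaabacadaeaf:::
carol_history0:1107:aad3b435b51404eeaad3b435b51404ee:b0b1b2b3b4b5b6b7b8b9babbbcbdbebf:::
not a dump line
"""


def has_lm(field):
    """True when the LM column holds a real hash, not the empty value or a text placeholder."""
    value = field.strip().lower()
    return bool(HEX32.match(value)) and value != EMPTY_LM


def audit(dump_text):
    """Return {account: {"current": bool, "history": [indexes]}} for accounts with a stored LM hash."""
    findings = {}
    for line in dump_text.splitlines():
        parts = line.split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # blank or malformed line
        name, lm = parts[0], parts[2]
        if not has_lm(lm):
            continue
        m = HISTORY.match(name)
        account = m.group("user") if m else name
        entry = findings.setdefault(account, {"current": False, "history": []})
        if m:
            entry["history"].append(int(m.group("idx")))  # old password still has an LM hash
        else:
            entry["current"] = True  # current password still has an LM hash
    return findings


if __name__ == "__main__":
    for account, f in sorted(audit(SAMPLE).items()):
        print(account, "current LM:", f["current"], "history LM entries:", f["history"])
```

In the sample, `alice` has changed her password but still shows a history entry with an LM hash, `bob` has not changed his yet, and `carol` is clean.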
 