question

Ahmedmotal-9430 asked FanFan-MSFT commented

Why does an admin user have 3 passwords?

I'm working with Windows Server 2016 Datacenter.
I have an admin user account that I use to manage the network. For security reasons I changed its password, then I discovered that the 2 passwords are still valid. Then I changed the password again, and I found that the three passwords are still valid. Is that normal?

windows-server-2016

Ahmedmotal-9430 answered

Hi,
Thank you for your response. Regarding your inquiries above, I'd like to clarify some points.
1- Yes, I can log on to DC workstation directly with the old password (this password is the first one that was created; it is still stuck in the system and remains valid in parallel with the new one on the same user account).

2- I made some changes while trying to troubleshoot; I changed the password many times, to different passwords.
Normally the system should take the newest and last one, but actually the system takes the last new one plus the oldest one, which is still valid and stuck in the system.
3- I followed your instructions in the previous mail, see below:
To change the lifetime period of an old password, add a DWORD entry that is named OldPasswordAllowedPeriod to the following registry subkey on a domain controller:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

To do this, follow these steps:

Click Start, click Run, type regedit, and then click OK.

Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

On the Edit menu, point to New, and then click DWORD Value.

Type OldPasswordAllowedPeriod as the name of the DWORD, and then press ENTER.

Right-click OldPasswordAllowedPeriod, and then click Modify.

In the Value data box, type the value in minutes that you want to use, and then click OK.

  • The situation is still the same.


FanFan-MSFT answered FanFan-MSFT commented

Hi,
Welcome to ask here!
Was the server a standalone server or domain joined server?
How did you change the password?
For the following situation, it is an expected behavior:

New setting modifies NTLM network authentication behavior



Hi,
Server is an active domain controller, passwords has been initiated remotely domain controller through pc joined domain a month ago. By the way, I discovered that this certain account has 3 active valid passwords.

0 Votes 0 ·

Hi,
To understand the issue more clearly, would you please tell me how you used the old password?
Can you use the old password to log on to the DCs or a workstation directly?
I'm not sure what you mean when you said "passwords has been initiated remotely domain controller through pc joined domain a month ago".
Please help clarify.

Is the replication between the DCs good?
repadmin /showrepl * /csv >c:\repl.csv (replication situation for all the DCs)
repadmin /showrepl /all >c:\repadmin.txt (Inbound and outbound replication for one single DC)
Repadmin /syncall /APeD
Is it possibly caused by replication latency?

Best Regards,

1 Vote 1 ·

Hi,


Just want to confirm the current situations.
If there's anything you'd like to know, don't hesitate to ask.

Best Regards,

0 Votes 0 ·

Hi,
Regarding your mail above concerning "Did the replication between DCs is good?"
repadmin /showrepl * /csv >c:\repl.csv (replication situation for all the DCs)
repadmin /showrepl /all >c:\repadmin.txt (Inbound and outbound replication for one single DC)
Repadmin /syncall /APeD

Please, I need some clarification regarding the command line (should I put the DC machine name instead of csv?)
Also txt?
Thanks in advance

0 Votes 0 ·
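
The replication check from the comments above, as an added example that is not part of the original thread: a PowerShell function that reads the CSV written by `repadmin /showrepl * /csv` and lists the replication links that report failures or an old last-success time. The sample rows, the names DC01, DC02 and example.local, and the 60-minute threshold are assumptions.

```powershell
# Added example, not from the thread. The header row is the one repadmin writes for /csv.
# The two data rows are constructed; DC01, DC02 and example.local are hypothetical names.
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC01,"DC=example,DC=local",Default-First-Site-Name,DC02,RPC,0,0,2020-11-02 09:14:51,0
showrepl_INFO,Default-First-Site-Name,DC02,"DC=example,DC=local",Default-First-Site-Name,DC01,RPC,37,2020-11-02 09:10:03,2020-10-01 22:41:17,1722
'@

function Get-ReplIssue {
    param(
        [Parameter(Mandatory)] [string[]] $CsvLines,
        [int] $MaxAgeMinutes = 60,            # assumed staleness threshold, tune to your schedule
        [datetime] $Now = (Get-Date)
    )
    foreach ($row in ($CsvLines | ConvertFrom-Csv)) {
        # Parse the last successful inbound replication time for this link.
        $last   = [datetime]::MinValue
        $parsed = [datetime]::TryParse($row.'Last Success Time', [ref]$last)
        $ageMin = if ($parsed) { [int](($Now - $last).TotalMinutes) } else { $null }
        $fails  = $row.'Number of Failures' -as [int]

        # Collect every reason this link looks unhealthy.
        $reason = @()
        if ($row.showrepl_COLUMNS -ne 'showrepl_INFO') { $reason += "row type $($row.showrepl_COLUMNS)" }
        if ($fails -gt 0)                   { $reason += "$fails failures, status $($row.'Last Failure Status')" }
        if (-not $parsed)                   { $reason += 'no recorded success' }
        elseif ($ageMin -gt $MaxAgeMinutes) { $reason += "last success $ageMin min ago" }

        if ($reason) {
            [pscustomobject]@{
                Destination   = $row.'Destination DSA'
                Source        = $row.'Source DSA'
                NamingContext = $row.'Naming Context'
                Reason        = $reason -join '; '
            }
        }
    }
}

# Runs on the constructed sample with a fixed clock so the result is repeatable.
# On a domain controller:  Get-ReplIssue -CsvLines (repadmin /showrepl * /csv)
Get-ReplIssue -CsvLines $sample -Now ([datetime]'2020-11-02 09:30:00') |
    Format-Table -AutoSize -Wrap
```

With the sample rows only the DC02-from-DC01 link is listed, because it has failures and its last success is about a month old.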
Ahmedmotal-9430 answered

Hi,
Concerning your mail above, I will force replication between the DCs.
