AD修改密码延迟的问题

本文从http://hi.baidu.com/vincekwok/blog/item/05e05e2cbde02fe78a13991b.html转载

 

现象：      用户在改掉自己AD账号的密码之后，新密码立即可用（Kerberos），但旧密码也同样可用（NTLM）。如果在环境中使用了ADAM作为proxy authentication需要注意这个问题（ADAM始终使用NTLM作为认证协议http://support.microsoft.com/kb/940448/en-us），目前桌面虚拟化（VDI）比较热，由于Vmware的View server中就是用了ADAM，所以通过View server修改密码和验证账户就存在新旧密码能同时使用的问题。新旧密码同时存在的时间为：Win03中是60分钟、Win08中则变为5分钟。 原因：      首先，用户密码发生修改以后，无论是直接在DC上操作，还是通过客户端进行。收到密码修改的DC会立即触发更新，但并不是与所有的DC，而只是域内的PDC仿真器。      然后，用户登陆时会使用新密码，如果该请求提交到的那个DC，即不是PDC仿真器也不是提交密码修改的那台DC的情况下，这台DC肯定没有得到最新的修改后的密码，所以它会发现该用户提交的密码不正确。      但此刻该DC并没有立刻拒绝用户的验证请求，而是去请示AD中的PDC仿真器。这时PDC仿真器已经收到了来自与另一DC所提交的经过修改的最新密码，PDC发现，用户此刻提交的请求，与最新的密码是一致的。于是通知之前那台DC放行。 而为什么会存在一个5分钟的时间，应该是由发起密码更改的那台DC，为旧密码开启了一个最后生存时间，而这个时间，就是5分钟整.这个5分钟就是为了防止AD同步延时问题，防止DC数量比较多时，用户登录所在的站点内还没有成功的更新到密码的修改的情况。这样，即使新密码没有生效，旧密码依然可用。 解决方法： http://support.microsoft.com/kb/906305/en-us There is the way to fix it by modifying the Windows Registry according to the kb above. But I still strongly recommend the customer to contact Microsoft Technical Support to confirm this.   站点内DC同步时间默认五分钟一次     ############################################################################### How to change the lifetime period of an old password Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base: 322756 (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows To change the lifetime period of an old password, add a DWORD entry that is named OldPasswordAllowedPeriod to the following registry subkey on a domain controller: HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Lsa To do this, follow these steps: Click Start, click Run, type regedit, and then click OK. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Lsa On the Edit menu, point to New, and then click DWORD Value. Type OldPasswordAllowedPeriod as the name of the DWORD, and then press ENTER. Right-click OldPasswordAllowedPeriod, and then click Modify. In the Value data box, type the value in minutes that you want to use, and then click OK. Note The lifetime period is set in minutes. If this registry value is not set, the default lifetime period for an old password is 60 minutes. Quit Registry Editor.