After a user changes the password of their AD account, the new password is usable immediately over Kerberos, but the old password also remains usable (over NTLM). This needs attention when ADAM is used in the environment for proxy authentication, because ADAM always uses NTLM as its authentication protocol. Desktop virtualization (VDI) is quite popular at the moment, and since the VMware View server uses ADAM, changing passwords and verifying accounts through the View server has exactly this problem: the old and the new password can be used at the same time. The period during which the old and new passwords coexist is 60 minutes on Win03 and 5 minutes on Win08.
There is a way to fix it by modifying the Windows Registry according to the KB above. But I still strongly recommend that the customer contact Microsoft Technical Support to confirm this.

How to change the lifetime period of an old password

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows

To change the lifetime period of an old password, add a DWORD entry that is named OldPasswordAllowedPeriod to the following registry subkey on a domain controller:


To do this, follow these steps:

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type OldPasswordAllowedPeriod as the name of the DWORD, and then press ENTER.
  5. Right-click OldPasswordAllowedPeriod, and then click Modify.
  6. In the Value data box, type the value in minutes that you want to use, and then click OK.

    Note The lifetime period is set in minutes. If this registry value is not set, the default lifetime period for an old password is 60 minutes.
  7. Quit Registry Editor.
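
The same change done from PowerShell on a domain controller, as an added example (it is not part of the original post or of the KB article): the script backs up the subkey first, as the KB text recommends, creates or updates the `OldPasswordAllowedPeriod` DWORD, and reads the value back to confirm what was written. The page does not show the registry subkey; the `Lsa` path used below is an assumption taken from KB 906305 as remembered by the editor, and the function names are the editor's own.

```powershell
# Added example, not code from the original page or the KB article.
# Sets OldPasswordAllowedPeriod on a domain controller from PowerShell.
# ASSUMPTION: the subkey is the one KB 906305 names (not shown on the page).
# Run in an elevated PowerShell session on the domain controller.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'   # assumed subkey
$ValueName = 'OldPasswordAllowedPeriod'

function Get-OldPasswordAllowedPeriod {
    # Returns the configured period in minutes, or $null when the value is
    # absent (the KB text says the default of 60 minutes then applies).
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-OldPasswordAllowedPeriod {
    param(
        # Upper bound of one day is a sanity cap chosen for this example.
        [Parameter(Mandatory)][ValidateRange(0, 1440)][int]$Minutes,
        [string]$BackupPath = "$env:TEMP\Lsa-backup.reg"
    )

    # Export the subkey before touching it, so it can be restored if needed.
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry backup to $BackupPath failed; aborting." }

    # Create the DWORD if it does not exist yet, otherwise update it in place.
    if ($null -eq (Get-OldPasswordAllowedPeriod)) {
        New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord -Value $Minutes | Out-Null
    } else {
        Set-ItemProperty -Path $LsaKey -Name $ValueName -Value $Minutes
    }

    # Read back and verify the stored value.
    $actual = Get-OldPasswordAllowedPeriod
    if ($actual -ne $Minutes) { throw "Expected $Minutes minute(s), found $actual" }
    Write-Output "$ValueName is now $actual minute(s); backup written to $BackupPath"
}

# Usage: show the current setting, then shorten the window in which the
# old password still authenticates over NTLM after a password change.
$before = Get-OldPasswordAllowedPeriod
if ($null -eq $before) {
    Write-Output "Current value: not set (default 60 minutes applies)"
} else {
    Write-Output "Current value: $before minute(s)"
}
Set-OldPasswordAllowedPeriod -Minutes 5
```

The read-back check matters because `Set-ItemProperty` silently succeeds even when the value name is mistyped into a new entry; comparing what `Get-OldPasswordAllowedPeriod` returns with the requested number of minutes catches that. The exported `.reg` file is the rollback path the KB section asks you to have before editing.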

