Applying Policy "Do not Store LAN Manager Hash Value on Next Password"

seema kanwal 26 Reputation points
2022-05-16T10:30:46.12+00:00

Dear Community,

I want to apply this Policy i.e. "Do not Store LAN Manager Hash Value on Next Password" but I don't know what impact this Group Policy might have in my domain.

I have a single Domain and then I have Four Sites and each site has a Domain Controller.

I have read a few articles and what I understand so far is that this policy prevents saving password hashes on the local system (password hashes of the actual password are saved on the local computer in 14 digits).

I have below questions:

Q1. What happens If I Enable this Setting?

Q2. What will be the impact once this Policy is applied?

Q3. Will it stop Saving User's passwords in future on their Laptops/Systems?

Q4. Why should I Apply this Setting?

Q5. Why are these Password hashes saved on local computer in 14 digits?

Q6. Are these the password hashes of the passwords that users enter to log in to their laptops?

It's recommended to enable this setting for security purposes.
Kindly help me out, as I am going through a Group Policy Best Practices activity and I found this policy, which looks useful.

Thanks.


3 answers

  1. Limitless Technology 39,926 Reputation points
    2022-05-23T08:42:39.467+00:00

    Hi there,

    Windows doesn't store your user account password in cleartext. Instead, it generates and stores user account passwords by using two different password representations, known as hashes. Enough said about hashes; applying this policy setting determines whether LAN Manager is prevented from storing hash values for the new password the next time the password is changed.

    I recommend enabling this setting since the LM hash is very weak by today’s standards and is very quickly cracked by password cracking tools. When you enable this setting Windows will not immediately delete the existing LM hash on each account; instead, Windows will remove the LM hash from each account the next time the account’s password is changed. To immediately get rid of LM hashes you’d need to force each user to change their password at the next login.

    To answer all your questions I would suggest you have a look at this wonderful article about this policy: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change

    How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password


    --If the reply is helpful, please Upvote and Accept it as an answer–

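    The two points in the reply above (the policy only takes effect at the next password change, and it must be in force on the domain controllers that actually store the hashes) can be checked with a script. The following is an added example and not code from this thread or from Microsoft's articles. It assumes the RSAT ActiveDirectory module, WinRM access to the domain controllers, and a policy date that you supply yourself; the registry value it reads, NoLMHash under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, is the one the Group Policy setting writes (1 = do not store the LM hash).

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original thread. Audits the NoLMHash setting on every
# domain controller and lists enabled accounts whose password predates the policy,
# i.e. accounts that may still carry an LM hash until their next password change.
param(
    # Date the policy was applied in your domain (assumed placeholder; change it).
    [datetime]$PolicyAppliedOn = (Get-Date '2022-06-01')
)

# 1. Effective setting on each DC. A missing value or 0 means LM hashes are still stored.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$status = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $v = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                           -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        NoLMHash = if ($null -eq $v) { 'not set (LM hashes stored)' }
                   elseif ($v -eq 1) { 'enabled' }
                   else { "unexpected value $v" }
    }
}
"`nNoLMHash state per domain controller:"
$status | Select-Object Computer, NoLMHash | Format-Table -AutoSize

# 2. Enabling the policy does not purge existing LM hashes; they go away only when the
#    password is next changed. Find enabled users who have not changed their password
#    since the policy date. Accounts with a null PasswordLastSet are already flagged
#    "must change at next logon" and are skipped.
$stale = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet |
         Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $PolicyAppliedOn } |
         Select-Object SamAccountName, PasswordLastSet
"`nEnabled accounts whose password predates $($PolicyAppliedOn.ToShortDateString()):"
$stale | Format-Table -AutoSize

# 3. Remediation: force a password change at next logon for those accounts.
#    Left in -WhatIf mode so the script only reports; drop -WhatIf to apply.
$stale | ForEach-Object {
    Set-ADUser -Identity $_.SamAccountName -ChangePasswordAtLogon $true -WhatIf
}
```

    Run it from a management host with RSAT once the policy has been linked; step 1 should show "enabled" on every DC in all four sites before you rely on step 2's list, since a DC that still stores LM hashes will keep writing them for any password change it processes.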

  2. seema kanwal 26 Reputation points
    2022-06-29T10:13:58.857+00:00

    Thank you for sharing the link. I still have one question though. It says that the potential impact of applying this policy could be that "Some non-Microsoft applications might not be able to connect to the system". What does it mean by "non-Microsoft applications" which will stop working? Which application is it referring to? I have attached a screenshot below of this point as well.
    (attached screenshot: 216020-potential-impact.png)


  3. seema kanwal 26 Reputation points
    2022-07-01T11:22:28.063+00:00

    Dear Community,

    Also, tell me: do I need to enable this setting on my domain controllers? I have Windows Server 2019 installed on my domain controllers. Do I still need to enable this setting on 2019, as it is not an old OS?
