Prevent storage of LAN Manager password hashes

Why Consider this

One or more of your servers or client computers is currently configured to store LAN Manager (LM) password hashes. LM hashes are relatively weak and can often be cracked quickly by attackers using brute force attacks.

Watch a Customer Engineer explaining the issue

Context & Best Practices

LM hashes are used by LAN Manager (LM) authentication, an old authentication mechanism that predates NTLM authentication. By contrast, NTLM and Kerberos authentication both use Windows NT password hashes (known as NT hashes or Unicode hashes), which are considerably more secure.

Windows operating systems prior to Windows Vista, and server operating systems prior to Windows Server 2008, still compute and store both NT hashes and LM hashes. NT hashes are stored for use with NTLM and Kerberos, and LM hashes are stored for backwards compatibility with earlier client operating system versions.

You are highly unlikely to encounter any issues from disabling LM hash storage unless your environment contains Windows 95 or Windows 98 clients. If you disable LM hash storage, users will be unable to authenticate to servers from Windows 95 or Windows 98 clients unless they have the Directory Services Client installed on their computers. However, in these cases you should strongly consider moving the clients to supported operating systems.

Suggested Actions

Wherever possible, you should prevent Windows from storing LM password hashes. You can do this by editing the registry on individual computers or by using Group Policy to apply the change to multiple computers.

For guidance on both approaches, refer to the support article: How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases at

For domain controllers, configure a Group Policy to configure all of them with the same setting.

Learn More

LM hash settings can cause compatibility issues in mixed environments. For more information on these issues, review the following support articles:

  • Client computers may not work correctly when you add a Windows Server 2008-based domain controller to an existing pre-Windows Server 2008 domain (
  • Cluster service account password must be set to 15 or more characters if the NoLMHash policy is enabled (

Have feedback?

If you have general feedback on the Resource Center or its content, contact your Microsoft representative. If you have any specific requests or content updates for Services Hub, contact our Support Team.