After applying Service Pack 1 for Windows Server 2003, domain users can use their old password to access the network for an administrator-definable time period after the password has been changed.

NOTE: Kerberos authentication is unaffected by this behavior change, as is interactive logon behavior.

The default old password lifetime period is 60 minutes. To alter the lifetime period for old passwords, I have scripted OldPasswordAllowedPeriod.bat.

The syntax for using OldPasswordAllowedPeriod.bat is:

OldPasswordAllowedPeriod Minutes

where Minutes is the lifetime period for old passwords, in minutes.

NOTE: This script can be run on a Windows Server 2003, or on a Windows XP domain member with the Windows Server 2003 adminpak.msi installed.

OldPasswordAllowedPeriod.bat contains:

@echo off
rem Usage: OldPasswordAllowedPeriod Minutes
if {%1}=={} @echo OldPasswordAllowedPeriod Minutes&goto :EOF
rem A numeric argument compares equal to itself with a leading plus sign; anything else is rejected.
if %1 NEQ +%1 @echo OldPasswordAllowedPeriod Minutes - %1 is not numeric&goto :EOF
setlocal
set key=HKLM\SYSTEM\CurrentControlSet\Control\Lsa
set /a minutes=%1
rem Write the REG_DWORD value on every domain controller returned by DSQUERY SERVER.
for /f "Tokens=1" %%c in ('DSQUERY SERVER -O RDN') do (
 @echo REG ADD \\%%c\%key% /V OldPasswordAllowedPeriod /T REG_DWORD /F /D %minutes%
 REG ADD \\%%c\%key% /V OldPasswordAllowedPeriod /T REG_DWORD /F /D %minutes%
 @echo.
)
endlocal
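As an added companion check (example code, not part of the original tip), the following batch file reads OldPasswordAllowedPeriod back from every domain controller, compares it with the number of minutes you deployed, and flags any DC still running the SP1 default. It uses the same DSQUERY and REG tools as the script above; the file name AuditOldPasswordAllowedPeriod.bat is hypothetical.

```batch
@echo off
rem AuditOldPasswordAllowedPeriod.bat - added example, not part of the original tip.
rem Usage: AuditOldPasswordAllowedPeriod Minutes   (Minutes = the value you deployed)
if {%1}=={} @echo AuditOldPasswordAllowedPeriod Minutes&goto :EOF
if %1 NEQ +%1 @echo AuditOldPasswordAllowedPeriod Minutes - %1 is not numeric&goto :EOF
setlocal
set key=HKLM\SYSTEM\CurrentControlSet\Control\Lsa
set /a expected=%1
rem Check every domain controller returned by DSQUERY SERVER.
for /f "Tokens=1" %%c in ('DSQUERY SERVER -O RDN') do call :check %%c
endlocal
goto :EOF

:check
set found=N
rem REG QUERY prints "OldPasswordAllowedPeriod  REG_DWORD  0x3c"; token 3 is the hex value,
rem which SET /A converts to decimal minutes.
for /f "Tokens=3" %%v in ('REG QUERY \\%1\%key% /V OldPasswordAllowedPeriod 2^>nul ^| FIND /I "OldPasswordAllowedPeriod"') do (
 set found=Y
 set /a actual=%%v
)
if "%found%"=="N" @echo %1: value not set, SP1 default of 60 minutes applies&goto :EOF
if %actual% EQU %expected% (@echo %1: %actual% minutes - OK) else (@echo %1: %actual% minutes - expected %expected%)
goto :EOF
```

A DC that is unreachable or denies remote registry access is reported as "value not set", so confirm connectivity before treating that line as a configuration gap.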