After applying Service Pack 1 for Windows Server 2003, domain users can use their old password to access the network for an administrator-definable time period after the password has been changed.

NOTE: Kerberos authentication is unaffected by this behavior change, as is interactive logon behavior.

The default old password lifetime period is 60 minutes. To alter the lifetime period for old passwords, I have scripted OldPasswordAllowedPeriod.bat.

The syntax for using OldPasswordAllowedPeriod.bat is:

OldPasswordAllowedPeriod Minutes

Where Minutes is the number of minutes for the lifetime period for old passwords.

NOTE: This script can be run on Windows Server 2003, or on a Windows XP domain member with the Windows Server 2003 adminpak.msi installed.

OldPasswordAllowedPeriod.bat contains:

@echo off
rem Require exactly one numeric argument: the lifetime in minutes.
if {%1}=={} @echo OldPasswordAllowedPeriod Minutes&goto :EOF
if %1 NEQ +%1 @echo OldPasswordAllowedPeriod Minutes - %1 is not numeric&goto :EOF
set key=HKLM\SYSTEM\CurrentControlSet\Control\Lsa
set /a minutes=%1
rem Write the value to the registry of every domain controller in the domain.
for /f "Tokens=1" %%c in ('DSQUERY SERVER -O RDN') do (
 @echo REG ADD \\%%c\%key% /V OldPasswordAllowedPeriod /T REG_DWORD /F /D %minutes%
 REG ADD \\%%c\%key% /V OldPasswordAllowedPeriod /T REG_DWORD /F /D %minutes%
)
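
Because the script writes the value into each domain controller's own registry, a controller that was unreachable when it ran keeps the 60-minute default. The following audit script is an added example, not part of the original tip; the name AuditOldPasswordAllowedPeriod and the optional ExpectedMinutes argument are assumptions made for the example. It reads the value back from every domain controller and separates "not set" from "could not be read".

```bat
@echo off
rem Added example, not part of the original tip. The script name and the
rem optional ExpectedMinutes argument are assumptions made for this example.
rem Usage: AuditOldPasswordAllowedPeriod [ExpectedMinutes]
setlocal EnableDelayedExpansion
set key=HKLM\SYSTEM\CurrentControlSet\Control\Lsa
set want=%1
for /f "Tokens=1" %%c in ('DSQUERY SERVER -O RDN') do (
 set value=
 rem Query the key first so an unreachable DC is not reported as "not set".
 REG QUERY "\\%%~c\%key%" >nul 2>&1
 if errorlevel 1 (
  @echo %%~c: UNKNOWN - cannot read %key%
 ) else (
  rem Token 3 of the matching line is the DWORD in hex; set /a converts it.
  for /f "Tokens=3" %%v in ('REG QUERY "\\%%~c\%key%" /V OldPasswordAllowedPeriod 2^>nul ^| find /i "REG_DWORD"') do set /a value=%%v
  if not defined value (
   @echo %%~c: not set - default of 60 minutes applies
  ) else (
   @echo %%~c: !value! minutes
   if defined want if !value! NEQ !want! @echo %%~c: MISMATCH - expected !want! minutes
  )
 )
)
endlocal
```

Run it after OldPasswordAllowedPeriod.bat, passing the same number of minutes, and again whenever a domain controller is added to the domain.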