13.2 Users Can Login Using the Old Password

Issue: When users use the LDAP Password only chain for authentication and change their LDAP password, they are still able to log in with their old LDAP password.

Workaround: You must disable the cache logon on Domain Controllers. To disable the cache logon, you must make the following registry changes:

  1. Open the registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\.

  2. Create a DWORD parameter OldPasswordAllowedPeriod and set the parameter’s value to 0.