windows 9x password circus

joe_letter
I've been perplexed by what seems like it should be a simple problem. I have a winnt4.5 sbs network with a bunch of win 95/98/me systems. For maint/repair reasons we occasionally reset the network password on the server so we can log in as the user. However, when the network password is changed, the local Windows password does not change. Therefore we still cannot log into the profile, and since logging into the profile itself is sometimes critical to successful troubleshooting of an issue, the profile password becomes a problem. As far as I am concerned I'd like to do away with the profile password and use only the network password as with nt/2k/xp. However, I don't think I want to do away with profiles entirely. What solutions might I try? I find this problem a real stumper.

badidea1 : use a standard windows password    
        bad : users have to login twice

badidea2 : ask the users to change passwords
        bad: often user is not around


Any suggestions?

Thanks.
98 is a pain in this situation, best solution is to upgrade machines to NT workstations or higher.

You know that if you run sysedit and select the system.ini, scroll down to the bottom and delete everything under [Password Lists]. This will force the user to enter a new password in win98; set this to the new NT username and password. Then you are back to one login.

Author commented:
novell2nt ... very interesting point.. thanks.

Stevenlewis.. I think this is close to an answer. In some of my own research I've found that in addition to those instructions the pwl file also needs to be deleted.

However, I guess I am looking for the lowest work required solution... not a solution I have to manually carry out on every workstation. I've heard that a network password expiration actually pulls up the dialog box to change both the network and the Windows passwords. This might be ideal, if it a) worked/was true and b) I knew how to force expire user passwords from the sbs4.5 (winnt) server.

If I understand it, you have users on 98 machines and you change their passwords in NT's User Manager for Domains.  You also have profiles so I assume that your 98 machines have joined your NT domain.

There are two passwords at play when a 98 machine joins an NT domain: 'Microsoft Networking Client' and the 'Windows Logon'. The networking client is validated by your NT Security and the Windows Logon is validated by the local PWL file.

Assuming that your logon screen is set to use the Networking Client, you enter the username and the password and it's validated against the NT Server and you either get in or you don't. If you do (assuming that there is a profile on the local machine), the password is validated by the username.pwl file. If the password doesn't match, then it will give you an error message.

However if you get the error message - it doesn't matter because there is no security behind this second password check other than it may hold passwords for mail, and things like that.

I think what I would do is to figure out a scheme to delete the local PST files when you do password changes.  You might consider a logon script and deleting the file that way.  I assume you have administrative rights so you could always connect to the C$ of the 98 machine and delete the PWL file manually.  The best solution would be to not make it a common practice to change passwords from the server.

Harry

Author commented:
I tried turning off password caching.... that broke Outlook. I had to rebuild Outlook profiles. I am waiting to see if I have any other broken applications...

Joe, you're right, if you turn off password caching, then Outlook isn't going to see the passwords in the pwl file.

If you change the password from the server, exactly what is the problem that you are having? Is it simply that you get the second password screen?? Or, is there something more happening that I don't know about? As I said above, any user can just 'Cancel' on the second password screen, or enter the old password and go on with life.

Harry

Try this


http://support.microsoft.com/default.aspx?scid=kb;EN-US;q230598

I have not used this, let me know if it works.

The link above did not work for me.

I guess that you could access their system.ini file and remove the lines under [Password List]
This will force them to enter a new 98 password, as long as they enter their new domain password as their new 98 password they will not be prompted for the second password and you will not have to go from machine to machine.
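
The system.ini cleanup described in the comments above, as an added example that is not part of the original thread: a Python sketch that lists the user-to-PWL mappings under [Password Lists] and returns the file text with those mappings removed. The sample file contents and the function name are constructed for illustration, and entries are assumed to have the form USER=path.

```python
# Added example (not from the thread). SAMPLE_SYSTEM_INI is constructed.
# A line-based pass is used instead of configparser because system.ini
# legitimately repeats keys (several device= lines in [386Enh]).

SAMPLE_SYSTEM_INI = (
    "[386Enh]\r\n"
    "device=*vshare\r\n"
    "device=*dynapage\r\n"
    "\r\n"
    "[Password Lists]\r\n"
    "JOE=C:\\WINDOWS\\JOE.PWL\r\n"
    "MARY=C:\\WINDOWS\\MARY.PWL\r\n"
    "\r\n"
    "[drivers32]\r\n"
    "msacm.lhacm=lhacm.acm\r\n"
)


def split_password_lists(ini_text):
    """Return (entries, cleaned_text).

    entries      -- list of (user, pwl_path) found under [Password Lists];
                    these are the .pwl files that also have to be deleted.
    cleaned_text -- the input with those mappings removed. The section
                    header and every other section are left untouched.
    """
    entries, kept = [], []
    in_section = False
    for line in ini_text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            # Section names are case-insensitive in INI files.
            in_section = stripped.lower() == "[password lists]"
            kept.append(line)
            continue
        if in_section and "=" in stripped and not stripped.startswith(";"):
            user, _, path = stripped.partition("=")
            entries.append((user.strip(), path.strip()))
            continue  # drop the mapping line
        kept.append(line)
    return entries, "".join(kept)


if __name__ == "__main__":
    found, cleaned = split_password_lists(SAMPLE_SYSTEM_INI)
    for user, path in found:
        print(f"{user}: also delete {path}")
    print(cleaned)
```
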

Author commented:
Turning off password caching is the best solution.

I had to do two other things to really make this all work.
.del @.pwl
.copy outlook profile to a new one (this rebuilds it)

Now I can change the password at the server to do maintenance and still log in to the correct profile. Users don't have to worry about two passwords and keeping them in sync. I don't have to worry about the security problems of leaving a pwl file on each machine.

The real gotcha was Outlook. I worked for quite a while trying to undo the damage done.

Thanks everyone.

I have found this also, but have noticed that if I remove the username.pwl file from Windows, then the next time it tries to log in it asks for confirmation of the password (to write the pwl file). Change both password and confirmation to be blank and it will never ask again.
Hope this helps.
