Removing the LAN Manager Hash using Group Policy

I'm gearing up for a security audit and one thing I'd like to try is removing the lm hash file from my machines.  It looks like a simple GP change:

http://support.microsoft.com/kb/299656

I'm just curious how exactly this should work.  From what I've read the LM hash is stored in the c:\windows\system32\config folder in a SAM file.  Once I create the new policy should that file be gone from the machine?  I need a way to confirm that its doing what I think it should be doing.
LVL 1
First LastAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

dave_itCommented:
My understanding of that setting is that a workstation will not store the LAN Manager hash starting the next time a password is changed.  So it's not an immediate elimination of the LM hash, but it will eventually go away as long as users are forced to change their passwords regularly.
0
First LastAuthor Commented:
Ouch, the audit is on Wednesday of next week.  Let me dig around and see if I can find more info on that one, I'm testing now as well.  Thanks for the tip!
0
First LastAuthor Commented:
Are you sure we're talking about the same policy?  I see two similar options:

Network security:  Do not store LAN manager hash value on next password change

and

Network security:  Do not allow storage of passwords and credentials for network authentication

I'm using the second option.
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

First LastAuthor Commented:
So I've been testing and my plan was to compare the size of the SAM file after making the change.  I discovered that each SAM file is exactly 256kb on every machine I've checked, even on different operating systems.  So I don't think my plan to verify its working would be valid if the file size does not change.

Any way for me to easily check this?
0
First LastAuthor Commented:
As it turns out domain accounts are not stored in the SAM file but in the registry.  The only way I could find to remove stored accounts after the GPO change is manually visiting each station
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
First LastAuthor Commented:
Found my own solution
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.