I have a domain controller and a workstation that is a member of this domain.
The domain (2003 SP2) has LMCompatibilityLevel set to 4.
The workstation (XP SP3) has LMCompatibilityLevel set to 3 and NoLMHash set to 1.
I logged on to the workstation as a user with domain admin rights, then used a tool called mscvtl.exe to list the credentials and got the following:
Using fgdump on the domain I got the following:
As you can see the hashes obtained from both the domain and the workstation are the same.
I know that cached credentials are different from LM and NTLM hashes, as they are hashed with the username.
So my questions based on this:
Why are the cached credentials on the workstation exactly the same as the ones on the domain (not different from them)?
Why is LM being stored on the station despite the fact that NoLMHash is set to prevent the LM hash from being stored?