Solved

Store password using reversible encryption for all users in the domain enabled

Posted on 2007-03-29
1
1,318 Views
Last Modified: 2012-06-27
It has recently been discovered that the Password Policy option "Store password using reversible encryption for all users in the domain" is currently enabled.

We have confirmed that there are no systems within our infrastructure that require this feature.  Knowing this, we would like to harden the password policy and disable this feature.  

Question:  If we go ahead and disable it, will users be affected in any way, e.g., users required to change password, etc.

Thanks for any help!
0
Comment
Question by:bsohn417
1 Comment
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 500 total points
ID: 18819560
Your users will not be immediately prompted to change their passwords unless you manually that option. However, the reversible-encryption version of their password will remain stored in AD until the next time they change.

So in reality you should plan to force a password change in order for this step to do any good, since merely disabling that checkbox will only prevent passwords from being stored this way for any new accounts that are created; any existing passwords will remain stored in AD using reversible encryption until the next time the password is changed.

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In-place Upgrading Dirsync to Azure AD Connect
This article explains the steps required to use the default Photos screensaver to display branding/corporate images
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question