Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Store password using reversible encryption for all users in the domain enabled

Posted on 2007-03-29
1
Medium Priority
?
1,379 Views
Last Modified: 2012-06-27
It has recently been discovered that the Password Policy option "Store password using reversible encryption for all users in the domain" is currently enabled.

We have confirmed that there are no systems within our infrastructure that require this feature.  Knowing this, we would like to harden the password policy and disable this feature.  

Question:  If we go ahead and disable it, will users be affected in any way, e.g., users required to change password, etc.

Thanks for any help!
0
Comment
Question by:bsohn417
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 2000 total points
ID: 18819560
Your users will not be immediately prompted to change their passwords unless you manually that option. However, the reversible-encryption version of their password will remain stored in AD until the next time they change.

So in reality you should plan to force a password change in order for this step to do any good, since merely disabling that checkbox will only prevent passwords from being stored this way for any new accounts that are created; any existing passwords will remain stored in AD using reversible encryption until the next time the password is changed.

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
0

Featured Post

Enroll in September's Course of the Month

This month’s featured course covers 16 hours of training in installation, management, and deployment of VMware vSphere virtualization environments. It's free for Premium Members, Team Accounts, and Qualified Experts!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Suggested Courses

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question