Clear password history

Question

  • I have found myself in a situation that requires me to clear the password history for all the users in my directory. My first thought was to review the available attributes to see if I could find where password history is being stored. What I discovered was that there are two attributes, ntPwdHistory and lmPwdHistory, and that those attributes appear to be locked by SAM. Is there a way I can clear the password history for all my users?

    - Isaiah
    Friday, March 05, 2010 9:58 PM

Answers

  • Hello,

    As far as I know there is no way to clear the password history.
    Best regards, Meinolf Weber. Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Bruce-Liu Friday, March 12, 2010 9:15 AM
    Sunday, March 07, 2010 9:29 PM

All replies

  • When you say clear password history I assume you mean the "remembered" passwords that the domain keeps so a user cannot reuse a password until it has been reset a number of times?

    A couple of things come to mind. Change the password policy's remembered-password count to 0 and then see if the user can reset their password to the same/current password they have.

    Another option, which would require some scripting, would be to create a script that changes the password for each user N times (N = number of remembered passwords per the policy). The passwords you set would be randomly generated, so the N passwords remembered would be random and the users could then reset to anything they wanted, even the one they had just previously used. This would require some coordination, as the script would reset all passwords and you would need to know the last password set on the account to allow the user to then reset to a personal password.
    Friday, March 05, 2010 10:57 PM
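The "reset N times with random passwords" approach from the reply above, written out as an added example (not code from the original thread). It assumes the ActiveDirectory module (RSAT) and rights to reset the target accounts; the OU path and the final password are placeholders. N is taken from the policy that actually applies to each user (a fine-grained password policy if one wins, otherwise the domain default). Two caveats a practitioner should keep in mind: ntPwdHistory and lmPwdHistory are secret attributes that the directory never returns over LDAP, so the only way to confirm the result is behavioural (try to reuse an old password), and the loop does not empty the history, it overwrites every slot with a hash of a random password nobody knows.

```powershell
# Added example, not from the original thread: push N random passwords
# through a user's AD password history, then leave a known final password.
#Requires -Modules ActiveDirectory

function Get-RandomIndex {
    param(
        [System.Security.Cryptography.RandomNumberGenerator]$Rng,
        [int]$Max   # 1..256
    )
    # Unbiased index in [0, Max): rejection-sample single bytes instead of a plain modulo.
    $limit = 256 - (256 % $Max)
    $b = New-Object byte[] 1
    do { $Rng.GetBytes($b) } while ($b[0] -ge $limit)
    return [int]($b[0] % $Max)
}

function New-RandomPassword {
    param([int]$Length = 24)   # must be <= 256 because of Get-RandomIndex
    # One pick from each class guarantees the default complexity rule is met.
    $classes = @(
        [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ',
        [char[]]'abcdefghijkmnopqrstuvwxyz',
        [char[]]'23456789',
        [char[]]'!@#$%^&*()-_=+[]{}'
    )
    $union = @()
    foreach ($c in $classes) { $union += $c }
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $chars = New-Object char[] $Length
    for ($i = 0; $i -lt $Length; $i++) {
        $set = if ($i -lt $classes.Count) { $classes[$i] } else { $union }
        $chars[$i] = $set[(Get-RandomIndex -Rng $rng -Max $set.Count)]
    }
    # Fisher-Yates shuffle so the class-guaranteed characters are not always first.
    for ($i = $Length - 1; $i -gt 0; $i--) {
        $j = Get-RandomIndex -Rng $rng -Max ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    $rng.Dispose()
    return -join $chars
}

function Clear-ADPasswordHistory {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Identity,
        [Parameter(Mandatory)][securestring]$FinalPassword
    )
    process {
        # N = the "Enforce password history" count that applies to this user:
        # a fine-grained policy (PSO) if one applies, else the domain default.
        $pso = Get-ADUserResultantPasswordPolicy -Identity $Identity
        $n = if ($pso) { $pso.PasswordHistoryCount }
             else { (Get-ADDefaultDomainPasswordPolicy).PasswordHistoryCount }

        if (-not $PSCmdlet.ShouldProcess($Identity, "reset password $n times with random values, then set the final password")) { return }

        for ($i = 1; $i -le $n; $i++) {
            # -Reset uses the administrative set-password path, so minimum
            # password age does not block the loop; every reset is recorded in the history.
            $random = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
            Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $random -ErrorAction Stop
        }
        # Leave the account on a password the help desk knows and make the user pick their own next.
        Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $FinalPassword -ErrorAction Stop
        Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true
    }
}

# Usage (lab first): every user under one OU, dry run with -WhatIf before the real run.
# Get-ADUser -Filter * -SearchBase 'OU=Lab,DC=example,DC=com' |
#     Select-Object -ExpandProperty SamAccountName |
#     Clear-ADPasswordHistory -FinalPassword (Read-Host -AsSecureString 'Final password') -WhatIf
```

Run it against a single test account first: each reset updates pwdLastSet and, with -ChangePasswordAtLogon, every user is forced to choose a new password the next time they sign in, which is the coordination step the reply mentions.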
  • You are right in thinking that I am talking about the passwords the domain remembers so the user can remember the N passwords. Unfortunately changing the passwords is not an option because of the nature of my environment. The objective here is that we have two directory services, eDirectory and AD, and we are working on getting the password history synced between the systems. The best solution that we have been able to come up with thus far is to delete the history in both. However, I cannot figure out how to clear ntPwdHistory.

    Any ideas? 
    Friday, March 05, 2010 11:04 PM
  • From my research you cannot delete the password history in Active Directory. Have you tried, best in a lab, changing the password policy to remember 0 passwords, then having a user reset their password, and then raising the remembered-password count again to see if the data is kept or purged when you change the policy?
    Friday, March 05, 2010 11:11 PM
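The lab experiment proposed above, as an added example (not from the original thread). Because ntPwdHistory cannot be read back, the check has to be behavioural: attempt a user-style password change (the -OldPassword/-NewPassword path, which is where the history rule is enforced) back to an earlier password, first with history enforced, then with the count set to 0, then with it raised again. It assumes a throwaway lab domain, the ActiveDirectory module, and a test user whose current password you know; the user name and passwords are constructed placeholders. Note that if the Default Domain Policy GPO sets these values, Group Policy refresh will put them back, so either edit the GPO or keep the whole run inside one refresh interval.

```powershell
# Added example, not from the original thread: does setting
# "Enforce password history" to 0 let a user go back to an old password,
# and does the history survive when the count is raised again?
#Requires -Modules ActiveDirectory

function Test-PasswordReuse {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][securestring]$Current,   # password the user has now
        [Parameter(Mandatory)][securestring]$Previous   # a password the user had earlier
    )
    try {
        # No -Reset: this is the change-password operation, subject to history and minimum age.
        Set-ADAccountPassword -Identity $Identity -OldPassword $Current -NewPassword $Previous -ErrorAction Stop
        return $true    # reuse accepted; the account is now back on $Previous
    } catch {
        # The DC rejected a password still present in the stored history (or another policy rule).
        Write-Verbose $_.Exception.Message
        return $false
    }
}

$domain = (Get-ADDomain).DNSRoot
$user   = 'labuser1'                                                        # constructed lab account
$pwA    = ConvertTo-SecureString 'Lab-Password-A1!' -AsPlainText -Force    # constructed lab value
$pwB    = ConvertTo-SecureString 'Lab-Password-B2!' -AsPlainText -Force    # constructed lab value

# Minimum password age would block an immediate user change; relax it for the lab only.
Set-ADDefaultDomainPasswordPolicy -Identity $domain -MinPasswordAge ([TimeSpan]::Zero) -PasswordHistoryCount 24

# Seed the history: A (admin reset), then B (user change). Current password is now B.
Set-ADAccountPassword -Identity $user -Reset -NewPassword $pwA
Set-ADAccountPassword -Identity $user -OldPassword $pwA -NewPassword $pwB

"History count 24, change B -> A: $(Test-PasswordReuse -Identity $user -Current $pwB -Previous $pwA)"

# Step 1 of the experiment: remember 0 passwords, try the same change again.
Set-ADDefaultDomainPasswordPolicy -Identity $domain -PasswordHistoryCount 0
$reused = Test-PasswordReuse -Identity $user -Current $pwB -Previous $pwA
"History count 0,  change B -> A: $reused"

# Step 2: raise the count again. If the account is on A now, trying to go back
# to B shows whether the stored entries were kept (rejected) or purged (accepted).
Set-ADDefaultDomainPasswordPolicy -Identity $domain -PasswordHistoryCount 24
if ($reused) {
    "History count 24 again, change A -> B: $(Test-PasswordReuse -Identity $user -Current $pwA -Previous $pwB)"
}
```

Run it with -Verbose to see the exact error text the domain controller returns on a rejected change, which distinguishes a history rejection from a complexity or length failure.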
  • Hi,

    I am looking for a way to implement it in the forest for all users? Please let me know...

    Tuesday, September 27, 2011 4:31 PM
  • Check out this tool. I haven't tried it, but screenshots look promising:

    http://www.passcape.com/remove_active_directory_password_history

    Thursday, February 07, 2013 3:59 PM