Password Reversible Encryption

    Question

  • Hi All,

    1. How the reversible encryption Policy Works ??

    If I enable the policy where the Password will save ?? (Location). I need my last 13 Passwords should save in a Location.

    2. Password Must Contain Upper and Lower case all over Domain.

    In my org they want to set Password Complexity, They must need Upper and Lower case in Password. As per default complexity 4 condition are there

    Contain characters from three of the following four categories:

      1. English uppercase characters (A through Z)
      2. English lowercase characters (a through z)
      3. Base 10 digits (0 through 9)
      4. Non-alphabetic characters (for example, !, $, #, %)

    In that case Abc123 also work and abc@123 also work. But I need every password should Contain Upper and Lower case. How to achieve this ??

    Many thanks in advance :)



    Regards, Hari Prasad.D

    Tuesday, December 30, 2014 9:54 AM

Answers

  • Hi Hari,

    >>If I enable the policy where the Password will save ?? (Location). I need my last 13 Passwords should save in a Location.

    As the following article states: The users' password hash is stored in the Active Directory on a user object in the unicodePwd attribute. 

    Forum FAQ: How is user password of user objects stored in Active Directory? Can I view it? Can I modify it?

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/034a0e33-a8ab-474e-ba6c-3371724d0be1/forum-faq-how-is-user-password-of-user-objects-stored-in-active-directory-can-i-view-it-can-i?forum=winserverDS

    1. How the reversible encryption Policy Works ??

    It's not recommended that we enable this setting unless business requirements outweigh the need to protect password information.

    Regarding this setting, the following article can be referred to for more information.

    Store passwords using reversible encryption

    http://technet.microsoft.com/en-us/library/hh994559(v=ws.10).aspx

    >>In that case Abc123 also work and abc@123 also work. But I need every password should Contain Upper and Lower case. How to achieve this ??

    As far as I know, password must meet complexity requirements can't help us do this. To do this, we may refer to some third party tool.

    Best regards,

    Frank Shen


    Thursday, January 01, 2015 9:40 AM
    Moderator
  • Hi All,

    1. How the reversible encryption Policy Works ??

    If I enable the policy where the Password will save ?? (Location). I need my last 13 Passwords should save in a Location.

    2. Password Must Contain Upper and Lower case all over Domain.

    In my org they want to set Password Complexity, They must need Upper and Lower case in Password. As per default complexity 4 condition are there

    Contain characters from three of the following four categories:

      1. English uppercase characters (A through Z)
      2. English lowercase characters (a through z)
      3. Base 10 digits (0 through 9)
      4. Non-alphabetic characters (for example, !, $, #, %)

    In that case Abc123 also work and abc@123 also work. But I need every password should Contain Upper and Lower case. How to achieve this ??

    Many thanks in advance :)

    A helpful article with further links for reading on this topic is here: http://blogs.technet.com/b/askds/archive/2009/05/19/understanding-password-policies.aspx

    Note that although Group Policy is used for enabling password policy settings, the way the settings really work, is actually a feature/behaviour of Windows and Directory Services. As such, you may also find further help/experience in the winserverDS forum.


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)


    Thursday, January 01, 2015 10:14 AM
  • 1. How the reversible encryption Policy Works ??

    If I enable the policy where the Password will save ?? (Location). I need my last 13 Passwords should save in a Location.

    Passwords for AD user accounts are stored in AD.
    If you enable "Store passwords using reversible encryption", the passwords are still stored in AD, but the passwords are stored in a less-secure format.

    Password History, when enabled, stores the specified number of previous passwords in AD, and during a password change operation, the proposed new-password is compared with the stored previous passwords, and the proposed new-password is refused if not compliant with password policy. (history/length/age/complexity)

    2. Password Must Contain Upper and Lower case all over Domain.

    Enforcing this specific requirement is not possible with the built-in password policy filters in Windows. As mentioned in the linked AskDS blog post, http://blogs.technet.com/b/askds/archive/2009/05/19/understanding-password-policies.aspx , "English uppercase" and "English lowercase" are two of the five categories - and when Password Complexity is enabled, *ANY* three of the five categories are acceptable - you cannot choose which of the five categories will be acceptable, using built-in password policy - as mentioned by Frank Shen, you may consider 3rd party (non-MSFT) password filters/solutions to meet your requirement. (or, revise your requirement, and use the built-in features, if that is agreeable to your organisation)


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)


    Thursday, January 01, 2015 10:28 AM
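
The difference between the built-in "any three of five categories" rule and the requirement asked for in the question, as an added example that is not part of the original thread and is not Windows code. It is a Python model of the decision logic only: the function names, the special-character list and the sample passwords are assumptions made for illustration, and the built-in rule's length and account-name checks are left out.

```python
# Model of the category test discussed above (illustrative, not a Windows password filter).

# Assumed list of characters counted as "non-alphabetic"/special by the built-in rule.
SPECIAL = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")


def categories(password):
    """Return the set of character categories present in the password."""
    found = set()
    for ch in password:
        if ch in "0123456789":
            found.add("digit")
        elif ch.isupper():
            found.add("upper")
        elif ch.islower():
            found.add("lower")
        elif ch in SPECIAL:
            found.add("special")
        elif ch.isalpha():
            # Fifth category: letters that have no upper/lower case form.
            found.add("other_letter")
    return found


def builtin_complexity_ok(password):
    """Built-in behaviour: ANY three of the five categories are enough."""
    return len(categories(password)) >= 3


def upper_and_lower_required_ok(password):
    """Stricter rule from the question: three categories, and both
    uppercase and lowercase must be among them."""
    cats = categories(password)
    return len(cats) >= 3 and {"upper", "lower"} <= cats


def compare(passwords):
    """Return (password, built-in result, stricter result) for each input."""
    return [(p, builtin_complexity_ok(p), upper_and_lower_required_ok(p))
            for p in passwords]


if __name__ == "__main__":
    # Constructed sample passwords, including the two from the question.
    for row in compare(["Abc123", "abc@123", "ABC@123", "abc123"]):
        print("%-8s built-in=%-5s upper+lower=%s" % row)
```

The passwords that pass the first check but fail the second are the gap a custom password filter would have to close.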
