3

There is a setting in the Active Directory password policy to turn "reversible encryption" on or off. Currently I have this feature turned on, and I am planning to turn it off. What effect will this have on the existing accounts? Will they no longer be able to log in? Will they be forced to change their password on next login? What should I expect?

2 Answers

4

Nothing immediate will happen. The reversible password is stored separately from the normal password so the passwords will keep working.

I think starting with Windows 2008, if you disable this option then the domain controllers will wipe out the reversible passwords for all affected users. Prior to Windows 2008 the password would stick around until the user changes their password, at which time the reversible copy is deleted.

longneck
  • Just to be clear with Win2k8, if the domain controllers wipe out the reversible passwords, I'm assuming I will need to assign new passwords to everyone, since AD will no longer be able to authenticate users? – Barthalameu James Simpson Jun 24 '13 at 17:12
  • No. Re-read my second sentence. When you enable reversible encryption you aren't changing the way the password is stored; your password is stored a second time in a separate field. So deleting the reversible password does not affect the normal password. – longneck Jun 24 '13 at 17:28
4

The passwords will continue to be stored using reversible encryption until that password is updated. All users will be able to log in.

What you should do is to change this setting and then expire everyone's passwords, so that they must change them, and thus have a non-reversible hash stored.

MDMarra
  • Seems like a weird choice imo, I mean if the password can be reversed anyway, why doesn't it just reverse the password, store the hash and drop the reversible copy? – My1 Feb 04 '20 at 13:47
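An added example (not from either answer) showing the follow-up work the second answer describes, written for the ActiveDirectory PowerShell module. It reports the two places reversible storage can remain enabled after the domain policy is turned off (the per-account flag and fine-grained password policies) and, with -Expire, forces a password change for accounts whose password predates the policy change, so the stored cleartext copy is replaced by a hash on next logon. The parameter names $PolicyChangedOn, $SearchBase and $Expire are my own choices.

```powershell
<#
Added example, not from the answers above. Assumes the ActiveDirectory RSAT
module and that $PolicyChangedOn is the date the domain password policy
"Store passwords using reversible encryption" was turned off.
Run it without -Expire first to review who would be affected.
#>
param(
    [Parameter(Mandatory)][datetime]$PolicyChangedOn,
    [string]$SearchBase,   # optional OU to limit scope, e.g. "OU=Staff,DC=example,DC=com"
    [switch]$Expire        # actually set "user must change password at next logon"
)
Import-Module ActiveDirectory

# 1. Per-account override: userAccountControl bit 0x80 (ENCRYPTED_TEXT_PWD_ALLOWED)
#    keeps reversible storage on for that user regardless of the domain policy.
Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl |
    ForEach-Object {
        Write-Warning "$($_.SamAccountName) has the per-account reversible-encryption flag; clear it with: Set-ADUser $($_.SamAccountName) -AllowReversiblePasswordEncryption `$false"
    }

# 2. A fine-grained password policy (PSO) applied to a group can re-enable it too.
Get-ADFineGrainedPasswordPolicy -Filter 'ReversibleEncryptionEnabled -eq $true' |
    ForEach-Object { Write-Warning "PSO '$($_.Name)' still has ReversibleEncryptionEnabled set" }

# 3. Accounts whose password was last set before the policy change still carry the
#    reversible copy until the password changes. List them, and expire them on request.
$query = @{ Filter = 'Enabled -eq $true'; Properties = 'PasswordLastSet', 'PasswordNeverExpires' }
if ($SearchBase) { $query.SearchBase = $SearchBase }

$stale = Get-ADUser @query |
    Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $PolicyChangedOn }

$expired = 0
foreach ($u in $stale) {
    if ($u.PasswordNeverExpires) {
        # Typically a service account: forcing a logon-time change would break it,
        # so rotate its password through the owning application instead.
        Write-Warning "$($u.SamAccountName) skipped (PasswordNeverExpires); rotate manually"
        continue
    }
    if ($Expire) {
        Set-ADUser -Identity $u -ChangePasswordAtLogon $true
        $expired++
    } else {
        "Would expire: $($u.SamAccountName) (password last set $($u.PasswordLastSet))"
    }
}
"Accounts with pre-change passwords: $($stale.Count); expired now: $expired"
```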