
The setting "Store passwords using reversible encryption" is enabled in our domain and we need to revert this. What happens when this is changed? Will all passwords be encrypted? Or will all users be forced to change their password for it to be encrypted? If all passwords are encrypted, will the unencrypted store as referenced here be deleted?

I see questions for this here but this was a few years ago and I wanted to confirm what a 2012 R2 DC will do now.

Thanks

zsheppard

1 Answer


Nothing will happen immediately. Passwords that are in the reversible encryption format will stay that way. Users will still be able to log in using those passwords. No passwords will expire because you changed this setting.

The next time a password is set, either because the user changed it or an admin did, it will be stored using a one-way method.

This is still true all the way up to Server 2016.

longneck
  • Thanks @longneck. So all users would have to change their passwords for the reversible format to be negated? Their reversible passwords would still be stored no matter what? – zsheppard Feb 03 '18 at 00:55
  • Correct, a password will remain in its current format until the password is changed. Something like KnowBe4's Weak Password Test tool will identify passwords stored with reversible encryption. https://www.knowbe4.com/weak-password-test – longneck Feb 05 '18 at 14:24
  • Still, you may force your users to change their password at their next logon: https://technet.microsoft.com/en-us/library/dd391883(v=ws.10).aspx – curropar Feb 05 '18 at 16:01
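The remediation the answer and comments describe (existing passwords stay reversible until changed, so force a change for the accounts that set theirs while the policy was on), as an added PowerShell example that is not from the question, the answer or the commenters. It assumes the RSAT ActiveDirectory module and that `$RevertedOn` is the date you cleared the policy; since the page names no attribute that reveals a stored password's format, the last-set date is used as the proxy.

```powershell
# Added example: find accounts whose password was last set before the policy
# was reverted (or that still carry the per-account reversible override) and
# require a new password at next logon. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$RevertedOn = Get-Date '2018-02-05'   # assumption: when the domain policy was cleared

$props = 'PasswordLastSet', 'PasswordNeverExpires',
         'AllowReversiblePasswordEncryption', 'Enabled'

# Stale = password set before the revert (still in reversible form on the DC),
# never set, or the per-account override that re-enables reversible storage.
$stale = Get-ADUser -Filter 'Enabled -eq $true' -Properties $props |
    Where-Object {
        ($null -eq $_.PasswordLastSet) -or
        ($_.PasswordLastSet -lt $RevertedOn) -or
        ($_.AllowReversiblePasswordEncryption -eq $true)
    }

# Report first. Accounts with PasswordNeverExpires (typically service accounts)
# cannot be flagged for change-at-logon and need a manual password reset.
$stale |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires,
                  AllowReversiblePasswordEncryption |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize

# Remediate the remaining accounts: clear the per-account override and force a
# change at next logon. -WhatIf makes this a dry run; remove it to apply.
$stale | Where-Object { -not $_.PasswordNeverExpires } | ForEach-Object {
    Set-ADUser -Identity $_ `
               -AllowReversiblePasswordEncryption $false `
               -ChangePasswordAtLogon $true `
               -WhatIf
}
```

Run the report stage on its own first; once every remaining account has a PasswordLastSet later than `$RevertedOn`, the reversible copies the answer refers to have all been replaced.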