Overview#

Password Properties. Part of Microsoft Active Directory Domain Policy.

PwdProperties is a bitmask field that indicates password complexity and storage restrictions.

The PwdProperties attribute holds an unsigned long integer whose individual bits each represent a true/false policy. Most of these policies can be configured in the default domain policy Group Policy object (GPO), under the Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy folder.

For example, the DOMAIN_PASSWORD_COMPLEX setting, which can be configured through a GPO's Passwords must meet complexity requirements policy, occupies pwdProperties' first bit.

There are far more details than you want to know about in the Security Account Manager (SAM) Remote Protocol Specification (Client-to-Server).

| Property | Value |
|---|---|
| CN | Pwd-Properties |
| Ldap-Display-Name | pwdProperties |
| Size | Integer: DOMAIN_PASSWORD_COMPLEX 1, DOMAIN_PASSWORD_NO_ANON_CHANGE 2, DOMAIN_PASSWORD_NO_CLEAR_CHANGE 4, DOMAIN_LOCKOUT_ADMINS 8, DOMAIN_PASSWORD_STORE_CLEARTEXT 16, DOMAIN_REFUSE_PASSWORD_CHANGE 32 |
| Update Privilege | Domain administrator |
| Update Frequency | When the policy for a user changes. |
| Attribute-Id | 1.2.840.113556.1.4.93 |
| System-Id-Guid | bf967a0b-0de6-11d0-a285-00aa003049e2 |
| Syntax | Enumeration |

Explanation of Bit Fields#

| Property | Value | Description |
|---|---|---|
| DOMAIN_PASSWORD_COMPLEX | 1 | Windows Complexity |
| DOMAIN_PASSWORD_NO_ANON_CHANGE | 2 | The password cannot be changed without logging on. Otherwise, if your password has expired, you can change your password and then log on. |
| DOMAIN_LOCKOUT_ADMINS | 8 | Allows the built-in administrator account to be locked out from network logons. |
| DOMAIN_PASSWORD_STORE_CLEARTEXT | 16 | Forces the client to use a protocol that does not allow the Domain Controller to get the plaintext password. |
| DOMAIN_REFUSE_PASSWORD_CHANGE | 32 | Removes the requirement that the machine account password be automatically changed every week. This value should not be used as it can weaken security. |
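
The bitmask described above can be decoded and checked during a policy review. The following is an added example, not part of the original page: it reads `pwdProperties` from an LDIF-style export, lists the set flags, and reports findings. The sample LDIF, the domain name `example.test`, the function names, and the choice of which flags count as findings are assumptions of this example; flag names and values come from the table on this page.

```python
import enum
import re

class PwdProperties(enum.IntFlag):
    # Flag names and values exactly as listed in the table on this page.
    DOMAIN_PASSWORD_COMPLEX = 1
    DOMAIN_PASSWORD_NO_ANON_CHANGE = 2
    DOMAIN_PASSWORD_NO_CLEAR_CHANGE = 4
    DOMAIN_LOCKOUT_ADMINS = 8
    DOMAIN_PASSWORD_STORE_CLEARTEXT = 16
    DOMAIN_REFUSE_PASSWORD_CHANGE = 32

KNOWN_MASK = 63  # OR of the six documented bits

# Constructed sample: LDIF-style export of a domain object (not real data).
SAMPLE_LDIF = """dn: DC=example,DC=test
objectClass: domainDNS
pwdProperties: 49
"""

def parse_pwd_properties(ldif_text):
    """Extract the integer pwdProperties value from LDIF-style text."""
    m = re.search(r"^pwdProperties:\s*(\d+)\s*$", ldif_text, re.M | re.I)
    if m is None:
        raise ValueError("pwdProperties attribute not found")
    return int(m.group(1))

def decode(value):
    """Return (names of set flags, leftover bits not in the table)."""
    names = [f.name for f in PwdProperties if value & f.value]
    return names, value & ~KNOWN_MASK

def audit(value):
    """Policy findings; which flags count as findings is this example's choice."""
    findings = []
    if not value & PwdProperties.DOMAIN_PASSWORD_COMPLEX:
        findings.append("complexity requirement is not enabled")
    if value & PwdProperties.DOMAIN_PASSWORD_STORE_CLEARTEXT:
        findings.append("DOMAIN_PASSWORD_STORE_CLEARTEXT is set")
    if value & PwdProperties.DOMAIN_REFUSE_PASSWORD_CHANGE:
        findings.append("DOMAIN_REFUSE_PASSWORD_CHANGE is set")
    if value & ~KNOWN_MASK:
        findings.append("undocumented bits set: 0x%X" % (value & ~KNOWN_MASK))
    return findings

if __name__ == "__main__":
    v = parse_pwd_properties(SAMPLE_LDIF)
    print(v, decode(v), audit(v))
```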

Implementations#

Attribute Definition#

The PwdProperties AttributeTypes is defined as:

Some Other Related Attributes#

More Information#

There might be more information for this subject on one of the following:

This page (revision-11) was last changed on 27-Oct-2017 09:09 by jim