Overview#
Password Properties. Part of Domain Policy. A bit field to indicate complexity / storage restrictions.
The pwdProperties attribute holds an unsigned long integer whose individual bits each represent a true/false policy. Most of these policies can be configured under the default domain policy Group Policy object's (GPO's) Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy folder.
For example, the DOMAIN_PASSWORD_COMPLEX setting, which can be configured through a GPO's "Passwords must meet complexity requirements" policy, occupies the first bit of pwdProperties.
There are far more details than you want to know about in the Security Account Manager (SAM) Remote Protocol Specification (Client-to-Server).
|Size Integer||DOMAIN_PASSWORD_COMPLEX 1, DOMAIN_PASSWORD_NO_ANON_CHANGE 2, DOMAIN_PASSWORD_NO_CLEAR_CHANGE 4, DOMAIN_LOCKOUT_ADMINS 8, DOMAIN_PASSWORD_STORE_CLEARTEXT 16, DOMAIN_REFUSE_PASSWORD_CHANGE 32|
|Update Privilege||Domain administrator|
|Update Frequency||When the policy for a user changes.|
Explanation of Bit Fields#
|DOMAIN_PASSWORD_NO_ANON_CHANGE||2||The password cannot be changed without logging on. Otherwise, if your password has expired, you can change your password and then log on.|
|DOMAIN_LOCKOUT_ADMINS||8||Allows the built-in administrator account to be locked out from network logons.|
|DOMAIN_PASSWORD_STORE_CLEARTEXT||16||Forces the client to use a protocol that does not allow the domain controller to get the plaintext password.|
|DOMAIN_REFUSE_PASSWORD_CHANGE||32||Removes the requirement that the machine account password be automatically changed every week. This value should not be used as it can weaken security.|
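Decoding a pwdProperties value read from the domain object into the flag names listed above, as an added example that is not part of the original page or of any Microsoft tooling. The function names, the findings text and the sample values are constructed for illustration; treating bit 16 as the reversible-encryption storage setting is background knowledge added here.

```python
# Flag values as listed on this page for the pwdProperties bit field.
FLAGS = {
    1: "DOMAIN_PASSWORD_COMPLEX",
    2: "DOMAIN_PASSWORD_NO_ANON_CHANGE",
    4: "DOMAIN_PASSWORD_NO_CLEAR_CHANGE",
    8: "DOMAIN_LOCKOUT_ADMINS",
    16: "DOMAIN_PASSWORD_STORE_CLEARTEXT",
    32: "DOMAIN_REFUSE_PASSWORD_CHANGE",
}
KNOWN_MASK = sum(FLAGS)  # 63: every bit the page defines


def decode(raw):
    """Return (names of the flags set, value of any undefined bits)."""
    # LDAP returns the attribute as a decimal string and may present it as a
    # signed integer, so normalise to the unsigned 32-bit view first.
    value = int(raw) & 0xFFFFFFFF
    names = [name for bit, name in FLAGS.items() if value & bit]
    return names, value & ~KNOWN_MASK


def audit(raw):
    """Return findings a reviewer would raise for one pwdProperties value."""
    names, unknown = decode(raw)
    findings = []
    if "DOMAIN_PASSWORD_COMPLEX" not in names:
        findings.append("complexity requirements are not enforced")
    if "DOMAIN_PASSWORD_STORE_CLEARTEXT" in names:
        # Assumption added here: this bit backs the GPO setting
        # "Store passwords using reversible encryption".
        findings.append("reversible password storage is enabled")
    if "DOMAIN_REFUSE_PASSWORD_CHANGE" in names:
        # The page states this value should not be used.
        findings.append("machine account password change is not required")
    if unknown:
        findings.append(f"undefined bits set: {unknown:#x}")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from a real domain.
    for sample in ("1", "0", "49", "65"):
        names, _ = decode(sample)
        print(sample, names or ["(no flags)"], audit(sample) or ["ok"])
```

A value of 1 (complexity only) produces no findings; any bit above 32 is reported rather than silently ignored, since the page defines no meaning for it.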
- Windows 2000 Server
- Windows Server 2003
- Windows Server 2003 R2
- Windows Server 2008
Attribute Definition#
The PwdProperties AttributeTypes is defined as:
- OID of 1.2.840.113556.1.4.93
- NAME: PwdProperties
Some Other Related Attributes#
- Minimum password length
- Maximum password age
- Minimum password age
- Enforce password history (by number of passwords remembered)