Overview#

PwdProperties is the LDAP NAME for Part of Microsoft Active Directory Domain Policy and Fine Grained Password Policies (FGPP) as defined in MsDS-PasswordSettingsContainer

PwdProperties is a bitmask field to indicate complexity / storage restrictions.

PwdProperties attribute specifies an unsigned long numeric that, bit by bit, is home to several true/false policies, most of which can be configured under the default domain policy Group Policy Object's (GPO's) Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy folder.

For example, the DOMAIN_PASSWORD_COMPLEX setting, which can be configured through a GPO's Passwords must meet complexity requirements policy, occupies pwdProperties' first bit.

There are far more details than you want to know about in the Security Account Manager (SAM) Remote Protocol Specification (Client-to-Server)

Property	Value
CN	Pwd-Properties
Ldap-Display-Name	pwdProperties
Size Integer	DOMAIN_PASSWORD_COMPLEX 1 DOMAIN_PASSWORD_NO_ANON_CHANGE 2 DOMAIN_PASSWORD_NO_CLEAR_CHANGE 4 DOMAIN_LOCKOUT_ADMINS 8 DOMAIN_PASSWORD_STORE_CLEARTEXT 16 DOMAIN_REFUSE_PASSWORD_CHANGE 32
Update Privilege	Domain administrator
Update Frequency	When the policy for a user changes.
Attribute-Id	1.2.840.113556.1.4.93
System-Id-Guid	bf967a0b-0de6-11d0-a285-00aa003049e2
Syntax	Enumeration

Explanation of Bit Fields#

Property	Value	Description
DOMAIN_PASSWORD_COMPLEX	1	Windows Complexity
DOMAIN_PASSWORD_NO_ANON_CHANGE	2	The password cannot be changed without logging on. Otherwise, if your password has expired, you can change your password and then log on.
DOMAIN_LOCKOUT_ADMINS	8	Allows the built-in administrator account to be locked out from network logons.
DOMAIN_PASSWORD_STORE_CLEARTEXT	16	Forces the client to use a protocol that does not allow the Domain Controller to get the plaintext password.
DOMAIN_REFUSE_PASSWORD_CHANGE	32	Removes the requirement that the machine account password be automatically changed every week. This value should not be used as it can weaken security.

Implementations#

• Windows Server 2000
• Windows Server 2003
• Windows Server 2003 R2
• Windows Server 2008

Attribute Definition#

The PwdProperties AttributeTypes is defined as:

• OID of [1.2.840.113556.1.4.93]]
• NAME: PwdProperties
• DESC:
• EQUALITY:
• ORDERING:
• SYNTAX:
• SINGLE-VALUE
• USAGE

Some Other Related Attributes#

• Minimum password length
• Maximum password age
• Minimum password age
• Enforce password history (by number of passwords remembered)

More Information#

There might be more information for this subject on one of the following:

• 1.2.840.113556.1.4.93
• Domain Wide Account Policies
• Passwords Must Meet Complexity Requirements
• PwdProperties