Overview#PwdProperties is the LDAP NAME for Part of Microsoft Active Directory Domain Policy and Fine Grained Password Policies (FGPP) as defined in MsDS-PasswordSettingsContainer
PwdProperties is a bitmask field to indicate complexity / storage restrictions.
PwdProperties attribute specifies an unsigned long numeric that, bit by bit, is home to several true/false policies, most of which can be configured under the default domain policy Group Policy Object's (GPO's) Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy folder.
For example, the DOMAIN_PASSWORD_COMPLEX setting, which can be configured through a GPO's Passwords must meet complexity requirements policy, occupies pwdProperties' first bit.
There are far more details than you want to know about in the Security Account Manager (SAM) Remote Protocol Specification (Client-to-Server)
|Size Integer||DOMAIN_PASSWORD_COMPLEX 1|
|Update Privilege||Domain administrator|
|Update Frequency||When the policy for a user changes.|
Explanation of Bit Fields#
|DOMAIN_PASSWORD_NO_ANON_CHANGE||2||The password cannot be changed without logging on. Otherwise, if your password has expired, you can change your password and then log on.|
|DOMAIN_LOCKOUT_ADMINS||8||Allows the built-in administrator account to be locked out from network logons.|
|DOMAIN_PASSWORD_STORE_CLEARTEXT||16||Forces the client to use a protocol that does not allow the Domain Controller to get the plaintext password.|
|DOMAIN_REFUSE_PASSWORD_CHANGE||32||Removes the requirement that the machine account password be automatically changed every week.|
This value should not be used as it can weaken security.
Attribute Definition#The PwdProperties AttributeTypes is defined as:
- OID of [1.2.840.1135220.127.116.11]]
- NAME: PwdProperties
Some Other Related Attributes#
- Minimum password length
- Maximum password age
- Minimum password age
- Enforce password history (by number of passwords remembered)