!!! Overview
[{$pagename}] is the [LDAP] [NAME] for part of [Microsoft Active Directory] [Domain Policy] and [Fine Grained Password Policies] ([FGPP]) as defined in [MsDS-PasswordSettingsContainer].

[{$pagename}] is a [bitmask] field to indicate complexity / storage restrictions.

The [{$pagename}] attribute specifies an unsigned long numeric that, [bit] by [bit], is home to several [true]/[false] [policies|Policy], most of which can be configured under the default domain policy [Group Policy Object]'s ([GPO]'s) Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy folder.

For example, the DOMAIN_PASSWORD_COMPLEX setting, which can be configured through a GPO's Passwords must meet complexity requirements policy, occupies pwdProperties' first [bit].

There are far more details than you want to know about in the [Security Account Manager (SAM) Remote Protocol Specification (Client-to-Server)|MS-SAMR]

||Property||Value
|CN|[Pwd-Properties]
|Ldap-Display-Name|[pwdProperties]
|Size Integer|DOMAIN_PASSWORD_COMPLEX 1\\DOMAIN_PASSWORD_NO_ANON_CHANGE 2\\DOMAIN_PASSWORD_NO_CLEAR_CHANGE 4\\DOMAIN_LOCKOUT_ADMINS 8\\DOMAIN_PASSWORD_STORE_CLEARTEXT 16\\DOMAIN_REFUSE_PASSWORD_CHANGE 32
|Update Privilege|Domain administrator
|Update Frequency|When the [policy] for a user changes.
|Attribute-Id|[1.2.840.113556.1.4.93]
|System-Id-Guid|bf967a0b-0de6-11d0-a285-00aa003049e2
|Syntax|Enumeration

!! Explanation of Bit Fields
||Property||Value||Description
|DOMAIN_PASSWORD_COMPLEX|1|[Windows Complexity|Windows Default Password Policy]
|DOMAIN_PASSWORD_NO_ANON_CHANGE|2|The [password] cannot be changed without logging on. Otherwise, if your password has expired, you can change your password and then log on.
|DOMAIN_LOCKOUT_ADMINS|8|Allows the built-in administrator account to be locked out from network logons.
|DOMAIN_PASSWORD_STORE_CLEARTEXT|16|Forces the client to use a [protocol] that __does not allow__ the [Domain Controller] to get the [plaintext] [password].
|DOMAIN_REFUSE_PASSWORD_CHANGE|32|Removes the requirement that the machine account password be automatically changed every week.\\This value should not be used as it can weaken security.

! Implementations
* [Windows Server 2000]
* [Windows Server 2003]
* [Windows Server 2003] R2
* [Windows Server 2008]

!! Attribute Definition
The [{$pagename}] [AttributeTypes] is defined as:
* [OID] of [[1.2.840.113556.1.4.93]]
* NAME: [{$pagename}]
* DESC:
* [EQUALITY]: []
* [ORDERING]: []
* SYNTAX: []
* [SINGLE-VALUE]
* []
* USAGE []

!! Some Other Related Attributes
* [Minimum password length|minPwdLength]
* [Maximum password age|max-Pwd-Age Attribute]
* [Minimum password age|minPwdAge]
* [Enforce password history (by number of passwords remembered)|pwdHistoryLength]

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
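
The bit-by-bit layout described in the Overview, as an added example (not code from this wiki or from Microsoft): it decodes a pwdProperties value as an LDAP client returns it and lists the points worth reviewing. The function names are hypothetical, the sample values are constructed, and the signed 32-bit normalisation is an assumption about how the directory returns the integer.

```python
# Added example: flag values are the ones listed in the table on this page.
PWD_PROPERTIES_FLAGS = {
    1: "DOMAIN_PASSWORD_COMPLEX",
    2: "DOMAIN_PASSWORD_NO_ANON_CHANGE",
    4: "DOMAIN_PASSWORD_NO_CLEAR_CHANGE",
    8: "DOMAIN_LOCKOUT_ADMINS",
    16: "DOMAIN_PASSWORD_STORE_CLEARTEXT",
    32: "DOMAIN_REFUSE_PASSWORD_CHANGE",
}
KNOWN_MASK = sum(PWD_PROPERTIES_FLAGS)  # all documented bits together


def parse_pwd_properties(raw):
    """Normalise the value as an LDAP client hands it over (bytes, str or int)."""
    if isinstance(raw, bytes):
        raw = raw.decode("ascii")
    value = int(raw)
    # Assumption: the directory may return the integer as signed 32-bit,
    # so map it back to the unsigned long the attribute is defined as.
    return value & 0xFFFFFFFF


def decode_pwd_properties(raw):
    """Return (names of set flags, bits that are set but not in the table)."""
    value = parse_pwd_properties(raw)
    names = [name for bit, name in PWD_PROPERTIES_FLAGS.items() if value & bit]
    return names, value & ~KNOWN_MASK


def review_pwd_properties(raw):
    """List the points a reviewer would raise for this pwdProperties value."""
    names, unknown = decode_pwd_properties(raw)
    findings = []
    if "DOMAIN_PASSWORD_COMPLEX" not in names:
        findings.append("DOMAIN_PASSWORD_COMPLEX is clear: complexity not enforced")
    if "DOMAIN_REFUSE_PASSWORD_CHANGE" in names:
        findings.append("DOMAIN_REFUSE_PASSWORD_CHANGE is set: page says not to use it")
    if unknown:
        findings.append(f"bits outside the documented flags are set: {unknown:#x}")
    return findings


if __name__ == "__main__":
    for sample in (b"1", "17", 32, -2147483647):  # constructed sample values
        print(sample, decode_pwd_properties(sample), review_pwd_properties(sample))
```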