USING ADSIEdit to change DOMAIN_PASSWORD_NO_CLEAR_CHANGE

eric hela

Hi, good guys, can someone help me please? Sorry, I have to repost this again to
this forum because I have not got any answer.

Our IT auditor recommended "Prevent transfer of passwords in clear text" and
"Password cannot be changed without logging on". They said to implement that
using ADSIEdit, but I don't know how to do that. I got into ADSIEdit but don't
know where to start. I have not used ADSIEdit before and don't know where to
modify.

Can someone help me with the exact steps, please? I have not found any
steps on the internet on how to modify this.

thank you for your help

Eric
 
Joe Richards [MVP]

Microsoft purposely took the option to set "user must log on to change
password" away in the policy screens in Windows 2000. I don't recall the
details, as that was forever ago, but I believe it was because it caused
considerable issues.

I am not sure what your IT auditor means by the clear text statement.

Make them clarify the statements.

In general, I really don't recommend using ADSIEDIT to change policy
settings; if they can't be changed in the Group Policy screens, then you
need to be careful.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
eric hela

Thanks Joe,

The values are discussed on
http://windowssdk.msdn.microsoft.com/en-us/library/ms718417.aspx under
Domain Password Information.
The password properties I am referring to are:
DOMAIN_PASSWORD_NO_ANON_CHANGE
DOMAIN_PASSWORD_NO_CLEAR_CHANGE (0x00000004L)

I don't know how to get to that using ADSI.

If Microsoft purposely took the options off, as Joe says, does anyone have a
good reason why this would be so? I just need to convince my boss that that
is the case, and sometimes bosses only want to hear from the auditors.

thanks
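As an added example (not from anyone in this thread): a read-only PowerShell check that decodes the pwdProperties bitmask on the domain head, so you can show the auditor which of these flags are already set without touching ADSIEdit. The flag constants are the published DOMAIN_PASSWORD_* values from lmaccess.h; the sample value is constructed, and the live read at the end assumes the ActiveDirectory module is installed.

```powershell
# Added example: decode the domain head's pwdProperties bitmask (read-only audit).
# Flag constants are the published DOMAIN_PASSWORD_* values from lmaccess.h.
$PwdPropertyFlags = [ordered]@{
    DOMAIN_PASSWORD_COMPLEX         = 0x00000001  # complexity rules enforced
    DOMAIN_PASSWORD_NO_ANON_CHANGE  = 0x00000002  # must log on to change password
    DOMAIN_PASSWORD_NO_CLEAR_CHANGE = 0x00000004  # no cleartext password-change calls
    DOMAIN_LOCKOUT_ADMINS           = 0x00000008  # built-in admins can be locked out
    DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x00000010  # reversible encryption (risky)
    DOMAIN_REFUSE_PASSWORD_CHANGE   = 0x00000020  # users may not change password
}

function Get-PwdPropertyFlags {
    # Returns the names of all flags set in a pwdProperties value.
    param([Parameter(Mandatory)][int]$Value)
    foreach ($name in $PwdPropertyFlags.Keys) {
        if (($Value -band $PwdPropertyFlags[$name]) -ne 0) { $name }
    }
}

function Test-AuditorRecommendations {
    # Reports the two flags the auditor asked about, plus one that should
    # normally be clear, without changing anything in the directory.
    param([Parameter(Mandatory)][int]$Value)
    $set = @(Get-PwdPropertyFlags -Value $Value)
    [pscustomobject]@{
        pwdProperties        = ('0x{0:X8}' -f $Value)
        FlagsSet             = ($set -join ', ')
        MustLogOnToChange    = $set -contains 'DOMAIN_PASSWORD_NO_ANON_CHANGE'
        NoCleartextChange    = $set -contains 'DOMAIN_PASSWORD_NO_CLEAR_CHANGE'
        ReversibleEncryption = $set -contains 'DOMAIN_PASSWORD_STORE_CLEARTEXT'
    }
}

# Constructed sample: complexity on and NO_ANON_CHANGE set, NO_CLEAR_CHANGE clear.
$sampleValue = 0x00000003
Test-AuditorRecommendations -Value $sampleValue | Format-List

# Live read against the domain head (requires the ActiveDirectory module; read-only):
# $dom = Get-ADObject -Identity (Get-ADDomain).DistinguishedName -Properties pwdProperties
# Test-AuditorRecommendations -Value $dom.pwdProperties | Format-List
```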
 
Joe Richards [MVP]

Ah I should have known... I know what you are talking about now.

Just the same, if the settings aren't exposed via the GUI, don't monkey
with them. I got some word back on changing passwords while not logged
in, and one of the reasons is that this causes issues when an account is
expired.

I am trying to recall the details around NO_CLEAR, as this stuff really
hasn't been much discussed since NT4, but if it is actually implemented
(I am not positive it is), it would break any complexity and length rules
you have in place because the DC wouldn't be able to validate.
 
eric hela

Thank you Joe. Very much appreciated.
