Enable reversible encryption for a specific user.

study · Jun 24, 2008

The default domain policy's password policy has "enable reversible encrypted
password" disabled and since there can be only one account policy per domain,
this one takes precedence right?

I found this though "To enable reversibly encrypted passwords for a specific
user you can modify their User Properties -> Account options -> enable Store
Password using Reversible Encryption. You must then reset their password."
Does this work? I thought that the defaul domain policy's password policy
always takes precedence and will win if there's a conflict with another
setting such as this.

Thanks.

Steve Riley [MSFT] · Jun 24, 2008

Yes, you can enable this on a per-user basis as you describe.

What requires you to do this? Just curious...

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

"study" <study@discussions.microsoft.com> wrote in message
news:262DADC8-6924-46C6-AB67-29B51E030B60@microsoft.com...
> The default domain policy's password policy has "enable reversible
> encrypted
> password" disabled and since there can be only one account policy per
> domain,
> this one takes precedence right?
>
> I found this though "To enable reversibly encrypted passwords for a
> specific
> user you can modify their User Properties -> Account options -> enable
> Store
> Password using Reversible Encryption. You must then reset their password."
> Does this work? I thought that the defaul domain policy's password policy
> always takes precedence and will win if there's a conflict with another
> setting such as this.
>
> Thanks.

study · Jun 25, 2008

Thanks. Some legacy application needs it...
Since kerberos settings ex) Maximum lifetime for service ticket, Maximum
lifetime for user ticket renewal, and Maximum tolerance for computer clock
synchronization are part of the account policy, there can only be one
kerberos settings per domain right (usually set at the default domain policy)?

"Steve Riley [MSFT]" wrote:

> Yes, you can enable this on a per-user basis as you describe.
>
> What requires you to do this? Just curious...
>
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com
>
>
>
> "study" <study@discussions.microsoft.com> wrote in message
> news:262DADC8-6924-46C6-AB67-29B51E030B60@microsoft.com...
> > The default domain policy's password policy has "enable reversible
> > encrypted
> > password" disabled and since there can be only one account policy per
> > domain,
> > this one takes precedence right?
> >
> > I found this though "To enable reversibly encrypted passwords for a
> > specific
> > user you can modify their User Properties -> Account options -> enable
> > Store
> > Password using Reversible Encryption. You must then reset their password."
> > Does this work? I thought that the defaul domain policy's password policy
> > always takes precedence and will win if there's a conflict with another
> > setting such as this.
> >
> > Thanks.
>

Steve Riley [MSFT] · Jun 25, 2008

The reversible encryption setting has nothing to do with Kerberos. You can
keep your domain policy at the default and enable per-user reversible
encryption on individual accounts.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

"study" <study@discussions.microsoft.com> wrote in message
news:CFAE46D1-D21E-489E-ABB9-2A9893458AA4@microsoft.com...
> Thanks. Some legacy application needs it...
> Since kerberos settings ex) Maximum lifetime for service ticket, Maximum
> lifetime for user ticket renewal, and Maximum tolerance for computer clock
> synchronization are part of the account policy, there can only be one
> kerberos settings per domain right (usually set at the default domain
> policy)?
>
>
> "Steve Riley [MSFT]" wrote:
>
>> Yes, you can enable this on a per-user basis as you describe.
>>
>> What requires you to do this? Just curious...
>>
>>
>> --
>> Steve Riley
>> steve.riley@microsoft.com
>> http://blogs.technet.com/steriley
>> http://www.protectyourwindowsnetwork.com
>>
>>
>>
>> "study" <study@discussions.microsoft.com> wrote in message
>> news:262DADC8-6924-46C6-AB67-29B51E030B60@microsoft.com...
>> > The default domain policy's password policy has "enable reversible
>> > encrypted
>> > password" disabled and since there can be only one account policy per
>> > domain,
>> > this one takes precedence right?
>> >
>> > I found this though "To enable reversibly encrypted passwords for a
>> > specific
>> > user you can modify their User Properties -> Account options -> enable
>> > Store
>> > Password using Reversible Encryption. You must then reset their
>> > password."
>> > Does this work? I thought that the defaul domain policy's password
>> > policy
>> > always takes precedence and will win if there's a conflict with another
>> > setting such as this.
>> >
>> > Thanks.
>>

study · Jun 25, 2008

I was asking whether kerberos settings were per domain based (one policy per
domain) as well...

"Steve Riley [MSFT]" wrote:

> The reversible encryption setting has nothing to do with Kerberos. You can
> keep your domain policy at the default and enable per-user reversible
> encryption on individual accounts.
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com
>
>
>
> "study" <study@discussions.microsoft.com> wrote in message
> news:CFAE46D1-D21E-489E-ABB9-2A9893458AA4@microsoft.com...
> > Thanks. Some legacy application needs it...
> > Since kerberos settings ex) Maximum lifetime for service ticket, Maximum
> > lifetime for user ticket renewal, and Maximum tolerance for computer clock
> > synchronization are part of the account policy, there can only be one
> > kerberos settings per domain right (usually set at the default domain
> > policy)?
> >
> >
> > "Steve Riley [MSFT]" wrote:
> >
> >> Yes, you can enable this on a per-user basis as you describe.
> >>
> >> What requires you to do this? Just curious...
> >>
> >>
> >> --
> >> Steve Riley
> >> steve.riley@microsoft.com
> >> http://blogs.technet.com/steriley
> >> http://www.protectyourwindowsnetwork.com
> >>
> >>
> >>
> >> "study" <study@discussions.microsoft.com> wrote in message
> >> news:262DADC8-6924-46C6-AB67-29B51E030B60@microsoft.com...
> >> > The default domain policy's password policy has "enable reversible
> >> > encrypted
> >> > password" disabled and since there can be only one account policy per
> >> > domain,
> >> > this one takes precedence right?
> >> >
> >> > I found this though "To enable reversibly encrypted passwords for a
> >> > specific
> >> > user you can modify their User Properties -> Account options -> enable
> >> > Store
> >> > Password using Reversible Encryption. You must then reset their
> >> > password."
> >> > Does this work? I thought that the defaul domain policy's password
> >> > policy
> >> > always takes precedence and will win if there's a conflict with another
> >> > setting such as this.
> >> >
> >> > Thanks.
> >>

Steve Riley [MSFT] · Jun 25, 2008

Ah. Yes, Kerberos policies are per-domain only.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

"study" <study@discussions.microsoft.com> wrote in message
news:51EFC844-9DC0-4FEE-BF81-6F2A90962BFB@microsoft.com...
> I was asking whether kerberos settings were per domain based (one policy
> per
> domain) as well...
>
>
> "Steve Riley [MSFT]" wrote:
>
>> The reversible encryption setting has nothing to do with Kerberos. You
>> can
>> keep your domain policy at the default and enable per-user reversible
>> encryption on individual accounts.
>>
>> --
>> Steve Riley
>> steve.riley@microsoft.com
>> http://blogs.technet.com/steriley
>> http://www.protectyourwindowsnetwork.com
>>
>>
>>
>> "study" <study@discussions.microsoft.com> wrote in message
>> news:CFAE46D1-D21E-489E-ABB9-2A9893458AA4@microsoft.com...
>> > Thanks. Some legacy application needs it...
>> > Since kerberos settings ex) Maximum lifetime for service ticket,
>> > Maximum
>> > lifetime for user ticket renewal, and Maximum tolerance for computer
>> > clock
>> > synchronization are part of the account policy, there can only be one
>> > kerberos settings per domain right (usually set at the default domain
>> > policy)?
>> >
>> >
>> > "Steve Riley [MSFT]" wrote:
>> >
>> >> Yes, you can enable this on a per-user basis as you describe.
>> >>
>> >> What requires you to do this? Just curious...
>> >>
>> >>
>> >> --
>> >> Steve Riley
>> >> steve.riley@microsoft.com
>> >> http://blogs.technet.com/steriley
>> >> http://www.protectyourwindowsnetwork.com
>> >>
>> >>
>> >>
>> >> "study" <study@discussions.microsoft.com> wrote in message
>> >> news:262DADC8-6924-46C6-AB67-29B51E030B60@microsoft.com...
>> >> > The default domain policy's password policy has "enable reversible
>> >> > encrypted
>> >> > password" disabled and since there can be only one account policy
>> >> > per
>> >> > domain,
>> >> > this one takes precedence right?
>> >> >
>> >> > I found this though "To enable reversibly encrypted passwords for a
>> >> > specific
>> >> > user you can modify their User Properties -> Account options ->
>> >> > enable
>> >> > Store
>> >> > Password using Reversible Encryption. You must then reset their
>> >> > password."
>> >> > Does this work? I thought that the defaul domain policy's password
>> >> > policy
>> >> > always takes precedence and will win if there's a conflict with
>> >> > another
>> >> > setting such as this.
>> >> >
>> >> > Thanks.
>> >>