Enable reversible encryption for a specific user.

S

study

Guest
The default domain policy's password policy has "enable reversible encrypted

password" disabled and since there can be only one account policy per domain,

this one takes precedence right?

I found this though "To enable reversibly encrypted passwords for a specific

user you can modify their User Properties -> Account options -> enable Store

Password using Reversible Encryption. You must then reset their password."

Does this work? I thought that the defaul domain policy's password policy

always takes precedence and will win if there's a conflict with another

setting such as this.

Thanks.

 
S

Steve Riley [MSFT]

Guest
Yes, you can enable this on a per-user basis as you describe.

What requires you to do this? Just curious...

--

Steve Riley

steve.riley@microsoft.com

http://blogs.technet.com/steriley

http://www.protectyourwindowsnetwork.com

"study" <study@discussions.microsoft.com> wrote in message

news:262DADC8-6924-46C6-AB67-29B51E030B60@microsoft.com...<span style="color:blue">

> The default domain policy's password policy has "enable reversible

> encrypted

> password" disabled and since there can be only one account policy per

> domain,

> this one takes precedence right?

>

> I found this though "To enable reversibly encrypted passwords for a

> specific

> user you can modify their User Properties -> Account options -> enable

> Store

> Password using Reversible Encryption. You must then reset their password."

> Does this work? I thought that the defaul domain policy's password policy

> always takes precedence and will win if there's a conflict with another

> setting such as this.

>

> Thanks. </span>

 
S

study

Guest
Thanks. Some legacy application needs it...

Since kerberos settings ex) Maximum lifetime for service ticket, Maximum

lifetime for user ticket renewal, and Maximum tolerance for computer clock

synchronization are part of the account policy, there can only be one

kerberos settings per domain right (usually set at the default domain policy)?

"Steve Riley [MSFT]" wrote:

<span style="color:blue">

> Yes, you can enable this on a per-user basis as you describe.

>

> What requires you to do this? Just curious...

>

>

> --

> Steve Riley

> steve.riley@microsoft.com

> http://blogs.technet.com/steriley

> http://www.protectyourwindowsnetwork.com

>

>

>

> "study" <study@discussions.microsoft.com> wrote in message

> news:262DADC8-6924-46C6-AB67-29B51E030B60@microsoft.com...<span style="color:green">

> > The default domain policy's password policy has "enable reversible

> > encrypted

> > password" disabled and since there can be only one account policy per

> > domain,

> > this one takes precedence right?

> >

> > I found this though "To enable reversibly encrypted passwords for a

> > specific

> > user you can modify their User Properties -> Account options -> enable

> > Store

> > Password using Reversible Encryption. You must then reset their password."

> > Does this work? I thought that the defaul domain policy's password policy

> > always takes precedence and will win if there's a conflict with another

> > setting such as this.

> >

> > Thanks. </span>

> </span>

 
S

Steve Riley [MSFT]

Guest
The reversible encryption setting has nothing to do with Kerberos. You can

keep your domain policy at the default and enable per-user reversible

encryption on individual accounts.

--

Steve Riley

steve.riley@microsoft.com

http://blogs.technet.com/steriley

http://www.protectyourwindowsnetwork.com

"study" <study@discussions.microsoft.com> wrote in message

news:CFAE46D1-D21E-489E-ABB9-2A9893458AA4@microsoft.com...<span style="color:blue">

> Thanks. Some legacy application needs it...

> Since kerberos settings ex) Maximum lifetime for service ticket, Maximum

> lifetime for user ticket renewal, and Maximum tolerance for computer clock

> synchronization are part of the account policy, there can only be one

> kerberos settings per domain right (usually set at the default domain

> policy)?

>

>

> "Steve Riley [MSFT]" wrote:

><span style="color:green">

>> Yes, you can enable this on a per-user basis as you describe.

>>

>> What requires you to do this? Just curious...

>>

>>

>> --

>> Steve Riley

>> steve.riley@microsoft.com

>> http://blogs.technet.com/steriley

>> http://www.protectyourwindowsnetwork.com

>>

>>

>>

>> "study" <study@discussions.microsoft.com> wrote in message

>> news:262DADC8-6924-46C6-AB67-29B51E030B60@microsoft.com...<span style="color:darkred">

>> > The default domain policy's password policy has "enable reversible

>> > encrypted

>> > password" disabled and since there can be only one account policy per

>> > domain,

>> > this one takes precedence right?

>> >

>> > I found this though "To enable reversibly encrypted passwords for a

>> > specific

>> > user you can modify their User Properties -> Account options -> enable

>> > Store

>> > Password using Reversible Encryption. You must then reset their

>> > password."

>> > Does this work? I thought that the defaul domain policy's password

>> > policy

>> > always takes precedence and will win if there's a conflict with another

>> > setting such as this.

>> >

>> > Thanks.</span>

>> </span></span>

 
S

study

Guest
I was asking whether kerberos settings were per domain based (one policy per

domain) as well...

"Steve Riley [MSFT]" wrote:

<span style="color:blue">

> The reversible encryption setting has nothing to do with Kerberos. You can

> keep your domain policy at the default and enable per-user reversible

> encryption on individual accounts.

>

> --

> Steve Riley

> steve.riley@microsoft.com

> http://blogs.technet.com/steriley

> http://www.protectyourwindowsnetwork.com

>

>

>

> "study" <study@discussions.microsoft.com> wrote in message

> news:CFAE46D1-D21E-489E-ABB9-2A9893458AA4@microsoft.com...<span style="color:green">

> > Thanks. Some legacy application needs it...

> > Since kerberos settings ex) Maximum lifetime for service ticket, Maximum

> > lifetime for user ticket renewal, and Maximum tolerance for computer clock

> > synchronization are part of the account policy, there can only be one

> > kerberos settings per domain right (usually set at the default domain

> > policy)?

> >

> >

> > "Steve Riley [MSFT]" wrote:

> ><span style="color:darkred">

> >> Yes, you can enable this on a per-user basis as you describe.

> >>

> >> What requires you to do this? Just curious...

> >>

> >>

> >> --

> >> Steve Riley

> >> steve.riley@microsoft.com

> >> http://blogs.technet.com/steriley

> >> http://www.protectyourwindowsnetwork.com

> >>

> >>

> >>

> >> "study" <study@discussions.microsoft.com> wrote in message

> >> news:262DADC8-6924-46C6-AB67-29B51E030B60@microsoft.com...

> >> > The default domain policy's password policy has "enable reversible

> >> > encrypted

> >> > password" disabled and since there can be only one account policy per

> >> > domain,

> >> > this one takes precedence right?

> >> >

> >> > I found this though "To enable reversibly encrypted passwords for a

> >> > specific

> >> > user you can modify their User Properties -> Account options -> enable

> >> > Store

> >> > Password using Reversible Encryption. You must then reset their

> >> > password."

> >> > Does this work? I thought that the defaul domain policy's password

> >> > policy

> >> > always takes precedence and will win if there's a conflict with another

> >> > setting such as this.

> >> >

> >> > Thanks.

> >> </span></span></span>

 
S

Steve Riley [MSFT]

Guest
Ah. Yes, Kerberos policies are per-domain only.

--

Steve Riley

steve.riley@microsoft.com

http://blogs.technet.com/steriley

http://www.protectyourwindowsnetwork.com

"study" <study@discussions.microsoft.com> wrote in message

news:51EFC844-9DC0-4FEE-BF81-6F2A90962BFB@microsoft.com...<span style="color:blue">

> I was asking whether kerberos settings were per domain based (one policy

> per

> domain) as well...

>

>

> "Steve Riley [MSFT]" wrote:

><span style="color:green">

>> The reversible encryption setting has nothing to do with Kerberos. You

>> can

>> keep your domain policy at the default and enable per-user reversible

>> encryption on individual accounts.

>>

>> --

>> Steve Riley

>> steve.riley@microsoft.com

>> http://blogs.technet.com/steriley

>> http://www.protectyourwindowsnetwork.com

>>

>>

>>

>> "study" <study@discussions.microsoft.com> wrote in message

>> news:CFAE46D1-D21E-489E-ABB9-2A9893458AA4@microsoft.com...<span style="color:darkred">

>> > Thanks. Some legacy application needs it...

>> > Since kerberos settings ex) Maximum lifetime for service ticket,

>> > Maximum

>> > lifetime for user ticket renewal, and Maximum tolerance for computer

>> > clock

>> > synchronization are part of the account policy, there can only be one

>> > kerberos settings per domain right (usually set at the default domain

>> > policy)?

>> >

>> >

>> > "Steve Riley [MSFT]" wrote:

>> >

>> >> Yes, you can enable this on a per-user basis as you describe.

>> >>

>> >> What requires you to do this? Just curious...

>> >>

>> >>

>> >> --

>> >> Steve Riley

>> >> steve.riley@microsoft.com

>> >> http://blogs.technet.com/steriley

>> >> http://www.protectyourwindowsnetwork.com

>> >>

>> >>

>> >>

>> >> "study" <study@discussions.microsoft.com> wrote in message

>> >> news:262DADC8-6924-46C6-AB67-29B51E030B60@microsoft.com...

>> >> > The default domain policy's password policy has "enable reversible

>> >> > encrypted

>> >> > password" disabled and since there can be only one account policy

>> >> > per

>> >> > domain,

>> >> > this one takes precedence right?

>> >> >

>> >> > I found this though "To enable reversibly encrypted passwords for a

>> >> > specific

>> >> > user you can modify their User Properties -> Account options ->

>> >> > enable

>> >> > Store

>> >> > Password using Reversible Encryption. You must then reset their

>> >> > password."

>> >> > Does this work? I thought that the defaul domain policy's password

>> >> > policy

>> >> > always takes precedence and will win if there's a conflict with

>> >> > another

>> >> > setting such as this.

>> >> >

>> >> > Thanks.

>> >> </span></span></span>

 
You must log in or register to reply here.
Top Bottom