Guest study Posted June 24, 2008 Posted June 24, 2008 The default domain policy's password policy has "enable reversible encrypted password" disabled and since there can be only one account policy per domain, this one takes precedence right? I found this though "To enable reversibly encrypted passwords for a specific user you can modify their User Properties -> Account options -> enable Store Password using Reversible Encryption. You must then reset their password." Does this work? I thought that the defaul domain policy's password policy always takes precedence and will win if there's a conflict with another setting such as this. Thanks. Quote
Guest Steve Riley [MSFT] Posted June 25, 2008 Posted June 25, 2008 Yes, you can enable this on a per-user basis as you describe. What requires you to do this? Just curious... -- Steve Riley steve.riley@microsoft.com http://blogs.technet.com/steriley http://www.protectyourwindowsnetwork.com "study" <study@discussions.microsoft.com> wrote in message news:262DADC8-6924-46C6-AB67-29B51E030B60@microsoft.com...<span style="color:blue"> > The default domain policy's password policy has "enable reversible > encrypted > password" disabled and since there can be only one account policy per > domain, > this one takes precedence right? > > I found this though "To enable reversibly encrypted passwords for a > specific > user you can modify their User Properties -> Account options -> enable > Store > Password using Reversible Encryption. You must then reset their password." > Does this work? I thought that the defaul domain policy's password policy > always takes precedence and will win if there's a conflict with another > setting such as this. > > Thanks. </span> Quote
Guest study Posted June 25, 2008 Posted June 25, 2008 Thanks. Some legacy application needs it... Since kerberos settings ex) Maximum lifetime for service ticket, Maximum lifetime for user ticket renewal, and Maximum tolerance for computer clock synchronization are part of the account policy, there can only be one kerberos settings per domain right (usually set at the default domain policy)? "Steve Riley [MSFT]" wrote: <span style="color:blue"> > Yes, you can enable this on a per-user basis as you describe. > > What requires you to do this? Just curious... > > > -- > Steve Riley > steve.riley@microsoft.com > http://blogs.technet.com/steriley > http://www.protectyourwindowsnetwork.com > > > > "study" <study@discussions.microsoft.com> wrote in message > news:262DADC8-6924-46C6-AB67-29B51E030B60@microsoft.com...<span style="color:green"> > > The default domain policy's password policy has "enable reversible > > encrypted > > password" disabled and since there can be only one account policy per > > domain, > > this one takes precedence right? > > > > I found this though "To enable reversibly encrypted passwords for a > > specific > > user you can modify their User Properties -> Account options -> enable > > Store > > Password using Reversible Encryption. You must then reset their password." > > Does this work? I thought that the defaul domain policy's password policy > > always takes precedence and will win if there's a conflict with another > > setting such as this. > > > > Thanks. </span> > </span> Quote
Guest Steve Riley [MSFT] Posted June 25, 2008 Posted June 25, 2008 The reversible encryption setting has nothing to do with Kerberos. You can keep your domain policy at the default and enable per-user reversible encryption on individual accounts. -- Steve Riley steve.riley@microsoft.com http://blogs.technet.com/steriley http://www.protectyourwindowsnetwork.com "study" <study@discussions.microsoft.com> wrote in message news:CFAE46D1-D21E-489E-ABB9-2A9893458AA4@microsoft.com...<span style="color:blue"> > Thanks. Some legacy application needs it... > Since kerberos settings ex) Maximum lifetime for service ticket, Maximum > lifetime for user ticket renewal, and Maximum tolerance for computer clock > synchronization are part of the account policy, there can only be one > kerberos settings per domain right (usually set at the default domain > policy)? > > > "Steve Riley [MSFT]" wrote: ><span style="color:green"> >> Yes, you can enable this on a per-user basis as you describe. >> >> What requires you to do this? Just curious... >> >> >> -- >> Steve Riley >> steve.riley@microsoft.com >> http://blogs.technet.com/steriley >> http://www.protectyourwindowsnetwork.com >> >> >> >> "study" <study@discussions.microsoft.com> wrote in message >> news:262DADC8-6924-46C6-AB67-29B51E030B60@microsoft.com...<span style="color:darkred"> >> > The default domain policy's password policy has "enable reversible >> > encrypted >> > password" disabled and since there can be only one account policy per >> > domain, >> > this one takes precedence right? >> > >> > I found this though "To enable reversibly encrypted passwords for a >> > specific >> > user you can modify their User Properties -> Account options -> enable >> > Store >> > Password using Reversible Encryption. You must then reset their >> > password." >> > Does this work? I thought that the defaul domain policy's password >> > policy >> > always takes precedence and will win if there's a conflict with another >> > setting such as this. >> > >> > Thanks.</span> >> </span></span> Quote
Guest study Posted June 26, 2008 Posted June 26, 2008 I was asking whether kerberos settings were per domain based (one policy per domain) as well... "Steve Riley [MSFT]" wrote: <span style="color:blue"> > The reversible encryption setting has nothing to do with Kerberos. You can > keep your domain policy at the default and enable per-user reversible > encryption on individual accounts. > > -- > Steve Riley > steve.riley@microsoft.com > http://blogs.technet.com/steriley > http://www.protectyourwindowsnetwork.com > > > > "study" <study@discussions.microsoft.com> wrote in message > news:CFAE46D1-D21E-489E-ABB9-2A9893458AA4@microsoft.com...<span style="color:green"> > > Thanks. Some legacy application needs it... > > Since kerberos settings ex) Maximum lifetime for service ticket, Maximum > > lifetime for user ticket renewal, and Maximum tolerance for computer clock > > synchronization are part of the account policy, there can only be one > > kerberos settings per domain right (usually set at the default domain > > policy)? > > > > > > "Steve Riley [MSFT]" wrote: > ><span style="color:darkred"> > >> Yes, you can enable this on a per-user basis as you describe. > >> > >> What requires you to do this? Just curious... > >> > >> > >> -- > >> Steve Riley > >> steve.riley@microsoft.com > >> http://blogs.technet.com/steriley > >> http://www.protectyourwindowsnetwork.com > >> > >> > >> > >> "study" <study@discussions.microsoft.com> wrote in message > >> news:262DADC8-6924-46C6-AB67-29B51E030B60@microsoft.com... > >> > The default domain policy's password policy has "enable reversible > >> > encrypted > >> > password" disabled and since there can be only one account policy per > >> > domain, > >> > this one takes precedence right? > >> > > >> > I found this though "To enable reversibly encrypted passwords for a > >> > specific > >> > user you can modify their User Properties -> Account options -> enable > >> > Store > >> > Password using Reversible Encryption. You must then reset their > >> > password." > >> > Does this work? I thought that the defaul domain policy's password > >> > policy > >> > always takes precedence and will win if there's a conflict with another > >> > setting such as this. > >> > > >> > Thanks. > >> </span></span></span> Quote
Guest Steve Riley [MSFT] Posted June 26, 2008 Posted June 26, 2008 Ah. Yes, Kerberos policies are per-domain only. -- Steve Riley steve.riley@microsoft.com http://blogs.technet.com/steriley http://www.protectyourwindowsnetwork.com "study" <study@discussions.microsoft.com> wrote in message news:51EFC844-9DC0-4FEE-BF81-6F2A90962BFB@microsoft.com...<span style="color:blue"> > I was asking whether kerberos settings were per domain based (one policy > per > domain) as well... > > > "Steve Riley [MSFT]" wrote: ><span style="color:green"> >> The reversible encryption setting has nothing to do with Kerberos. You >> can >> keep your domain policy at the default and enable per-user reversible >> encryption on individual accounts. >> >> -- >> Steve Riley >> steve.riley@microsoft.com >> http://blogs.technet.com/steriley >> http://www.protectyourwindowsnetwork.com >> >> >> >> "study" <study@discussions.microsoft.com> wrote in message >> news:CFAE46D1-D21E-489E-ABB9-2A9893458AA4@microsoft.com...<span style="color:darkred"> >> > Thanks. Some legacy application needs it... >> > Since kerberos settings ex) Maximum lifetime for service ticket, >> > Maximum >> > lifetime for user ticket renewal, and Maximum tolerance for computer >> > clock >> > synchronization are part of the account policy, there can only be one >> > kerberos settings per domain right (usually set at the default domain >> > policy)? >> > >> > >> > "Steve Riley [MSFT]" wrote: >> > >> >> Yes, you can enable this on a per-user basis as you describe. >> >> >> >> What requires you to do this? Just curious... >> >> >> >> >> >> -- >> >> Steve Riley >> >> steve.riley@microsoft.com >> >> http://blogs.technet.com/steriley >> >> http://www.protectyourwindowsnetwork.com >> >> >> >> >> >> >> >> "study" <study@discussions.microsoft.com> wrote in message >> >> news:262DADC8-6924-46C6-AB67-29B51E030B60@microsoft.com... >> >> > The default domain policy's password policy has "enable reversible >> >> > encrypted >> >> > password" disabled and since there can be only one account policy >> >> > per >> >> > domain, >> >> > this one takes precedence right? >> >> > >> >> > I found this though "To enable reversibly encrypted passwords for a >> >> > specific >> >> > user you can modify their User Properties -> Account options -> >> >> > enable >> >> > Store >> >> > Password using Reversible Encryption. You must then reset their >> >> > password." >> >> > Does this work? I thought that the defaul domain policy's password >> >> > policy >> >> > always takes precedence and will win if there's a conflict with >> >> > another >> >> > setting such as this. >> >> > >> >> > Thanks. >> >> </span></span></span> Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.