Enable reversible encryption for a specific user.

S

study

The default domain policy's password policy has "enable reversible encrypted
password" disabled and since there can be only one account policy per domain,
this one takes precedence right?

I found this though "To enable reversibly encrypted passwords for a specific
user you can modify their User Properties -> Account options -> enable Store
Password using Reversible Encryption. You must then reset their password."
Does this work? I thought that the defaul domain policy's password policy
always takes precedence and will win if there's a conflict with another
setting such as this.

Thanks.
 
S

Steve Riley [MSFT]

Yes, you can enable this on a per-user basis as you describe.

What requires you to do this? Just curious...


--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"study" <study@discussions.microsoft.com> wrote in message
news:262DADC8-6924-46C6-AB67-29B51E030B60@microsoft.com...
> The default domain policy's password policy has "enable reversible
> encrypted
> password" disabled and since there can be only one account policy per
> domain,
> this one takes precedence right?
>
> I found this though "To enable reversibly encrypted passwords for a
> specific
> user you can modify their User Properties -> Account options -> enable
> Store
> Password using Reversible Encryption. You must then reset their password."
> Does this work? I thought that the defaul domain policy's password policy
> always takes precedence and will win if there's a conflict with another
> setting such as this.
>
> Thanks.
 
S

study

Thanks. Some legacy application needs it...
Since kerberos settings ex) Maximum lifetime for service ticket, Maximum
lifetime for user ticket renewal, and Maximum tolerance for computer clock
synchronization are part of the account policy, there can only be one
kerberos settings per domain right (usually set at the default domain policy)?


"Steve Riley [MSFT]" wrote:

> Yes, you can enable this on a per-user basis as you describe.
>
> What requires you to do this? Just curious...
>
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com
>
>
>
> "study" <study@discussions.microsoft.com> wrote in message
> news:262DADC8-6924-46C6-AB67-29B51E030B60@microsoft.com...
> > The default domain policy's password policy has "enable reversible
> > encrypted
> > password" disabled and since there can be only one account policy per
> > domain,
> > this one takes precedence right?
> >
> > I found this though "To enable reversibly encrypted passwords for a
> > specific
> > user you can modify their User Properties -> Account options -> enable
> > Store
> > Password using Reversible Encryption. You must then reset their password."
> > Does this work? I thought that the defaul domain policy's password policy
> > always takes precedence and will win if there's a conflict with another
> > setting such as this.
> >
> > Thanks.
>
 
S

Steve Riley [MSFT]

The reversible encryption setting has nothing to do with Kerberos. You can
keep your domain policy at the default and enable per-user reversible
encryption on individual accounts.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"study" <study@discussions.microsoft.com> wrote in message
news:CFAE46D1-D21E-489E-ABB9-2A9893458AA4@microsoft.com...
> Thanks. Some legacy application needs it...
> Since kerberos settings ex) Maximum lifetime for service ticket, Maximum
> lifetime for user ticket renewal, and Maximum tolerance for computer clock
> synchronization are part of the account policy, there can only be one
> kerberos settings per domain right (usually set at the default domain
> policy)?
>
>
> "Steve Riley [MSFT]" wrote:
>
>> Yes, you can enable this on a per-user basis as you describe.
>>
>> What requires you to do this? Just curious...
>>
>>
>> --
>> Steve Riley
>> steve.riley@microsoft.com
>> http://blogs.technet.com/steriley
>> http://www.protectyourwindowsnetwork.com
>>
>>
>>
>> "study" <study@discussions.microsoft.com> wrote in message
>> news:262DADC8-6924-46C6-AB67-29B51E030B60@microsoft.com...
>> > The default domain policy's password policy has "enable reversible
>> > encrypted
>> > password" disabled and since there can be only one account policy per
>> > domain,
>> > this one takes precedence right?
>> >
>> > I found this though "To enable reversibly encrypted passwords for a
>> > specific
>> > user you can modify their User Properties -> Account options -> enable
>> > Store
>> > Password using Reversible Encryption. You must then reset their
>> > password."
>> > Does this work? I thought that the defaul domain policy's password
>> > policy
>> > always takes precedence and will win if there's a conflict with another
>> > setting such as this.
>> >
>> > Thanks.
>>
 
S

study

I was asking whether kerberos settings were per domain based (one policy per
domain) as well...


"Steve Riley [MSFT]" wrote:

> The reversible encryption setting has nothing to do with Kerberos. You can
> keep your domain policy at the default and enable per-user reversible
> encryption on individual accounts.
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com
>
>
>
> "study" <study@discussions.microsoft.com> wrote in message
> news:CFAE46D1-D21E-489E-ABB9-2A9893458AA4@microsoft.com...
> > Thanks. Some legacy application needs it...
> > Since kerberos settings ex) Maximum lifetime for service ticket, Maximum
> > lifetime for user ticket renewal, and Maximum tolerance for computer clock
> > synchronization are part of the account policy, there can only be one
> > kerberos settings per domain right (usually set at the default domain
> > policy)?
> >
> >
> > "Steve Riley [MSFT]" wrote:
> >
> >> Yes, you can enable this on a per-user basis as you describe.
> >>
> >> What requires you to do this? Just curious...
> >>
> >>
> >> --
> >> Steve Riley
> >> steve.riley@microsoft.com
> >> http://blogs.technet.com/steriley
> >> http://www.protectyourwindowsnetwork.com
> >>
> >>
> >>
> >> "study" <study@discussions.microsoft.com> wrote in message
> >> news:262DADC8-6924-46C6-AB67-29B51E030B60@microsoft.com...
> >> > The default domain policy's password policy has "enable reversible
> >> > encrypted
> >> > password" disabled and since there can be only one account policy per
> >> > domain,
> >> > this one takes precedence right?
> >> >
> >> > I found this though "To enable reversibly encrypted passwords for a
> >> > specific
> >> > user you can modify their User Properties -> Account options -> enable
> >> > Store
> >> > Password using Reversible Encryption. You must then reset their
> >> > password."
> >> > Does this work? I thought that the defaul domain policy's password
> >> > policy
> >> > always takes precedence and will win if there's a conflict with another
> >> > setting such as this.
> >> >
> >> > Thanks.
> >>
 
S

Steve Riley [MSFT]

Ah. Yes, Kerberos policies are per-domain only.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"study" <study@discussions.microsoft.com> wrote in message
news:51EFC844-9DC0-4FEE-BF81-6F2A90962BFB@microsoft.com...
> I was asking whether kerberos settings were per domain based (one policy
> per
> domain) as well...
>
>
> "Steve Riley [MSFT]" wrote:
>
>> The reversible encryption setting has nothing to do with Kerberos. You
>> can
>> keep your domain policy at the default and enable per-user reversible
>> encryption on individual accounts.
>>
>> --
>> Steve Riley
>> steve.riley@microsoft.com
>> http://blogs.technet.com/steriley
>> http://www.protectyourwindowsnetwork.com
>>
>>
>>
>> "study" <study@discussions.microsoft.com> wrote in message
>> news:CFAE46D1-D21E-489E-ABB9-2A9893458AA4@microsoft.com...
>> > Thanks. Some legacy application needs it...
>> > Since kerberos settings ex) Maximum lifetime for service ticket,
>> > Maximum
>> > lifetime for user ticket renewal, and Maximum tolerance for computer
>> > clock
>> > synchronization are part of the account policy, there can only be one
>> > kerberos settings per domain right (usually set at the default domain
>> > policy)?
>> >
>> >
>> > "Steve Riley [MSFT]" wrote:
>> >
>> >> Yes, you can enable this on a per-user basis as you describe.
>> >>
>> >> What requires you to do this? Just curious...
>> >>
>> >>
>> >> --
>> >> Steve Riley
>> >> steve.riley@microsoft.com
>> >> http://blogs.technet.com/steriley
>> >> http://www.protectyourwindowsnetwork.com
>> >>
>> >>
>> >>
>> >> "study" <study@discussions.microsoft.com> wrote in message
>> >> news:262DADC8-6924-46C6-AB67-29B51E030B60@microsoft.com...
>> >> > The default domain policy's password policy has "enable reversible
>> >> > encrypted
>> >> > password" disabled and since there can be only one account policy
>> >> > per
>> >> > domain,
>> >> > this one takes precedence right?
>> >> >
>> >> > I found this though "To enable reversibly encrypted passwords for a
>> >> > specific
>> >> > user you can modify their User Properties -> Account options ->
>> >> > enable
>> >> > Store
>> >> > Password using Reversible Encryption. You must then reset their
>> >> > password."
>> >> > Does this work? I thought that the defaul domain policy's password
>> >> > policy
>> >> > always takes precedence and will win if there's a conflict with
>> >> > another
>> >> > setting such as this.
>> >> >
>> >> > Thanks.
>> >>
 
You must log in or register to reply here.

Similar threads

P
Is it possible to enable encryption and other essential features without a microsoft account? Machine has no network.
Replies
0
Views
60
Paul Pine
P
A
  • Article
Announcing Windows 11 Insider Preview Build 27695 (Canary Channel)
Replies
0
Views
67
Amanda Langowski
A
P
  • Article
Update on the Recall preview feature for Copilot+ PCs
Replies
0
Views
62
Pavan Davuluri
P
D
  • Article
Update on Recall security and privacy architecture
Replies
0
Views
47
David Weston, Vice President Enterprise and OS
D
E
How to create a user profile without logging in?
Replies
0
Views
107
ElvinMammadov3
E
Back
Top Bottom