Changing the Active Directory password setting "Reversible Encryption": effect on existing accounts
There is a setting in the Active Directory password policy to turn "reversible encryption" on or off. Currently I have this feature turned on, and I am planning to turn it off. What effect will this have on the existing accounts? Will they no longer be able to log in? Will they be forced to change their password on next login? What should I expect?
Nothing immediate will happen. The reversible password is stored separately from the normal password so the passwords will keep working.
I think starting with Windows 2008, if you disable this option then the domain controllers will wipe out the reversible passwords for all affected users. Prior to Windows 2008 the password would stick around until the user changes their password, at which time the reversible copy is deleted.
The passwords will continue to be stored using reversible encryption until that password is updated. All users will be able to log in.
What you should do is to change this setting and then expire everyone's passwords, so that they must change them, and thus have a non-reversible hash stored.
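The two-step procedure in this answer (confirm the setting is off, then expire passwords so each account is re-stored as a one-way hash) as an added PowerShell example; it is not from the original answers and assumes the RSAT ActiveDirectory module, a domain that uses the default domain policy, and rights to read the policy and modify user accounts.

```powershell
# Added example (not from the original answers). Assumes the RSAT ActiveDirectory
# module and rights to modify the domain password policy and user accounts.
Import-Module ActiveDirectory

# 1. Check the domain-wide setting (default domain policy).
$policy = Get-ADDefaultDomainPasswordPolicy
if ($policy.ReversibleEncryptionEnabled) {
    Write-Warning "ReversibleEncryptionEnabled is still TRUE in the default domain policy; disable it (Group Policy or Set-ADDefaultDomainPasswordPolicy -ReversibleEncryptionEnabled `$false) before expiring passwords."
}

# 2. The domain-wide policy is independent of the per-account flag
#    (userAccountControl bit 0x80, ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED).
#    Find accounts that still have the per-account flag set.
$flagged = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' `
                      -Properties AllowReversiblePasswordEncryption, PasswordLastSet, PasswordNeverExpires
Write-Host ("{0} account(s) still allow reversible encryption per-account" -f @($flagged).Count)

# 3. Clear the flag on those accounts.
foreach ($u in $flagged) {
    Set-ADUser -Identity $u -AllowReversiblePasswordEncryption $false -WhatIf   # drop -WhatIf to apply
}

# 4. Expire passwords so the next change stores only a one-way hash.
#    The answer suggests expiring everyone's; this targets enabled users.
#    Accounts with PasswordNeverExpires are skipped here because a forced
#    change-at-logon cannot be set on them; review those separately.
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordNeverExpires, PasswordLastSet
foreach ($u in $users) {
    if ($u.PasswordNeverExpires) {
        Write-Warning ("{0}: PasswordNeverExpires is set; review manually" -f $u.SamAccountName)
        continue
    }
    # Sets pwdLastSet to 0, forcing a change at next interactive logon.
    Set-ADUser -Identity $u -ChangePasswordAtLogon $true -WhatIf                 # drop -WhatIf to apply
}

# 5. Afterwards, any account whose PasswordLastSet predates the policy change
#    still holds a reversibly encrypted copy (pre-2008 DC behaviour in the other
#    answer); re-run this report until the list is empty.
$cutoff = Get-Date   # replace with the date the setting was disabled
Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet |
    Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff } |
    Select-Object SamAccountName, PasswordLastSet
```

Run it once with `-WhatIf` to review the affected accounts, then remove the `-WhatIf` switches to apply the changes.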