Changing Active Directory Password Setting "Reversible Encryption" Effect on existing accounts

password active-directory

There is a setting in active directory password to turn on or off "reversible encryption". Currently I have this feature turned on, and I am planning to turn it off. What effect will this have on the existing accounts? Will they no longer be able to log in? Will they be forced to change their password on next login? What should I expect?


Nothing immediate will happen. The reversible password is stored separately from the normal password so the passwords will keep working.

I think starting with Windows 2008, if you disable this option then the domain controllers will wipe out the reversible passwords for all affected users. Prior to Windows 2008 the password would stick around until the user changes their password, at which time the reversible copy is deleted.


The passwords will continue to be stored using reversible encryption until that password is updated. All users will be able to log in.

What you should do is to change this setting and then expire everyone's passwords, so that they must change them, and thus have a non-reversible hash stored.

Related

How to save DHCP option 43 on Windows 2008 server?
Growing a RAID5 using mdadm with multiple drives?
Disabling CPU management
Port Forwarding with iptables is not working
Guaranteed recurrence in any finite system?
5 pears and 1 apple cost as much as 2 pears and 2 apples. If each apple costs $0.75,find the total cost of 100 pears and 450 apples.
When is the projection of an ellipsoid a circle?
Integral Involving Gaussian Q function and exponential
Solving Laplace's equation $\triangle u = 0$ in the semi-infinite strip $S = \{(x,y): 0 < x < 1, 0 < y\}$
Confusion about lift in the context of tangent bundle
Number of subgroups of order $2^n$ in the powerset equipped with symmetric difference
proof that a line XO, where X is equidistant from A,B,C is perpendicular to the plane P