Password encryption

This policy controls whether the password stored in AD is encrypted or not.

If you enable this policy, you MUST also specify an encryption key for password encryption. This is the public key string returned by the Get-AdmPwdPublicKey cmdlet.

If you disable or do not configure this policy, passwords are stored in AD in clear text.

IMPORTANT:
This policy allows you to specify two types of encryption key:
- Legacy encryption key: CryptoAPI-based key used by pre-7.6.x.x versions of the solution
- Encryption key: CNG-based encryption key that is the standard in solution version 7.6.x.x and newer

This allows older and newer clients to coexist.

Note:
If you enable password encryption, make sure that the configured password length does not exceed the maximum length allowed by the encryption algorithm. The maximum password length depends on the public key size and can be estimated from the table below:

Key size      Max password length
---------     -------------------
512 bits      11 chars
1024 bits     43 chars
2048 bits     107 chars
3192 bits     179 chars
4096 bits     471 chars

Note:
Encryption is considered FIPS compliant only if the key size is at least 2048 bits.


Supported on: At least Windows Vista
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: Software\Policies\Microsoft Services\AdmPwd
Value Name: PwdEncryptionEnabled
Value Type: REG_DWORD
Enabled Value: 1
Disabled Value: 0

Encryption key (CNG)

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: Software\Policies\Microsoft Services\AdmPwd
Value Name: EncryptionKey
Value Type: REG_SZ
Default Value: (empty)

Legacy (CryptoAPI) encryption key

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: Software\Policies\Microsoft Services\AdmPwd
Value Name: PublicKey
Value Type: REG_SZ
Default Value: (empty)
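The following PowerShell function is an added audit example, not part of the AdmPwd.E solution or its ADMX. It reads the three registry values listed above from a managed machine and reports the misconfigurations the notes warn about: encryption enabled with no key, no CNG key for 7.6.x.x and newer clients, a key below the 2048-bit FIPS threshold, and a configured password length above what the key size allows. Two assumptions not stated on this page: the configured password length is read from a REG_DWORD named PasswordLength under the same policy key, and the key size is passed in by the caller, because the page does not document the format of the key string returned by Get-AdmPwdPublicKey.

```powershell
function Test-AdmPwdEncryptionPolicy {
    [CmdletBinding()]
    param(
        # Policy key from the registry entries above (HKEY_LOCAL_MACHINE hive)
        [string]$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd',

        # Bit length of the key you generated with Get-AdmPwdPublicKey.
        # Assumption: the key-string format is not documented here, so the
        # size is supplied by the caller rather than parsed from the value.
        [ValidateSet(512, 1024, 2048, 3192, 4096)]
        [int]$KeySizeBits = 2048
    )

    # Maximum password length per key size, taken from the table above
    $maxLen = @{ 512 = 11; 1024 = 43; 2048 = 107; 3192 = 179; 4096 = 471 }
    $findings = [System.Collections.Generic.List[string]]::new()

    $p = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue

    # Disabled or not configured: value absent or 0 -> clear-text storage in AD
    if ($null -eq $p -or $null -eq $p.PwdEncryptionEnabled -or [int]$p.PwdEncryptionEnabled -ne 1) {
        $findings.Add('PwdEncryptionEnabled is not 1: passwords are stored in AD in clear text')
        return $findings
    }

    # CNG key (EncryptionKey) and legacy CryptoAPI key (PublicKey) may coexist,
    # but at least one of them must be present when encryption is enabled
    $hasCng    = -not [string]::IsNullOrWhiteSpace($p.EncryptionKey)
    $hasLegacy = -not [string]::IsNullOrWhiteSpace($p.PublicKey)

    if (-not ($hasCng -or $hasLegacy)) {
        $findings.Add('Encryption is enabled but neither EncryptionKey nor PublicKey is set')
    }
    elseif ($hasLegacy -and -not $hasCng) {
        $findings.Add('Only the legacy CryptoAPI key (PublicKey) is set; set EncryptionKey for 7.6.x.x and newer clients')
    }

    if ($KeySizeBits -lt 2048) {
        $findings.Add("Key size $KeySizeBits bits is below the 2048-bit minimum for FIPS compliance")
    }

    # Assumption: PasswordLength is the REG_DWORD holding the configured password length
    if ($null -ne $p.PasswordLength -and [int]$p.PasswordLength -gt $maxLen[$KeySizeBits]) {
        $findings.Add("PasswordLength $($p.PasswordLength) exceeds the $($maxLen[$KeySizeBits]) chars allowed for a $KeySizeBits-bit key")
    }

    return $findings
}

# Usage: run on a domain-joined machine after gpupdate; an empty result means no findings.
# Test-AdmPwdEncryptionPolicy -KeySizeBits 2048
```

The function reads the policy hive only, so it reports what Group Policy actually delivered to the client rather than what the GPO editor shows; run it on a member machine after the policy has applied. Because the key size cannot be verified from the string, treat the FIPS and length checks as sanity checks against the size you intended to generate, not as proof of the key that was deployed.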

admpwd.e.admx