Password encryption

This policy controls whether the password stored in AD is encrypted or not.

If you enable this policy, you MUST also specify an encryption key for password encryption. This is the public key string returned by the Get-AdmPwdPublicKey cmdlet.

If you disable or do not configure this policy, passwords are stored in AD in clear text.

This policy allows you to specify two types of encryption key:
- Legacy encryption key: CryptoAPI-based key used by pre-7.5.2.x versions of the solution
- Encryption key: CNG-based encryption key that is standard in solution version 7.5.2.x and newer

This allows older and newer clients to coexist.

* Password length vs. encryption key length
If you enable password encryption, make sure that the configured password length does not exceed the maximum length allowed by the encryption algorithm. The maximum password length depends on the public key size and can be estimated from the table below:

Key Size    Max password length
---------   -------------------
512 bits    11 chars
1024 bits   43 chars
2048 bits   107 chars
3192 bits   179 chars
4096 bits   471 chars

* FIPS compliance
Encryption is considered FIPS compliant if the key size is at least 2048 bits.

Supported on: At least Windows Vista

Registry Path:  Software\Policies\Microsoft Services\AdmPwd
Value Name:     PwdEncryptionEnabled
Enabled Value:  1
Disabled Value: 0

Encryption key

Registry Path:  Software\Policies\Microsoft Services\AdmPwd
Value Name:     EncryptionKey
Value Type:     REG_SZ
Default Value:  (empty)
Legacy (CryptoAPI) encryption key

Registry Path:  Software\Policies\Microsoft Services\AdmPwd
Value Name:     PublicKey
Value Type:     REG_SZ
Default Value:  (empty)
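As an added example (not part of the AdmPwd.E documentation or product code), the following PowerShell function reads the three registry values listed above on a managed machine and reports whether password encryption is actually in force: the policy is only effective when PwdEncryptionEnabled is 1 and at least one key value (EncryptionKey for CNG, PublicKey for the legacy CryptoAPI key) is populated. It assumes the policy path is rooted at HKLM: (the page gives only the relative path) and does not parse the key string, whose format the page does not document, so the 2048-bit FIPS minimum still has to be confirmed separately against the key returned by Get-AdmPwdPublicKey.

```powershell
# Added audit example; not part of the AdmPwd.E policy documentation.
# Assumption: the policy values are applied under HKLM (the page lists only
# the relative path "Software\Policies\Microsoft Services\AdmPwd").
function Test-AdmPwdEncryptionPolicy {
    [CmdletBinding()]
    param(
        [string]$PolicyPath = 'HKLM:\Software\Policies\Microsoft Services\AdmPwd'
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # Policy key absent: "not configured", which the page says means clear-text storage.
    if (-not (Test-Path -Path $PolicyPath)) {
        $findings.Add("Policy key '$PolicyPath' not found: policy not configured, passwords are stored in clear text.")
        return [pscustomobject]@{
            Enabled      = $false
            HasCngKey    = $false
            HasLegacyKey = $false
            Effective    = $false
            Findings     = $findings
        }
    }

    $props = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue

    # PwdEncryptionEnabled: 1 = enabled, 0 = disabled; a missing value is treated as 0.
    $enabled = if ($null -ne $props.PwdEncryptionEnabled) { [int]$props.PwdEncryptionEnabled -eq 1 } else { $false }

    # EncryptionKey (REG_SZ) = CNG key for 7.5.2.x and newer; PublicKey (REG_SZ) = legacy CryptoAPI key.
    $hasCng    = -not [string]::IsNullOrWhiteSpace([string]$props.EncryptionKey)
    $hasLegacy = -not [string]::IsNullOrWhiteSpace([string]$props.PublicKey)

    if (-not $enabled) {
        $findings.Add('PwdEncryptionEnabled is 0 or missing: passwords are stored in clear text.')
    }
    elseif (-not ($hasCng -or $hasLegacy)) {
        # The page requires a key whenever the policy is enabled.
        $findings.Add('PwdEncryptionEnabled is 1 but neither EncryptionKey nor PublicKey is set: policy is misconfigured.')
    }
    else {
        if ($hasCng)    { $findings.Add('CNG encryption key (EncryptionKey) is configured.') }
        if ($hasLegacy) { $findings.Add('Legacy CryptoAPI key (PublicKey) is configured for pre-7.5.2.x clients.') }
        $findings.Add('Key size is not parsed here; confirm it is at least 2048 bits for FIPS compliance.')
    }

    [pscustomobject]@{
        Enabled      = $enabled
        HasCngKey    = $hasCng
        HasLegacyKey = $hasLegacy
        Effective    = ($enabled -and ($hasCng -or $hasLegacy))
        Findings     = $findings
    }
}

# Usage: run on a domain-joined machine after a gpupdate and inspect the result.
$result = Test-AdmPwdEncryptionPolicy
$result | Format-List
```

The Effective property is the one worth alerting on from a compliance script: it is $true only when the enable flag and a key are both present, which is the combination the policy text requires.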