This policy controls whether the password stored in AD is encrypted.
If you enable this policy, you MUST also specify an encryption key for password encryption. This is the public key string returned by the Get-AdmPwdPublicKey cmdlet.
If you disable or do not configure this policy, passwords are stored in AD in clear text.
IMPORTANT:
This policy allows you to specify two types of encryption key:
- Legacy encryption key: CryptoAPI based key used by pre-7.5.2.x versions of the solution
- Encryption key: CNG based encryption key that is standard in solution version 7.5.2.x and newer
Specifying both keys allows older and newer clients to coexist.
REMARKS
* Password length vs. encryption key length
-----------------------------------------
If you enable password encryption, make sure that the configured password length does not exceed the maximum length the encryption algorithm allows for the key in use; a password longer than that limit cannot be encrypted with the key. The maximum password length depends on the public key size and can be estimated from the table below:
Key Size     Max password length
---------    -------------------
512 bits     11 chars
1024 bits    43 chars
2048 bits    107 chars
3192 bits    179 chars
4096 bits    471 chars
* FIPS compliance
---------------
Encryption is considered FIPS compliant only if the key size is at least 2048 bits.
Registry values written by this policy:

Registry Hive  | HKEY_LOCAL_MACHINE
Registry Path  | Software\Policies\Microsoft Services\AdmPwd
Value Name     | PwdEncryptionEnabled
Value Type     | REG_DWORD
Enabled Value  | 1
Disabled Value | 0

Registry Hive  | HKEY_LOCAL_MACHINE
Registry Path  | Software\Policies\Microsoft Services\AdmPwd
Value Name     | EncryptionKey
Value Type     | REG_SZ
Default Value  | (none)

Registry Hive  | HKEY_LOCAL_MACHINE
Registry Path  | Software\Policies\Microsoft Services\AdmPwd
Value Name     | PublicKey
Value Type     | REG_SZ
Default Value  | (none)
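The following PowerShell audit is an added example for this page; it is not part of the AdmPwd.E product or its documentation. It reads the registry values listed above and reports the conditions the description warns about: encryption disabled (clear-text storage), encryption enabled with no key, only one of the two key types present, a key below the 2048-bit FIPS threshold, and a configured password length above the limit in the table for the key size. Three things are assumptions, not facts from the page: that a PasswordLength REG_DWORD under the same policy path holds the configured password length, that PublicKey carries the legacy CryptoAPI key and EncryptionKey the CNG key, and that the administrator supplies the key size with -KeyBits (the page does not describe the key string format, so the size is not derived from the string).

```powershell
# Added example; not part of AdmPwd.E or its documentation.
# Audits the "Enable password encryption" policy values described on this page.
#
# Assumptions (not stated on the page):
#  - 'PasswordLength' under the same policy path is the configured password length.
#  - 'PublicKey' holds the legacy CryptoAPI key, 'EncryptionKey' the CNG key.
#  - The key size in bits is supplied by the administrator via -KeyBits.

$script:AdmPwdPolicyPath = 'HKLM:\Software\Policies\Microsoft Services\AdmPwd'

# Maximum password length per key size, copied from the table on this page.
$script:MaxPasswordLengthByKeyBits = @{
    512 = 11; 1024 = 43; 2048 = 107; 3192 = 179; 4096 = 471
}

function Get-AdmPwdEncryptionSettings {
    # Reads the live policy values into a hashtable (missing values become $null).
    param([string]$Path = $script:AdmPwdPolicyPath)
    $p = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    return @{
        PwdEncryptionEnabled = $p.PwdEncryptionEnabled
        EncryptionKey        = $p.EncryptionKey
        PublicKey            = $p.PublicKey
        PasswordLength       = $p.PasswordLength   # assumed value name
    }
}

function Test-AdmPwdEncryptionSettings {
    param(
        [Parameter(Mandatory)][hashtable]$Settings,
        [ValidateSet(512, 1024, 2048, 3192, 4096)]
        [int]$KeyBits = 2048
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # Disabled or not configured: the page states passwords are then stored in clear text.
    if ([int]$Settings.PwdEncryptionEnabled -ne 1) {
        $findings.Add('WARN: password encryption is disabled or not configured; passwords are stored in AD in clear text.')
        return $findings   # the remaining checks only apply when encryption is on
    }

    $hasCng    = -not [string]::IsNullOrWhiteSpace($Settings.EncryptionKey)
    $hasLegacy = -not [string]::IsNullOrWhiteSpace($Settings.PublicKey)

    if (-not ($hasCng -or $hasLegacy)) {
        $findings.Add('ERROR: encryption is enabled but no encryption key is specified (a key is required).')
    } elseif (-not $hasCng) {
        $findings.Add('INFO: only the legacy CryptoAPI key is set; clients 7.5.2.x and newer use the CNG encryption key.')
    } elseif (-not $hasLegacy) {
        $findings.Add('INFO: only the CNG key is set; clients older than 7.5.2.x use the legacy CryptoAPI key.')
    }

    # FIPS threshold from the page: at least 2048 bits.
    if ($KeyBits -lt 2048) {
        $findings.Add("WARN: a $KeyBits-bit key is not FIPS compliant (2048 bits minimum).")
    }

    # Password length versus the per-key-size limit from the page's table.
    $max = $script:MaxPasswordLengthByKeyBits[$KeyBits]
    if ($null -ne $Settings.PasswordLength -and [int]$Settings.PasswordLength -gt $max) {
        $findings.Add("ERROR: configured password length $($Settings.PasswordLength) exceeds the $max-character limit for a $KeyBits-bit key.")
    }
    return $findings
}

# Constructed sample input (placeholder string, not a real key): encryption enabled,
# CNG key only, 1024-bit key, 64-character password policy. Yields three findings:
# the INFO about the missing legacy key, the FIPS WARN, and the length ERROR (64 > 43).
$sample = @{
    PwdEncryptionEnabled = 1
    EncryptionKey        = 'BASE64-PUBLIC-KEY-PLACEHOLDER'
    PublicKey            = $null
    PasswordLength       = 64
}
Test-AdmPwdEncryptionSettings -Settings $sample -KeyBits 1024 | ForEach-Object { Write-Output $_ }

# Live audit on a machine that has the policy applied (uncomment to run):
# Test-AdmPwdEncryptionSettings -Settings (Get-AdmPwdEncryptionSettings) -KeyBits 2048
```

Run the live audit on a domain-joined client after a `gpupdate /force`; an empty result means encryption is enabled, a key of each type is present, the key meets the FIPS minimum, and the password length policy fits under the table's limit for that key size.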