I'm reviewing our complex password policy that was set up by a previous admin and I'm trying to gain some clarification on the setting for Reversible Encryption. In our organization, reversible encryption is not needed and should be disabled. When I review the GPO that's in place, I can see the following for the setting:

Store passwords using reversible encryption: Not Defined

My understanding is that if it's set to 'Not Defined', then the default value is set to Disabled but maybe I'm incorrect on this. When I run rsop on my system, it reflects the Not Defined status.

Where I'm a bit confused, though, is when I run the PS cmdlet Get-ADDefaultDomainPasswordPolicy: I'm seeing the ReversibleEncryptionEnabled property set to True.

Shouldn't this be reflective of Disabled, per how my Password Policy GPO is configured?

030
Dave

1 Answer

That means the setting was Enabled at one time, then changed to Not Configured.

You will need to change the setting to Disabled to revert back.

You may also want to enable the setting:

Administrative Templates > System > Group Policy Security Policy Processing: Process even if the group policy objects have not changed

And do the same for Registry Policy Processing if you want to make sure that settings are applied consistently.

Greg Askew
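
To confirm where reversible password storage is still switched on, the following read-only audit is an added example, not part of the original question or answer. It goes beyond the domain-wide value discussed above and also checks fine-grained password policies and per-account flags; the function name `Get-ReversibleEncryptionAudit` is hypothetical, and the script assumes the ActiveDirectory (RSAT) module and a domain-joined session.

```powershell
# Added example: read-only audit of every place reversible password storage can be enabled.
# Assumes the ActiveDirectory module (RSAT) and read access to the current domain.
Import-Module ActiveDirectory

function Get-ReversibleEncryptionAudit {
    [CmdletBinding()]
    param()

    # 1. Domain-wide value, as reported by Get-ADDefaultDomainPasswordPolicy.
    #    This is the property the question saw as True while the GPO
    #    showed "Not Defined".
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        Scope   = 'DomainPolicy'
        Name    = $domainPolicy.DistinguishedName
        Enabled = $domainPolicy.ReversibleEncryptionEnabled
    }

    # 2. Fine-grained password policies carry their own copy of the setting
    #    and override the domain policy for the users and groups they apply to.
    Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
        [pscustomobject]@{
            Scope   = 'FineGrainedPolicy'
            Name    = $_.Name
            Enabled = $_.ReversibleEncryptionEnabled
        }
    }

    # 3. Per-account override: userAccountControl bit 0x80 (128),
    #    ENCRYPTED_TEXT_PWD_ALLOWED, i.e. the account option
    #    "Store password using reversible encryption".
    Get-ADUser -Filter 'userAccountControl -band 128' | ForEach-Object {
        [pscustomobject]@{
            Scope   = 'UserAccount'
            Name    = $_.SamAccountName
            Enabled = $true
        }
    }
}

# List only the places where the setting is still on.
Get-ReversibleEncryptionAudit | Where-Object Enabled | Format-Table -AutoSize
```

Once the GPO setting has been changed to Disabled and policy has been reapplied, the DomainPolicy row should no longer appear in the output.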