Brent,
I don't think it's a good idea to store reversibly encrypted passwords
in AD, especially since they get replicated to DCs which you not be able
to physically secure.
However, you can use the password filter DLL to intercept password changes,
and dynamically store the new passwords away
-
MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.
-Original Message-From: Wilhelm, Brent
[mailto:[EMAIL PROTECTED] Sent: Tuesday, August 26, 2003 7:02
PMTo: [EMAIL PROTECTED]Subject: [ActiveDir] -
reverse encryption of ad passwords
Hey
everybody
Seielstad
[mailto:[EMAIL PROTECTED] Sent: Wednesday, August 27,
2003 7:02 AMTo: [EMAIL PROTECTED]Subject: RE:
[ActiveDir] - reverse encryption of ad passwords
Well, Win2k and later include the Internet Authentication Service,
which IS RADIUS for Windows using AD as the database. I believe
ailto:[EMAIL PROTECTED] On Behalf Of Wilhelm,
BrentSent: Tuesday, August 26, 2003 6:02 PMTo:
[EMAIL PROTECTED]Subject: [ActiveDir] - reverse encryption
of ad passwords
Hey
everybody,
Our network engineer is pushing us to turn on reverse encryption at the root
level so that he can stand up a
Rick,
Thanks for the info, I will look into it
ASAP.
Brent
-Original Message-
From: Rick Kingslan
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 27, 2003
9:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] - reverse
encryption of ad passwords
Brent,
I can't
Hey
everybody,
Our
network engineer is pushing us to turn on reverse encryption at the root level
so that he can stand up a third party radius server against it.
Everything
that my guys (server guys) have found says not to do it unless you absolutely have
to because it stores
