Understanding DOMAIN_PASSWORD_NO_ANON_CHANGE


hiteshrb

Hi All,

The DOMAIN_PASSWORD_NO_ANON_CHANGE bit in pwdProperties means "The
password cannot be changed without logging on". What are the
implications of this control? Does it mean that the password cannot be
changed by a Java application?

Thanks,
HB
 
It means passwords can't be changed anonymously; you have to have a
valid logon session. That means even if you know the old password to an
account you cannot change the password unless you are logged in.
Microsoft stopped exposing this setting with Windows 2000 as it can
break things. The specifics I don't recall but there was quite an uproar
about it back in about May/June of 2000 and MSFT explained why it needed
to be done.

My recommendation is to not futz around with it unless Microsoft
supplies a tool to do so.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
It might also break the functionality of changing the password during the
logon process, when a user is prompted "Your password will expire in xx
days, do you want to change?". This password change is performed before
logon is completed and is therefore done anonymously.


--
Kind regards,

Erik Cheizoo
eXcellence & Difference - we keep your business running
============================================
Always test in a non-production environment before implementing
Guidelines for posting: http://support.microsoft.com/?id=555375
============================================
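
Added example, not part of the thread: a small Python decoder for the pwdProperties bit mask discussed above, useful for checking whether DOMAIN_PASSWORD_NO_ANON_CHANGE is set on a value read from the domain object. The flag values are the ones Microsoft documents for pwdProperties; the function names and sample values are constructed for illustration.

```python
"""Decode an Active Directory pwdProperties value (added example)."""
from enum import IntFlag


class PwdProperties(IntFlag):
    # Bit values as documented by Microsoft for the pwdProperties attribute.
    DOMAIN_PASSWORD_COMPLEX = 0x01
    DOMAIN_PASSWORD_NO_ANON_CHANGE = 0x02
    DOMAIN_PASSWORD_NO_CLEAR_CHANGE = 0x04
    DOMAIN_LOCKOUT_ADMINS = 0x08
    DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x10
    DOMAIN_REFUSE_PASSWORD_CHANGE = 0x20


# Every bit this decoder knows about (0x3F).
KNOWN_MASK = sum(flag.value for flag in PwdProperties)


def decode_pwd_properties(raw):
    """Return (flag names that are set, leftover unknown bits).

    LDAP clients usually return the attribute as a decimal string,
    so both str and int inputs are accepted.
    """
    value = int(str(raw).strip())
    if value < 0:
        value &= 0xFFFFFFFF  # attribute is a signed 32-bit integer in LDAP
    names = [flag.name for flag in PwdProperties if value & flag.value]
    return names, value & ~KNOWN_MASK


def anon_change_blocked(raw):
    """True when password changes require an existing logon session."""
    names, _ = decode_pwd_properties(raw)
    return "DOMAIN_PASSWORD_NO_ANON_CHANGE" in names


if __name__ == "__main__":
    # Constructed sample values, not taken from a real domain.
    for sample in ("1", "3", 65):
        names, unknown = decode_pwd_properties(sample)
        print(sample, names, "unknown bits: 0x%X" % unknown,
              "anon change blocked:", anon_change_blocked(sample))
```
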
 