User-Password attribute
Applies to: desktop apps only
The user's password in UTF-8 format. This is a write-only attribute.
| CN | User-Password |
|---|---|
| Ldap-Display-Name | userPassword |
| Size | - |
| Update Privilege | Domain administrator or account owner. |
| Update Frequency | - |
| Attribute-Id | 2.5.4.35 |
| System-Id-Guid | bf967a6e-0de6-11d0-a285-00aa003049e2 |
| Syntax | Object(Replica-Link) |
Implementations
- Windows 2000 Server
- Windows Server 2003
- ADAM
- Windows Server 2003 R2
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 8 Beta
Windows 2000 Server
| Link-Id | - |
|---|---|
| MAPI-Id | 0x8153 |
| System-Only | False |
| Is-Single-Valued | False |
| Is Indexed | False |
| In Global Catalog | False |
| NT-Security-Descriptor | O:BAG:BAD:S: |
| Range-Lower | 1 |
| Range-Upper | 128 |
| Search-Flags | 0x00000000 |
| System-Flags | 0x00000010 |
| Classes used in | Organization, Organizational-Unit, Person |
Windows Server 2003
| Link-Id | - |
|---|---|
| MAPI-Id | 0x8153 |
| System-Only | False |
| Is-Single-Valued | False |
| Is Indexed | False |
| In Global Catalog | False |
| NT-Security-Descriptor | O:BAG:BAD:S: |
| Range-Lower | 1 |
| Range-Upper | 128 |
| Search-Flags | 0x00000000 |
| System-Flags | 0x00000010 |
| Classes used in | Organization, Organizational-Unit, Person, simpleSecurityObject |
ADAM
| Link-Id | - |
|---|---|
| MAPI-Id | 0x8153 |
| System-Only | False |
| Is-Single-Valued | False |
| Is Indexed | False |
| In Global Catalog | False |
| NT-Security-Descriptor | O:BAG:BAD:S: |
| Range-Lower | 1 |
| Range-Upper | 128 |
| Search-Flags | 0x00000000 |
| System-Flags | 0x00000010 |
| Classes used in | Organization, Organizational-Unit |
Windows Server 2003 R2
| Link-Id | - |
|---|---|
| MAPI-Id | 0x8153 |
| System-Only | False |
| Is-Single-Valued | False |
| Is Indexed | False |
| In Global Catalog | False |
| NT-Security-Descriptor | O:BAG:BAD:S: |
| Range-Lower | 1 |
| Range-Upper | 128 |
| Search-Flags | 0x00000000 |
| System-Flags | 0x00000010 |
| Classes used in | Organization, Organizational-Unit, Person, simpleSecurityObject, posixAccount, shadowAccount, posixGroup |
Windows Server 2008
| Link-Id | - |
|---|---|
| MAPI-Id | 0x8153 |
| System-Only | False |
| Is-Single-Valued | False |
| Is Indexed | False |
| In Global Catalog | False |
| NT-Security-Descriptor | O:BAG:BAD:S: |
| Range-Lower | 1 |
| Range-Upper | 128 |
| Search-Flags | 0x00000000 |
| System-Flags | 0x00000010 |
| Classes used in | Organization, Organizational-Unit, Person, simpleSecurityObject, posixAccount, shadowAccount, posixGroup |
Windows Server 2008 R2
| Link-Id | - |
|---|---|
| MAPI-Id | 0x8153 |
| System-Only | False |
| Is-Single-Valued | False |
| Is Indexed | False |
| In Global Catalog | False |
| NT-Security-Descriptor | O:BAG:BAD:S: |
| Range-Lower | 1 |
| Range-Upper | 128 |
| Search-Flags | 0x00000000 |
| System-Flags | 0x00000010 |
| Classes used in | Organization, Organizational-Unit, Person, simpleSecurityObject, posixAccount, shadowAccount, posixGroup |
Windows Server 8 Beta
| Link-Id | - |
|---|---|
| MAPI-Id | 0x8153 |
| System-Only | False |
| Is-Single-Valued | False |
| Is Indexed | False |
| In Global Catalog | False |
| NT-Security-Descriptor | O:BAG:BAD:S: |
| Range-Lower | 1 |
| Range-Upper | 128 |
| Search-Flags | 0x00000000 |
| System-Flags | 0x00000010 |
| Classes used in | Organization, Organizational-Unit, Person, simpleSecurityObject, posixAccount, shadowAccount, posixGroup |
Build date: 2/3/2012
Additional information
By default, userpassword is just an attribute and Windows does not do anything to protect it. If the attribute is stand-alone and not linked to unicodePWD, then it is up to the application as to how the data is stored or encrypted.
http://msdn.microsoft.com/en-us/library/cc200470(PROT.10).aspx
Active Directory supports modifying passwords on objects via the userPassword attribute, provided that
(1) either the DC is running as AD LDS, or the DC is running as AD DS and the domain functional level is DS_BEHAVIOR_WIN2003 or greater,
and (2) fUserPwdSupport is true in the dSHeuristics attribute (section 7.1.1.2.4.1.2).
If fUserPwdSupport is false, the userPassword attribute is treated as an ordinary attribute and has no special semantics associated with it. If fUserPwdSupport is true but the DC is running as AD DS and the domain functional level is less than DS_BEHAVIOR_WIN2003, the DC fails the operation with the error constraintViolation.
- 9/1/2011
- rstamp
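The rules quoted in the note above, written out as a Python decision function for configuration review. This is an added example, not Microsoft's code. It assumes, from the MS-ADTS dSHeuristics definition rather than from this page, that fUserPwdSupport is the ninth character of dSHeuristics ("1" true, "2" false, otherwise false on AD DS and true on AD LDS) and that DS_BEHAVIOR_WIN2003 equals 2; the function names and sample directories are constructed.

```python
from enum import Enum

DS_BEHAVIOR_WIN2003 = 2  # assumed msDS-Behavior-Version value for this level


class Outcome(Enum):
    PASSWORD = "write is handled as a password change"
    ORDINARY = "value is stored as an ordinary attribute"
    CONSTRAINT_VIOLATION = "DC fails the write with constraintViolation"


def f_user_pwd_support(ds_heuristics, is_ad_lds):
    """Derive fUserPwdSupport from the dSHeuristics string (may be None)."""
    # Assumption (MS-ADTS, not this page): 9th character carries the flag.
    ch = ds_heuristics[8] if ds_heuristics and len(ds_heuristics) >= 9 else None
    if ch == "1":
        return True
    if ch == "2":
        return False
    return is_ad_lds  # unset or any other value: default depends on DC role


def user_password_write(ds_heuristics, is_ad_lds, domain_level):
    """Apply conditions (1) and (2) from the note to a userPassword write."""
    if not f_user_pwd_support(ds_heuristics, is_ad_lds):
        return Outcome.ORDINARY
    if is_ad_lds or (domain_level is not None
                     and domain_level >= DS_BEHAVIOR_WIN2003):
        return Outcome.PASSWORD
    return Outcome.CONSTRAINT_VIOLATION


# Constructed sample: (name, dSHeuristics, is AD LDS, domain functional level)
SAMPLE = [
    ("adds-default", None, False, 4),
    ("adds-enabled", "000000001", False, 4),
    ("adds-old-level", "000000001", False, 0),
    ("lds-default", None, True, None),
    ("lds-disabled", "000000002", True, None),
]


def audit(directories):
    """Names where userPassword has no special semantics, so any value
    written there is protected only by whatever the application does."""
    return [name for name, heur, lds, level in directories
            if user_password_write(heur, lds, level) is Outcome.ORDINARY]


if __name__ == "__main__":
    for name, heur, lds, level in SAMPLE:
        print(f"{name:15} {user_password_write(heur, lds, level).value}")
```

Directories returned by `audit` are the ones worth checking for applications that write credentials into userPassword themselves.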