Password Modify Operations

Active Directory provides the ability to change the password of a security principal (that is, the Windows password for that security principal) by performing LDAP Modify operations. The password change is modeled as an LDAP modify of either the unicodePwd or userPassword attribute of the security principal object. The difference between these two attributes is discussed in the sections that follow. However, regardless of whether the password is modified via unicodePwd or userPassword, the same attribute on the object is modified. If running as AD DS, both are treated like a write to the clearTextPassword attribute in [MS-SAMR] section If running as AD LDS, a write to userPassword updates unicodePwd.
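The following sketch is an added example, not code from the specification or from Microsoft. It goes beyond this page by assuming the unicodePwd rules from the later section, which are not reproduced here: the value is the password wrapped in double quotes and encoded as UTF-16LE, a user-initiated change is a delete of the old value plus an add of the new one, and an administrative reset is a single replace. The function names and the `Mod` tuple are hypothetical, and the passwords are constructed samples.

```python
"""Added example: shaping the LDAP Modify for unicodePwd (not Microsoft's code)."""
from typing import List, NamedTuple

# Operation codes from the LDAP ModifyRequest definition in RFC 4511.
LDAP_MOD_ADD, LDAP_MOD_DELETE, LDAP_MOD_REPLACE = 0, 1, 2


class Mod(NamedTuple):  # hypothetical container for one modification
    op: int
    attr: str
    values: List[bytes]


def encode_unicode_pwd(password: str) -> bytes:
    """Wrap the password in double quotes, then encode as UTF-16LE."""
    return ('"' + password + '"').encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Inverse of encode_unicode_pwd; rejects UTF-8 or unquoted values."""
    text = value.decode("utf-16-le")  # odd-length input raises ValueError
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not a quoted UTF-16LE string")
    return text[1:-1]


def change_password(old: str, new: str) -> List[Mod]:
    """User-initiated change: delete the old value, add the new one."""
    return [
        Mod(LDAP_MOD_DELETE, "unicodePwd", [encode_unicode_pwd(old)]),
        Mod(LDAP_MOD_ADD, "unicodePwd", [encode_unicode_pwd(new)]),
    ]


def reset_password(new: str) -> List[Mod]:
    """Administrative reset: a single replace, no old password supplied."""
    return [Mod(LDAP_MOD_REPLACE, "unicodePwd", [encode_unicode_pwd(new)])]


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for mod in change_password("Old-Sample-1", "New-Sample-2"):
        print(mod.op, mod.attr, mod.values[0].hex())
```

The modification lists map directly onto the modify call of whichever LDAP client library is in use, and `decode_unicode_pwd` catches the common client mistake of sending the value unquoted or in UTF-8.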