
3.1.1.8.5 clearTextPassword

  1. If the pwdProperties attribute value on the account domain object contains the DOMAIN_PASSWORD_NO_CLEAR_CHANGE bit, the server MUST abort the request and return an error status.

  2. If the RID of the objectSid attribute is DOMAIN_USER_RID_KRBTGT and the requesting protocol is a change-password protocol, the server MUST abort the request and return an error status.

  3. If the RID of the objectSid attribute is DOMAIN_USER_RID_KRBTGT and the requesting protocol is a set-password protocol, the value of clearTextPassword MUST be replaced with a randomly generated value that satisfies all criteria in section 3.1.1.7.2.

  4. The constraints in section 3.1.1.7.2 MUST be satisfied.

  5. The unicodePwd attribute MUST be updated with the NT hash of the new value.

  6. The dBCSPwd attribute MUST be updated with the LM hash of the new value.

  7. On a DC configuration, the supplementalCredentials attribute MUST be updated with the cleartext value (see section 3.1.1.8.11 for processing details on how supplementalCredentials is updated).
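
The ordering of steps 1 through 7 can be modeled as a small decision function, useful as a conformance check when implementing or testing a server. This is an added example, not code from the specification: the `"change"`/`"set"` protocol labels, the `meets_policy` callback (standing in for the section 3.1.1.7.2 constraints) and the `random_password` helper are assumptions, and hashing is represented only by the names of the attributes that would be updated.

```python
import secrets

# Values from the MS-SAMR constant tables.
DOMAIN_PASSWORD_NO_CLEAR_CHANGE = 0x00000004
DOMAIN_USER_RID_KRBTGT = 0x000001F6  # 502

class RequestAborted(Exception):
    """Models 'abort the request and return an error status'."""

def rid_of(object_sid):
    # The RID is the last sub-authority of the SID string.
    return int(object_sid.rsplit("-", 1)[1])

def random_password(meets_policy, attempts=100):
    # Hypothetical generator: retry until the policy callback accepts.
    for _ in range(attempts):
        candidate = secrets.token_urlsafe(32)
        if meets_policy(candidate):
            return candidate
    raise RequestAborted("could not generate a compliant password")

def process_clear_text_password(pwd_properties, object_sid, protocol,
                                clear_text_password, is_dc, meets_policy):
    """Returns (effective_password, attributes_to_update)."""
    # Step 1: the domain policy bit blocks the request outright.
    if pwd_properties & DOMAIN_PASSWORD_NO_CLEAR_CHANGE:
        raise RequestAborted("DOMAIN_PASSWORD_NO_CLEAR_CHANGE is set")
    if rid_of(object_sid) == DOMAIN_USER_RID_KRBTGT:
        # Step 2: krbtgt never accepts a change-password request.
        if protocol == "change":
            raise RequestAborted("change-password on krbtgt")
        # Step 3: on set-password the caller's value is discarded.
        if protocol == "set":
            clear_text_password = random_password(meets_policy)
    # Step 4: constraints apply to the effective value.
    if not meets_policy(clear_text_password):
        raise RequestAborted("password constraints not satisfied")
    # Steps 5 and 6: NT and LM hashes; step 7: cleartext on a DC only.
    attrs = ["unicodePwd", "dBCSPwd"]
    if is_dc:
        attrs.append("supplementalCredentials")
    return clear_text_password, attrs
```
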

© 2015 Microsoft