3.1.1.5 Password Settings Attributes for Originating Update Constraints

The following computed attributes are defined for each user object. These attributes are read-only.

Effective-LockoutObservationWindow: A 64-bit value with delta time syntax, indicating the time period in which bad password attempts are counted without resetting the count to zero.

Effective-LockoutDuration: A 64-bit value with delta time syntax, indicating the duration for which an account is locked out before being automatically reset to an unlocked state.

Effective-LockoutThreshold: A 16-bit unsigned integer indicating the number of bad password attempts within an Effective-LockoutObservationWindow that will cause an account to be locked out.

Effective-MaximumPasswordAge: A 64-bit value with delta time syntax, indicating the policy setting for the maximum time allowed before a password reset or change is required.

Effective-MinimumPasswordAge: A 64-bit value with delta time syntax, indicating the policy setting for the minimum time allowed before a password change operation is allowed.

Effective-MinimumPasswordLength: A 16-bit unsigned integer indicating the policy setting for the minimum number of characters allowed in a password.

Effective-PasswordComplexityEnabled: A Boolean value indicating that password complexity rules (as defined in section 3.1.1.7.1) are enabled for the user.

Effective-PasswordHistoryLength: A 16-bit unsigned integer indicating the policy setting for the password history length.

Effective-PasswordReversibleEncryptionEnabled: A Boolean value indicating that the user's cleartext password is to be stored in the supplementalCredentials attribute, as defined in section 3.1.1.8.11.

The values for these attributes on user objects are computed according to the following algorithm:

  1. If the server is in a DC configuration and the msDS-ResultantPSO computed attribute (as specified in [MS-ADTS] section 3.1.1.4.5.36) on the user object has value O, values are calculated as follows using attribute values on object O:<27>

    1. Effective-LockoutObservationWindow = msDS-LockoutObservationWindow

    2. Effective-LockoutDuration = msDS-LockoutDuration

    3. Effective-LockoutThreshold = msDS-LockoutThreshold

    4. Effective-MaximumPasswordAge = msDS-MaximumPasswordAge

    5. Effective-MinimumPasswordAge = msDS-MinimumPasswordAge

    6. Effective-MinimumPasswordLength = msDS-MinimumPasswordLength

    7. Effective-PasswordComplexityEnabled = msDS-PasswordComplexityEnabled

    8. Effective-PasswordHistoryLength = msDS-PasswordHistoryLength

    9. Effective-PasswordReversibleEncryptionEnabled = true if either of the following is true:

      • The value of msDS-PasswordReversibleEncryptionEnabled is true.

      • pwdProperties on the domain object contains DOMAIN_PASSWORD_STORE_CLEARTEXT.

        Otherwise, false.

  2. Otherwise, values are calculated as follows using attribute values on the domain object:

    1. Effective-LockoutObservationWindow = lockOutObservationWindow on the domain object.

    2. Effective-LockoutDuration = lockoutDuration on the domain object.

    3. Effective-LockoutThreshold = lockoutThreshold on the domain object.

    4. Effective-MaximumPasswordAge = maxPwdAge on the domain object.

    5. Effective-MinimumPasswordAge = minPwdAge on the domain object.

    6. Effective-MinimumPasswordLength = minPwdLength on the domain object.

    7. Effective-PasswordComplexityEnabled = true if pwdProperties on the domain object contains DOMAIN_PASSWORD_COMPLEX; otherwise, false.

    8. Effective-PasswordHistoryLength = pwdHistoryLength on the domain object.

    9. Effective-PasswordReversibleEncryptionEnabled = true if pwdProperties on the domain object contains DOMAIN_PASSWORD_STORE_CLEARTEXT; otherwise, false.
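
The algorithm above, as an added Python example (not part of the specification). It shows that under a PSO the complexity setting comes from the PSO alone, while reversible encryption stays enabled whenever the domain-wide flag is set. The dict-based object model, the function name and the sample values are assumptions made for illustration; the flag values are those defined for pwdProperties in [MS-SAMR].

```python
# Added illustration; objects are modelled as plain attribute dicts (assumption).
DOMAIN_PASSWORD_COMPLEX = 0x00000001          # pwdProperties flag
DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x00000010  # pwdProperties flag

# Effective-* suffix -> (attribute on the PSO, attribute on the domain object)
DIRECT = {
    "LockoutObservationWindow": ("msDS-LockoutObservationWindow", "lockOutObservationWindow"),
    "LockoutDuration": ("msDS-LockoutDuration", "lockoutDuration"),
    "LockoutThreshold": ("msDS-LockoutThreshold", "lockoutThreshold"),
    "MaximumPasswordAge": ("msDS-MaximumPasswordAge", "maxPwdAge"),
    "MinimumPasswordAge": ("msDS-MinimumPasswordAge", "minPwdAge"),
    "MinimumPasswordLength": ("msDS-MinimumPasswordLength", "minPwdLength"),
    "PasswordHistoryLength": ("msDS-PasswordHistoryLength", "pwdHistoryLength"),
}


def effective_settings(domain, pso=None, is_dc=True):
    """Return the Effective-* values for one user object.

    domain: attributes of the domain object.
    pso:    attributes of the object named by msDS-ResultantPSO, or None.
    is_dc:  True when the server is in a DC configuration.
    """
    props = domain["pwdProperties"]
    domain_cleartext = bool(props & DOMAIN_PASSWORD_STORE_CLEARTEXT)
    use_pso = is_dc and pso is not None
    src, idx = (pso, 0) if use_pso else (domain, 1)
    eff = {"Effective-" + k: src[names[idx]] for k, names in DIRECT.items()}
    if use_pso:
        # Step 1: complexity is read from the PSO only ...
        eff["Effective-PasswordComplexityEnabled"] = bool(pso["msDS-PasswordComplexityEnabled"])
        # ... but reversible encryption is (PSO value) OR (domain flag).
        eff["Effective-PasswordReversibleEncryptionEnabled"] = (
            bool(pso["msDS-PasswordReversibleEncryptionEnabled"]) or domain_cleartext)
    else:
        # Step 2: everything comes from the domain object.
        eff["Effective-PasswordComplexityEnabled"] = bool(props & DOMAIN_PASSWORD_COMPLEX)
        eff["Effective-PasswordReversibleEncryptionEnabled"] = domain_cleartext
    return eff


# Constructed sample values (times are placeholders, not taken from the page).
SAMPLE_DOMAIN = {"lockOutObservationWindow": -18000000000, "lockoutDuration": -18000000000,
                 "lockoutThreshold": 0, "maxPwdAge": -36288000000000, "minPwdAge": -864000000000,
                 "minPwdLength": 7, "pwdHistoryLength": 24,
                 "pwdProperties": DOMAIN_PASSWORD_STORE_CLEARTEXT}
SAMPLE_PSO = {"msDS-LockoutObservationWindow": -18000000000, "msDS-LockoutDuration": -18000000000,
              "msDS-LockoutThreshold": 5, "msDS-MaximumPasswordAge": -36288000000000,
              "msDS-MinimumPasswordAge": -864000000000, "msDS-MinimumPasswordLength": 14,
              "msDS-PasswordHistoryLength": 24, "msDS-PasswordComplexityEnabled": True,
              "msDS-PasswordReversibleEncryptionEnabled": False}
```

With the sample data, the PSO raises the minimum length to 14 and enables complexity, yet Effective-PasswordReversibleEncryptionEnabled remains true because DOMAIN_PASSWORD_STORE_CLEARTEXT is set on the domain object.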