CHAP and Reverse Encryption Password Policy (289884)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional

This article was previously published under Q289884

SUMMARY

You cannot configure the Reverse Encryption password setting that is required for the Challenge Handshake Authentication Protocol (CHAP) at the Organizational Unit (OU) level.

MORE INFORMATION

This article is designed to clarify information that is located in the following reference materials:
  • The Windows 2000 Server Resource Kit in the following location:

    Windows 2000 Server Resource Kit\Internetworking guide\Remote Access\Internet Authentication Service\IAS Authentication\Authentication Methods (Enabling CHAP)

  • Internet Authentication Service for Windows 2000 White Paper.
  • For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

    254172 Enabling the Challenge Handshake Authentication Protocol

Each document provides a step-by-step process to configure Windows 2000 to enable the CHAP authentication protocol; however, the statement about the Reverse Encryption password configuration that is included in each of these materials is incorrect. The following information is a correction of these materials.

CHAP Information Correction

In Windows 2000 domains, you can set the Reverse Encryption password setting only at the user level, or at the domain level by using the domain Group Policy (GP):

User Level

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Right-click the Users folder under the domain node, and then click Properties.
  3. Click the Account tab to find the setting.

Domain Level Through the Domain Group Policy

You cannot use GP at the Organizational Unit (OU) level for this setting. To find the setting, go to the following location in the domain GP:

Windows Settings\Security Settings\Account Policies\Password Policy\Store password using reversible encryption for all users in the domain

All account policies can be set only at the domain level; if they are set at the OU level, they are ignored. For more details about this behavior, please refer to the following resources:
  • Windows 2000 Server Resource Kit, Chapter 22 on Group Policy, p 1238.
  • 259576 Group Policy Application Rules for Domain Controllers

Note: The reversibly encrypted form of a password is stored only when the password is changed; therefore, an existing user must change his or her password before CHAP can be used for that account.
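The following PowerShell script is an added example and is not part of this article; it audits the two levels described above (the domain-wide policy and the per-user Account tab setting) so that an administrator can see where reversible encryption is actually in effect. It assumes a domain-joined machine with LDAP access to the directory and uses ADSI only (no RSAT module); the bit values it tests (pwdProperties 0x10, DOMAIN_PASSWORD_STORE_CLEARTEXT, and userAccountControl 0x80, ENCRYPTED_TEXT_PWD_ALLOWED) are the documented flags, not values taken from this article.

```powershell
# Added example: report where reversible password encryption is enabled.
# Domain level is read from the domain head's pwdProperties attribute, which
# reflects the effective "Store password using reversible encryption" policy.
# User level is found via the per-account flag set by the Account tab checkbox.

function Get-ReversibleEncryptionStatus {
    $root   = [ADSI]"LDAP://RootDSE"
    $domain = [ADSI]"LDAP://$($root.defaultNamingContext)"

    # Bit 0x10 of pwdProperties is DOMAIN_PASSWORD_STORE_CLEARTEXT.
    $pwdProps   = [int]$domain.Properties["pwdProperties"].Value
    $domainWide = ($pwdProps -band 0x10) -ne 0

    # Bit 0x80 of userAccountControl is ENCRYPTED_TEXT_PWD_ALLOWED.
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
    $searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=128))"
    $searcher.PageSize = 1000
    $null = $searcher.PropertiesToLoad.Add("sAMAccountName")
    $null = $searcher.PropertiesToLoad.Add("distinguishedName")

    $users = foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            SamAccountName    = [string]$r.Properties["samaccountname"][0]
            DistinguishedName = [string]$r.Properties["distinguishedname"][0]
        }
    }

    [pscustomobject]@{
        Domain                 = [string]$root.defaultNamingContext
        DomainWideReversible   = $domainWide
        UsersFlaggedReversible = @($users)
    }
}

$status = Get-ReversibleEncryptionStatus
if ($status.DomainWideReversible) {
    Write-Warning "Reversible encryption is enabled for ALL users in $($status.Domain)."
}
"Accounts with the per-user reversible encryption flag: $($status.UsersFlaggedReversible.Count)"
$status.UsersFlaggedReversible | Format-Table SamAccountName, DistinguishedName -AutoSize
```

Because the domain-wide policy is ignored when set at an OU, a non-empty per-user list with DomainWideReversible false is the expected picture when CHAP has been enabled for selected accounts only.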

Modification Type: Minor
Last Reviewed: 1/27/2006
Keywords:kbenv kbinfo KB289884