Microsoft small business knowledge base

Article ID: 289884 - Last Review: October 26, 2013 - Revision: 4.0

This article was previously published under Q289884
This article has been archived. It is offered "as is" and will no longer be updated.


You cannot configure the Reverse Encryption password setting that is required for the Challenge Handshake Authentication Protocol (CHAP) at the Organizational Unit (OU) level.

More information

This article is designed to clarify information that is located in the following reference materials:
  • The Windows 2000 Server Resource Kit in the following location:
    Windows 2000 Server Resource Kit\Internetworking guide\Remote Access\Internet Authentication Service\IAS Authentication\Authentication Methods (Enabling CHAP)
  • Internet Authentication Service for Windows 2000 White Paper.
  • For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
    254172 Enabling the Challenge Handshake Authentication Protocol
Each document provides a step-by-step process to configure Windows 2000 to enable the CHAP authentication protocol; however, the statement about the Reverse Encryption password configuration that is included in each of these materials is incorrect. The following information is a correction of these materials.

CHAP Information Correction

In Windows 2000 domains, you can only set the Reverse Encryption password setting at the user level or at the domain level by using the domain Group Policy (GP):

User Level

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Right-click the Users folder under the domain node, and then click Properties.
  3. Click the Account tab to find the setting.

Domain Level Through the Domain Group Policy

You cannot use the GP at the Organizational Unit (OU) level. Go to the following location in the domain GP to find the setting:
Windows Settings\Security Settings\Account Policies\Password Policy\Store password using reversible encryption for all users in the domain
You can only set all account policies at the domain level. If they are set at the OU level, they are ignored. For more details about this behavior, please refer to the following resources:
  • Windows 2000 Server Resource Kit, Chapter 22 on Group Policy, p 1238.
  • 259576 Group Policy Application Rules for Domain Controllers

Note: Reversibly-encrypted passwords are saved during the change password procedure; therefore, as an existing user, you have to change your password to use CHAP.
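The following audit sketch is an added example, not part of the original article or any Microsoft tooling. It reads the text of each GPO's security template (GptTmpl.inf), where this setting is stored as `ClearTextPassword` under `[System Access]`, and reports the value that takes effect for domain accounts along with any OU-linked GPO whose value is ignored. The template contents, the name "RAS Users OU Policy", and the precedence ordering of the input list are assumptions made for the example.

```python
import configparser

# Constructed sample templates (not from the article): a domain-linked GPO that
# leaves reversible encryption off and an OU-linked GPO that tries to turn it on.
DOMAIN_INF = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 7
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""
OU_INF = DOMAIN_INF.replace("ClearTextPassword = 0", "ClearTextPassword = 1")


def reversible_flag(inf_text):
    """True/False for ClearTextPassword in [System Access]; None if undefined."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(inf_text)
    value = cp.get("System Access", "ClearTextPassword", fallback=None)
    return None if value is None else value.strip() == "1"


def audit(gpos):
    """gpos: (name, link_level, inf_text) tuples, lowest precedence first
    (ordering is an assumption of this example). Returns (effective, ignored)."""
    effective = False   # assumed default when no domain-level GPO defines it
    ignored = []
    for name, level, text in gpos:
        flag = reversible_flag(text)
        if flag is None:
            continue
        if level == "domain":
            effective = flag              # account policy is honoured here
        else:
            ignored.append((name, flag))  # OU-level account policy: ignored
    return effective, ignored


if __name__ == "__main__":
    effective, ignored = audit([("Default Domain Policy", "domain", DOMAIN_INF),
                                ("RAS Users OU Policy", "ou", OU_INF)])
    print("Effective reversible encryption for domain accounts:", effective)
    for name, flag in ignored:
        print(f"IGNORED: {name} sets ClearTextPassword={int(flag)} at OU level")
```

With the constructed input, the OU-linked template is reported as ignored and the effective value stays disabled, which is the situation the correction above describes.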

Applies to
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition