You cannot configure the Reverse Encryption password setting that is required for the Challenge Handshake Authentication Protocol (CHAP) at the Organizational Unit (OU) level.
This article is designed to clarify information that is located in the following reference materials:
Each document provides a step-by-step process to configure Windows 2000 to enable the CHAP authentication protocol; however, the statement about the Reverse Encryption password configuration that is included in each of these materials is incorrect. The following information is a correction of these materials.
CHAP Information Correction
In Windows 2000 domains, you can set the Reverse Encryption password setting only at the user level or at the domain level by using the domain Group Policy (GP):
- Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- Right-click the Users folder under the domain node, and then click Properties.
- Click the Account tab to find the setting.
Domain Level Through the Domain Group Policy
You cannot use the GP at the Organizational Unit (OU) level. Go to the following location in the domain GP to find the setting:
Windows Settings\Security Settings\Account Policies\Password Policy\Store password using reversible encryption for all users in the domain
You can only set all account policies at the domain level. If they are set at the OU level, they are ignored. For more details about this behavior, please refer to the following resources:
- Windows 2000 Server Resource Kit, Chapter 22 on Group Policy, p 1238.
Note: Reversibly-encrypted passwords are saved during the change password procedure; therefore, as an existing user, you have to change your password to use CHAP.
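The two places described above where the setting can take effect (the domain policy and the per-user account flag) can be audited with the script below. It is an added example, not part of the original article or any Microsoft tooling. It assumes a workstation with the RSAT ActiveDirectory PowerShell module, which is newer than Windows 2000; the function name Get-ReversibleEncryptionExposure is hypothetical.

```powershell
# Added audit example (not from the original article).
# Assumption: the RSAT ActiveDirectory module is installed and the caller can read the domain.
Import-Module ActiveDirectory

function Get-ReversibleEncryptionExposure {
    # Domain level: the only Group Policy scope at which account policies apply.
    $domainOn = (Get-ADDefaultDomainPasswordPolicy).ReversibleEncryptionEnabled

    # User level: bit 0x80 (ENCRYPTED_TEXT_PWD_ALLOWED) of userAccountControl.
    $userFlagFilter = '(&(objectCategory=person)(objectClass=user)' +
                      '(userAccountControl:1.2.840.113556.1.4.803:=128))'
    $allUsersFilter = '(&(objectCategory=person)(objectClass=user))'

    # With the domain policy on, every user is in scope; otherwise only flagged users.
    $filter = if ($domainOn) { $allUsersFilter } else { $userFlagFilter }

    Get-ADUser -LDAPFilter $filter -Properties userAccountControl, PasswordLastSet |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                UserFlagSet     = [bool]($_.userAccountControl -band 0x80)
                DomainPolicyOn  = $domainOn
                # The reversible form is written only when the password is changed,
                # so this date shows whether a change has happened since enabling.
                PasswordLastSet = $_.PasswordLastSet
                DistinguishedName = $_.DistinguishedName
            }
        }
}

Get-ReversibleEncryptionExposure |
    Sort-Object PasswordLastSet |
    Format-Table SamAccountName, UserFlagSet, DomainPolicyOn, PasswordLastSet -AutoSize
```

Compare PasswordLastSet with the date the setting was enabled: accounts whose password predates it have no reversibly encrypted copy stored yet, and those changed afterwards do.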
Group Policy Application Rules for Domain Controllers