DS behavior

 

Applies To: Windows Server 2003, Windows Server 2008, Windows Server 2003 R2, Windows Server 2012, Windows Server 2003 with SP1, Windows 8

Manages password operations over unsecured connections. You can allow or deny password operations over unsecured connections and list the current setting.

As a best security practice, you should not disable strong encryption in a production environment. Strong encryption ensures that passwords are transmitted only across secure channels. For test environments only, you can disable strong encryption.

This is a subcommand of Ntdsutil and Dsmgmt. Ntdsutil and Dsmgmt are command-line tools that are built into Windows Server 2008 and Windows Server 2008 R2. Ntdsutil is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. Dsmgmt is available if you have the AD LDS server role installed. These tools are also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (https://go.microsoft.com/fwlink/?LinkID=177813).

To use either of these tools, you must run them from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

For examples of how to use this command, see Examples.

Syntax

connections
[{allow passwd op on unsecured connection | deny passwd op on unsecured connection | list current ds-behavior}]

Parameters

Parameter

Description

allow passwd op on unsecured connection

Modifies AD DS or AD LDS behavior to allow password operations over an unsecured connection.

connections

Invokes the server connections submenu.

deny passwd op on unsecured connection

Modifies AD DS or AD LDS behavior to deny password operations over an unsecured connection.

list current ds-behavior

Lists current behavior for the AD DS or AD LDS instance.

quit

Takes you back to the previous menu, or exits the utility.

?

Displays Help at the command prompt.

Help

Displays Help at the command prompt.

Remarks

  • Before you can run the DS behavior subcommand, you need to connect to a specific AD Ds or AD LDS instance by using the connections parameter.

  • By default, password operations over unsecured connections are denied. You should change the default setting only after performing an appropriate risk analysis.

  • Ntdsutil does not correctly handle special characters, such as the apostrophe character ('), that you can enter at the ntdsutil: prompt at the command line. In some situations, there may be an alternative workaround. For more information, see local roles.

Examples

To allow password operations over unsecured connections, type the following command, and then press ENTER:

AD DS/LDS behavior: allow passwd op on unsecured connection

Additional references

Command-Line Syntax Key

Ntdsutil

Dsmgmt

authoritative restore

configurable settings

files

group membership evaluation

ifm

LDAP policies

local roles

metadata cleanup

partition management

roles

security account management

semantic database analysis

set DSRM password

snapshot