Question

By default, Active Directory doesn't allow password operations, such as password updates or creating users with passwords, over an LDAP connection; it requires an LDAPS connection. How can I disable this policy? I can ensure the connection between my client and the AD is secure, so I do not need SSL encryption.

Solution

Open a command line (Start → Run → cmd) and type the following commands:

  • dsmgmt
  • ds behavior
  • connections
  • connect to server localhost
  • quit
  • allow passwd op on unsecured connection
  • list current ds-behavior
  • quit
  • quit

The whole thing should look like this (empty lines added for readability):

C:\Windows\system32>dsmgmt

dsmgmt: ds behavior

AD DS/LDS behavior: connections

server connections: connect to server localhost
Binding to localhost ...
Connected to localhost using credentials of locally logged on user.

server connections: quit

AD DS/LDS behavior: allow passwd op on unsecured connection
Successfully modified DS Behavior to reset password over unsecured network.

AD DS/LDS behavior: list current ds-behavior
Password operations on unsecured connection: Allowed.

AD DS/LDS behavior: quit
dsmgmt: quit

To undo the change, open dsmgmt again and follow the steps. Instead of allow, use deny passwd op on unsecured connection.

Source: http://www.forumeasy.com/forums/thread.jsp?tid=135602313860&fid=ldapprof9
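
For reviewing where this relaxation is switched on, the following is an added example, not part of the original answer. It assumes the dsmgmt setting is persisted as the 13th character of the `dSHeuristics` attribute (fAllowPasswordOperationsOverNonSecureConnection in MS-ADTS); the instance names and attribute values are constructed.

```python
"""Audit helper: is the password-operation relaxation set in dSHeuristics?"""

# Assumption (not stated on the page): the dsmgmt setting is persisted as the
# 13th character of dSHeuristics on the "CN=Directory Service,CN=Windows NT,
# CN=Services" object in the configuration partition.
FLAG_POS = 13
# MS-ADTS: position 10 must hold "1" and position 20 must hold "2" once the
# string is long enough to reach them.
MARKERS = {10: "1", 20: "2"}


def passwd_ops_allowed(ds_heuristics):
    """Return True if password operations over plain LDAP are enabled."""
    value = ds_heuristics or ""  # unset attribute: every flag at its default
    for pos, expected in MARKERS.items():
        if len(value) >= pos and value[pos - 1] != expected:
            raise ValueError(f"position {pos} must be {expected!r}")
    if len(value) < FLAG_POS:
        return False  # string too short to carry the flag, so default (deny)
    # Conservative for an audit: anything other than "0" counts as enabled.
    return value[FLAG_POS - 1] != "0"


def audit(instances):
    """Map each instance name to 'ALLOWED', 'denied' or 'malformed'."""
    findings = {}
    for name, value in instances.items():
        try:
            findings[name] = "ALLOWED" if passwd_ops_allowed(value) else "denied"
        except ValueError:
            findings[name] = "malformed"
    return findings


# Constructed sample values, as they might be read from several instances.
SAMPLES = {
    "lds-app01": "0000000001001",  # 13th character set
    "lds-app02": "0000000001000",  # 13th character cleared
    "lds-app03": None,             # attribute not set
    "lds-app04": "0000000000001",  # 10th character is not "1"
}

if __name__ == "__main__":
    for name, status in audit(SAMPLES).items():
        print(f"{name}: password operations over unsecured LDAP: {status}")
```
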

Licensed under: CC-BY-SA with attribution