1. The constraints in section MUST be satisfied.

  2. The new value MUST be encrypted before being persisted. Encryption is accomplished using the algorithm specified in section, with the RID (an unsigned integer) as the encryption key.

  3. If the client has access to the Unexpire-Password control access right ([MS-ADTS] section on the domain object, pwdLastSet MUST be updated to the current time; otherwise, pwdLastSet MUST be updated to the value zero, which causes the new password to expire immediately.

  4. If the update to this attribute is not from an internal trigger, the supplementalCredential attribute MUST be removed.

  5. The ntPwdHistory attribute MUST be updated with the new unicodePwd attribute value (encrypted with the RID, according to constraint 2) according to the constraints in section