DS behavior
Applies To: Windows Server 2003, Windows Server 2008, Windows Server 2003 R2, Windows Server 2012, Windows Server 2003 with SP1, Windows 8
Manages password operations over unsecured connections. You can allow or deny password operations over unsecured connections and list the current setting.
As a best security practice, you should not disable strong encryption in a production environment. Strong encryption ensures that passwords are transmitted only across secure channels. For test environments only, you can disable strong encryption.
This is a subcommand of Ntdsutil and Dsmgmt. Ntdsutil and Dsmgmt are command-line tools that are built into Windows Server 2008 and Windows Server 2008 R2. Ntdsutil is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. Dsmgmt is available if you have the AD LDS server role installed. These tools are also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (https://go.microsoft.com/fwlink/?LinkID=177813).
To use either of these tools, you must run them from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
For examples of how to use this command, see Examples.
Syntax
connections
[{allow passwd op on unsecured connection | deny passwd op on unsecured connection | list current ds-behavior}]
Parameters
Parameter |
Description |
---|---|
allow passwd op on unsecured connection |
Modifies AD DS or AD LDS behavior to allow password operations over an unsecured connection. |
connections |
Invokes the server connections submenu. |
deny passwd op on unsecured connection |
Modifies AD DS or AD LDS behavior to deny password operations over an unsecured connection. |
list current ds-behavior |
Lists current behavior for the AD DS or AD LDS instance. |
quit |
Takes you back to the previous menu, or exits the utility. |
? |
Displays Help at the command prompt. |
Help |
Displays Help at the command prompt. |
Remarks
Before you can run the DS behavior subcommand, you need to connect to a specific AD Ds or AD LDS instance by using the connections parameter.
By default, password operations over unsecured connections are denied. You should change the default setting only after performing an appropriate risk analysis.
Ntdsutil does not correctly handle special characters, such as the apostrophe character ('), that you can enter at the ntdsutil: prompt at the command line. In some situations, there may be an alternative workaround. For more information, see local roles.
Examples
To allow password operations over unsecured connections, type the following command, and then press ENTER:
AD DS/LDS behavior: allow passwd op on unsecured connection