ms-DS-User-Encrypted-Text-Password-Allowed attribute

Indicates whether Active Directory will store the password in the reversible encryption format. True if the password is stored in the reversible encryption format; otherwise, False.


This attribute is not used by Active Directory Lightweight Directory Services and is only included for completeness/parity with userAccountControl. AD LDS does not store passwords with reversible encryption, regardless of this attribute's value on any given object or the computer security policy pertaining to reversible encryption on the computer itself.

Entry              Value
CN                 ms-DS-User-Encrypted-Text-Password-Allowed
Ldap-Display-Name  ms-DS-UserEncryptedTextPasswordAllowed
Size               -
Update Privilege   -
Update Frequency   -
Attribute-Id       1.2.840.113556.1.4.1856
System-Id-Guid     5a87c7f2-93c5-454c-a8c5-8cb09613292e
Syntax             Boolean



Entry                   Value
Link-Id                 -
System-Only             False
Is-Single-Valued        True
Is Indexed              False
In Global Catalog       False
NT-Security-Descriptor  O:BAG:BAD:S:
Range-Lower             -
Range-Upper             -
Search-Flags            0x00000000
System-Flags            0x00000010
Classes used in         ms-DS-Bindable-Object


In ADAM, this attribute replaces the ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED flag of the userAccountControl attribute.