Manages password operations over unsecured connections. You can allow or deny password operations over unsecured connections, and list the current setting.

As a best security practice, you should not disable strong encryption in a production environment. Strong encryption ensures that passwords are transmitted only across secure channels. For test environments only, you can disable strong encryption.

Ntdsutil is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. To use ntdsutil, you must run the ntdsutil command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

For examples of how to use this command, see Examples.

Syntax

connections
[{allow passwd op on unsecured connection | deny passwd op on unsecured connection | list current ds-behavior}]

Parameters

Parameter Description

allow passwd op on unsecured connection

Modifies AD DS or AD LDS behavior to allow password operations over an unsecured connection.

connections

Invokes the server connections submenu.

deny passwd op on unsecured connection

Modifies AD DS or AD LDS behavior to deny password operations over an unsecured connection.

list current ds-behavior

List current behavior for the AD DS or AD LDS instance.

quit

Takes you back to the previous menu or exits the utility.

?

Displays help at the command prompt.

Help

Displays help at the command prompt.

Remarks

  • Before you can run the DS behavior subcommand, you need to connect to a specific AD Ds or AD LDS instance by using the connections parameter.

  • By default, password operations over unsecured connections are denied. You should change the default setting only after performing an appropriate risk analysis.

Examples


  • configurable settings
  • group membership evaluation
  • configurable settings
  • files