如何在Active Directory中禁用“仅限LDAPS的密码操作”策略

Question

默认情况下，Active Directory不允许执行密码操作，如密码更新或用户使用LDAP连接创建密码，它需要LDAPS连接。我如何禁用此政策？我可以确保我的客户端和AD之间的连接是安全的，所以我不需要SSL加密。

Answer 1

打开命令行（开始→运行→cmd）和输入下面的命令：

• dsmgmt
• ds behavior
• connections
• connect to server localhost
• quit
• allow passwd op on unsecured connection
• list current ds-behavior
• quit
• quit

整个事情应该是这样的（空行增加了可读性）

C:\Windows\system32>dsmgmt 

dsmgmt: ds behavior 

AD DS/LDS behavior: connections 

server connections: connect to server localhost 
Binding to localhost ... 
Connected to localhost using credentials of locally logged on user. 

server connections: quit 

AD DS/LDS behavior: allow passwd op on unsecured connection 
Successfully modified DS Behavior to reset password over unsecured network. 

AD DS/LDS behavior: list current ds-behavior 
Password operations on unsecured connection: Allowed. 

AD DS/LDS behavior: quit 
dsmgmt: quit 

要撤消的变化，开放dsmgmt再次，并按照脚步。而不是allow，请使用deny passwd op on unsecured connection。

来源：http://www.forumeasy.com/forums/thread.jsp?tid=135602313860&fid=ldapprof9