Restrict UserPassword Attribute in AD Accounts
The UserPassword field should not be used to ensure account security.
Plain language
In a nutshell, this control is about ensuring that the 'UserPassword' field in Active Directory (AD), which is a system many businesses use to manage user accounts, is not utilised to store actual passwords. This is important because mishandling passwords can lead to security breaches, putting sensitive data at risk and potentially harming your business’s reputation and finances.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
The UserPassword attribute for user accounts is not used.
Why it matters
If the AD UserPassword attribute is populated, attackers who read directory data could obtain credentials and compromise accounts, enabling unauthorised access and data loss.
Operational notes
Periodically scan AD for any accounts with the UserPassword attribute set, block write access to it, and train administrators to never store passwords in directory attributes.
Implementation tips
- The IT team should ensure that the 'UserPassword' attribute in Active Directory is not used for storing passwords. They can do this by checking the configurations and confirming that alternative security measures, such as password hashes, are in use instead.
- System administrators should educate staff about secure password storage practices. This could involve running a training session that explains why passwords shouldn’t be stored in plaintext fields like 'UserPassword' and what alternatives should be used.
- Managers responsible for security policies should update organisational policies to explicitly forbid the use of the 'UserPassword' attribute for storing passwords. They can add this to the section on user account management in the company security manual.
- IT support personnel should regularly review the Active Directory settings and logs to ensure that no passwords are accidentally stored in the 'UserPassword' field. They can use automated scripts to flag any changes or anomalies.
- System owners should coordinate with IT security experts to implement monitoring tools that alert when attempts are made to utilise the 'UserPassword' attribute for password storage. This might involve configuring alerts in existing IT management software.
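The periodic scan described in the operational notes and the "automated scripts" mentioned in the implementation tips can be done with the ActiveDirectory PowerShell module. The script below is an added example, not part of the ISM or this page; it assumes RSAT's ActiveDirectory module is installed and that the scanning account can read the attribute. Note that unless the forest's dSHeuristics enables fUserPwdSupport, AD treats userPassword as a write-only alias of unicodePwd, so an empty result on such a forest only tells you the attribute is not readable, not that nobody has written to it.

```powershell
# Added example: report user objects whose userPassword attribute is populated.
# The value itself is deliberately never written to the report.
Import-Module ActiveDirectory

function Find-UserPasswordAttribute {
    param(
        # Search scope; defaults to the root of the current domain
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        # Query the PDC emulator so the latest writes are visible
        [string]$Server = (Get-ADDomain).PDCEmulator
    )

    # LDAP presence filter: any user object with a value in userPassword
    $hits = Get-ADUser -Server $Server -SearchBase $SearchBase `
        -LDAPFilter '(userPassword=*)' `
        -Properties userPassword, whenChanged

    foreach ($u in $hits) {
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            DistinguishedName = $u.DistinguishedName
            Enabled           = $u.Enabled
            # Record only that a value exists, never its contents
            AttributePopulated = $true
            LastChanged       = $u.whenChanged
            Server            = $Server
        }
    }
}

$findings = @(Find-UserPasswordAttribute)
$reportPath = Join-Path $PWD 'userPassword-findings.csv'   # hypothetical output path

if ($findings.Count -gt 0) {
    # Evidence for the audit: the CSV lists which accounts need remediation
    $findings | Export-Csv -Path $reportPath -NoTypeInformation
    Write-Warning "$($findings.Count) user object(s) have userPassword populated; see $reportPath"
} else {
    Write-Output "No user objects with userPassword populated on $((Get-ADDomain).PDCEmulator)."
}
```

Run it from a scheduled task under a read-only service account and keep the dated CSVs; a run of empty reports is exactly the "evidence of regular monitoring" the audit tips below ask for.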
Audit / evidence tips
- Ask for the Active Directory configuration settings document: request the records showing that the 'UserPassword' attribute is not configured to store passwords.
  Good: documentation showing 'UserPassword' is set to not receive plaintext passwords and outlining what is used instead.
- Ask for a report of recent user account audits: request logs or records showing recent checks of Active Directory settings.
  Good: a report with no instances of 'UserPassword' being used incorrectly and evidence of regular monitoring.
- Ask for a copy of the organisational policy on password storage: request the section of the security policy document that covers password management.
  Good: a clear policy statement prohibiting the storing of passwords in 'UserPassword'.
- Ask to see user training materials on password security: request a sample of training content distributed to staff.
  Good: training materials outlining secure password practices and procedures for handling passwords.
- Ask for evidence of automated alerts or monitoring systems: request verification of any systems in place that notify administrators about the use of the 'UserPassword' field.
  Good: detailed alert configurations that include monitoring of attempts to use 'UserPassword' for storing passwords.
Cross-framework mappings
How ISM-1838 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.9 | ISM-1838 requires a specific security configuration outcome in AD: the UserPassword attribute for user accounts is not used |
| Supports | Annex A 8.3 | ISM-1838 requires that the Active Directory (AD) UserPassword attribute for user accounts is not used, preventing creation or use of a di... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.