GPO to prevent sending unencrypted passwords to Third-Party SMB Servers

In a networked environment, especially in enterprise settings, safeguarding sensitive data, including passwords, is a critical aspect of cybersecurity. One significant risk is the transmission of unencrypted passwords to third-party Server Message Block (SMB) servers. This article provides a detailed guide for system administrators on creating a Group Policy Object (GPO) to prevent the sending of unencrypted passwords to third-party SMB servers.

Understanding the Risk

SMB servers are commonly used for file sharing and network communication. When interacting with third-party SMB servers, it’s crucial to ensure that passwords and other sensitive data are not transmitted in an unencrypted form, which could lead to potential data breaches and security vulnerabilities.

Prerequisites

  • Administrative Rights: You must have administrative privileges in your Active Directory (AD) environment.
  • Group Policy Management Console (GPMC): This tool must be installed and accessible.

Step-by-Step Instructions

Step 1: Access Group Policy Management Console

Open GPMC by searching for “Group Policy Management” in the Start menu or by executing gpmc.msc.

Step 2: Create or Edit a Group Policy Object

  • To create a new GPO, right-click on the domain or an Organizational Unit (OU) and select “Create a GPO in this domain, and Link it here…”.
  • To modify an existing GPO, find it under the appropriate domain or OU, right-click it, and select “Edit”.

Step 3: Navigate to SMB Server Settings

In the Group Policy Management Editor, go to: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.

Step 4: Configure SMB Password Protection

  • Locate the policy “Microsoft network client: Send unencrypted password to third-party SMB servers”.
  • Set this policy to “Disabled”.
  • Disabling this policy will prevent Windows clients from sending unencrypted passwords to SMB servers that don’t support password encryption, which is especially important when dealing with third-party servers.

Step 5: Apply and Enforce the GPO
  • Click “OK” or “Apply” to enforce the new settings.
  • Link the GPO to the appropriate OU(s).
  • The policy will be applied at the next Group Policy refresh cycle, or you can force it immediately by running gpupdate /force on the client machines.
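
To confirm that the setting from Step 4 actually reached a client after the refresh, the following added example (not part of the original article) reads the registry value that backs this Security Options policy, EnablePlainTextPassword under the LanmanWorkstation service parameters, and reports whether each machine is compliant. The function name Test-SmbPlainTextPasswordDisabled is hypothetical, and remote checks assume PowerShell remoting is enabled on the targets.

```powershell
# Added verification example; not from the original article.
# "Microsoft network client: Send unencrypted password to third-party SMB servers"
# is stored as the EnablePlainTextPassword DWORD (0 = Disabled, 1 = Enabled).
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$ValueName = 'EnablePlainTextPassword'

function Test-SmbPlainTextPasswordDisabled {   # hypothetical helper name
    [CmdletBinding()]
    param(
        # Defaults to the local machine; pass your own computer names to audit others.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Runs on the machine being checked and returns one result object.
    $check = {
        param($KeyPath, $ValueName)
        $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
        # An absent value is treated as the Windows default (Disabled).
        $raw = if ($null -ne $item) { $item.$ValueName } else { $null }
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            RawValue  = $raw
            Compliant = ($null -eq $raw -or $raw -eq 0)
        }
    }

    foreach ($name in $ComputerName) {
        try {
            if ($name -eq $env:COMPUTERNAME) {
                & $check $KeyPath $ValueName
            } else {
                Invoke-Command -ComputerName $name -ScriptBlock $check `
                    -ArgumentList $KeyPath, $ValueName -ErrorAction Stop |
                    Select-Object Computer, RawValue, Compliant
            }
        } catch {
            # Unreachable hosts are reported as non-compliant rather than skipped.
            [pscustomobject]@{ Computer = $name; RawValue = 'unreachable'; Compliant = $false }
        }
    }
}

# Check the local machine; add -ComputerName to audit several clients at once.
Test-SmbPlainTextPasswordDisabled | Format-Table -AutoSize
```

A machine that reports RawValue 1 is still willing to send plaintext passwords; check with gpresult whether the GPO is linked and applied to that computer's OU.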

Advanced Configuration and Use Cases

  1. High-Security Environments: In environments such as financial institutions or government sectors, where data security is paramount, this GPO is critical to prevent potential data leaks.
  2. Regulatory Compliance: For organizations subject to data protection regulations like GDPR or HIPAA, enforcing this policy can aid in compliance.
  3. Third-Party Interactions: Particularly in scenarios where your network interacts with third-party SMB servers, this policy ensures secure communication.

Security Considerations

  • Monitoring and Logging: Implement logging and monitoring mechanisms to detect any attempts to send unencrypted passwords.
  • User Training and Awareness: Ensure that users are aware of the risks associated with sending unencrypted passwords and understand the need for this policy.
  • Regular Policy Review: Continuously evaluate the policy’s effectiveness and make necessary adjustments to stay aligned with evolving security standards and organizational needs.

Troubleshooting

  • Issues with SMB Communication: If there are operational issues with SMB servers following the implementation of this policy, verify the encryption capabilities of the third-party servers and adjust configurations accordingly.
  • Policy Not Applying: Use tools like Resultant Set of Policy (RSoP) or gpresult to troubleshoot any issues with the application of the GPO.

Conclusion

Implementing a GPO to prevent the sending of unencrypted passwords to third-party SMB servers is an essential security measure for protecting sensitive data in a networked environment. This guide provides the necessary steps for system administrators to configure such a policy, significantly enhancing the security posture of their organization’s IT infrastructure.
