P
Patrick
Where are passwords held on 2000 servers and are they encrypted?
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
M
Miha Pihler
Hi Patrick,
password are stored in SAM database and in system registry. They are
encrypted with one way MD4 or MD5 hasing function (depends on operation and
environement...).
SAM database is located here
%systemroot%\system32\config
In the end it is up to the users to have strong - hard to guess password. No
encryption will help if users use empty or easy to guess passwords....
I hope this helps,
Mike
password are stored in SAM database and in system registry. They are
encrypted with one way MD4 or MD5 hasing function (depends on operation and
environement...).
SAM database is located here
%systemroot%\system32\config
In the end it is up to the users to have strong - hard to guess password. No
encryption will help if users use empty or easy to guess passwords....
I hope this helps,
Mike
P
Patrick
Mike ,
thanks for the quick response. If I look in the registry for password,
it should be unreadable? what key are they in?
also would you know how to check for inactive user accounts older then
a certain age in a system , say 90 days.
thanks
thanks for the quick response. If I look in the registry for password,
it should be unreadable? what key are they in?
also would you know how to check for inactive user accounts older then
a certain age in a system , say 90 days.
thanks
M
Miha Pihler
HKEY_LOCAL_MACINE\SECURITY\SAM\Domains\Account\Users\
But you won't be able to see these keys (beyond SECURITY) by default. You
have to take permissions first. Only SYSTEM is allowed to access to this
part of the registry!
Question about accounts and 90 days. Do you have domain accounts in mind? If
yes, what domain do you have? Windows 2000 or 2003? ...
Mike
But you won't be able to see these keys (beyond SECURITY) by default. You
have to take permissions first. Only SYSTEM is allowed to access to this
part of the registry!
Question about accounts and 90 days. Do you have domain accounts in mind? If
yes, what domain do you have? Windows 2000 or 2003? ...
Mike
P
Patrick
I'm looking at W2k for inactive domain accounts thanks
M
Miha Pihler
User's information in active directory environment is stored in ntdis.dit
file. There is nothing (that I would know of) in the registry.
Only when client logs on his credentials are stored locally in registry
(look at my previous response)
Mike
file. There is nothing (that I would know of) in the registry.
Only when client logs on his credentials are stored locally in registry
(look at my previous response)
Mike
S
Steven L Umbach
A couple thinks that may help.
Download the free dumpsec tool from SomarSoft and run it using the reports/dump users
as a column and select the last logon time option in the right column. Do this on a
domain controller and it will show all users last logon time.
http://www.somarsoft.com/
To specifically search for users with specific stale account time limits you can use
the AD command line tools from Windows 2003. For instance you can use dsquery user
with the -inactive switch to find those users with inactive accounts based on number
of weeks. You can use the AD tools to manage a W2K domain from an XP SP1 domain
member computer with adminpak from Windows 2003 installed on it. --- Steve
http://www.jsiinc.com/SUBO/tip7300/rh7330.htm
http://www.microsoft.com/windowsxp/...sxp/home/using/productdoc/en/dsquery_user.asp
Download the free dumpsec tool from SomarSoft and run it using the reports/dump users
as a column and select the last logon time option in the right column. Do this on a
domain controller and it will show all users last logon time.
http://www.somarsoft.com/
To specifically search for users with specific stale account time limits you can use
the AD command line tools from Windows 2003. For instance you can use dsquery user
with the -inactive switch to find those users with inactive accounts based on number
of weeks. You can use the AD tools to manage a W2K domain from an XP SP1 domain
member computer with adminpak from Windows 2003 installed on it. --- Steve
http://www.jsiinc.com/SUBO/tip7300/rh7330.htm
http://www.microsoft.com/windowsxp/...sxp/home/using/productdoc/en/dsquery_user.asp
P
Patrick
Mike,
When a user logs on to a WS in a W2K Environment with AD. Is his
password Encypted going across the wire by default using MD5? Is this
a standard of W2K?
thanks
When a user logs on to a WS in a W2K Environment with AD. Is his
password Encypted going across the wire by default using MD5? Is this
a standard of W2K?
thanks
J
Joe Richards [MVP]
The password doesn't go across the wire during a logon. If the logon uses
kerberos which would be the default it uses kerberos methods which basically has
the client telling the server who it is and the server sending back something
that only the userid listed could decrypt. You can learn more about kerberos
authentication all over the web, it is pretty heavily documented. If it is NTLM
then it is a fairly similar challenge response mechanism where a nonce is
encoded and the client has to do something with it. This is also pretty well
documented on the web as well as the shortcomings in ntlm.
joe
kerberos which would be the default it uses kerberos methods which basically has
the client telling the server who it is and the server sending back something
that only the userid listed could decrypt. You can learn more about kerberos
authentication all over the web, it is pretty heavily documented. If it is NTLM
then it is a fairly similar challenge response mechanism where a nonce is
encoded and the client has to do something with it. This is also pretty well
documented on the web as well as the shortcomings in ntlm.
joe
P
Patrick
thanks for the response Joe,
P
Patrick
Steven,
Is there a way to ck in W2K with native tools, say ADCU?
Is there a way to ck in W2K with native tools, say ADCU?
S
Steven L Umbach
Not that I know of offhand. There are probably scripting options that you can use.
See the link for the TechNet scripting center that has many scripts available.
Usrstat from the Resource Kit will display all users and their last logon time if
that would help. --- Steve
http://www.microsoft.com/technet/scriptcenter/default.mspx
http://www.petri.co.il/download_free_reskit_tools.htm -- get usrstat here
See the link for the TechNet scripting center that has many scripts available.
Usrstat from the Resource Kit will display all users and their last logon time if
that would help. --- Steve
http://www.microsoft.com/technet/scriptcenter/default.mspx
http://www.petri.co.il/download_free_reskit_tools.htm -- get usrstat here
G
Guest
check out a tool called hyena. It does what you want graphically. They have a free export tool that exports user data also. I can't remember if it will give you stale passwords, but hyena does.
Kevin
Kevin