Users Password from Active Directory

[Guest]

Hi , is there any way that i could get the users Domain password from Active
Directory ? I'm an administrator for the Windows Server 2000 Server and i
need this for some administrative purposes. Please Help

Regards

 

[Enkidu]

Hi , is there any way that i could get the users Domain password from
Active Directory ? I'm an administrator for the Windows Server 2000
Server and i need this for some administrative purposes. Please Help

An administrator can set a password but cannot find out a password of a
user.

The only way you could achive what you want is to set the user's
password and then prevent them from changing it. This is not secure,
obviously.

Cheers,

Cliff

 

[Hank Arnold]

Wouldn't be much of a secure environment if they could, would it??? Think
about it.... If you could do it, hackers could do it,too.......

If there *is* a way, I sure hope no one is stupid enough to post it on a
public forum......

 

[Joe Richards [MVP]]

AD doesn't store clear text passwords, it stores one way password hashes. Even
those are not available for casual browsing.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

 

[Genet]

So why the SYSKEY utility , I thought that encrypted the SAM database?

 

[Herb Martin]

Hi , is there any way that i could get the users Domain password from
Active
Directory ? I'm an administrator for the Windows Server 2000 Server and i
need this for some administrative purposes. Please Help

"need this for some admin purposes"? Doubtful.

Others have responded to indicate that this is not available
(by design).

You might 'crack' your own accounts database but you will
likely only get the passwords of users who have not used
strong passwords (l0phtcrak comes to mind.)

[And it MAY be reasonable for an admin to attempt this
on a regular basis -- with permission and notification --
in order to find weak passwords.]

You can MIGRATE the passwords by using ADMTv2 or v3.

What is it you want to do with these? What is your "admin purpose"?

 

[Ryan Hanisco]

Aznan,

Passwords under 16 characters can be decrypted much more easily as they
use a different algorithm. That being said, I have a hard time thinking
of any reason why an administrator would need to get a user's password.

So, tell us what you need access to and maybe we can help. Otherwise,
there's not much we can responsibly do.

Ryan Hanisco

 

[Joe Richards [MVP]]

It protects the hashes stored in the SAM portion of the registry that could be
brute forced.

SYSKEY doesn't do anything to help hashes in AD. You can get the hashes either
by injecting code into the LSASS process or editing the DB directly.



--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm