Any way to see an Active Directory password?

active-directory password password-recovery hash password-reset
144,009

Solution 1

AD passwords (just like Windows ones) are stored using non-reversible encryption, so the standard answer is a definite "NO".

There is a GPO settings that will tell AD (or any Windows system) to store passwords using reversible encryption, but there is no built-in tool to decrypt them (although there is some documentation floating around on how to do that). Of course, this is exactly as insecure as it looks.

Solution 2

If you need to see the plain text of what it's setting it to, and you can't get the reset tool to spit that info out itself, then you have two options: enabling reversible encryption, or using a password filter.

With reversible encryption, you can get at the original password, but it's not a pleasant process.

With a password filter, you can dump out all password changes to text, but that's obviously not a good thing for security when it comes to your non-test users.

If you only need to see the hash to see if it was set correctly, though, then you can dump the hash database and compare.

Share:
144,009

Related videos on Youtube

balentaw
Author by

balentaw

Updated on September 18, 2022

Comments

  • balentaw
    balentaw over 1 year

    Before you jump to conclusions, let me explain. We have a password reset tool that is not working. For some reason when you use it, it resets your password to some unknown value (Not what you changed it to, or what it was before). I have setup a test "user" in the appropriate OU, and I want to be able to see what the reset tool is changing the password to. That way maybe I can maybe understand what's going on. Any help would be greatly appreciated.

    • user1364702
      user1364702 almost 13 years
      What is the password reset tool? Why not just reset the password to a known value and have the user change their password at next login?
    • user1364702
      user1364702 almost 13 years
      I'd like to know what this tool is because how is it changing the password to anything other than what it was, if it isn't using Administrator or that user's access tokens with permissions to do so?...
  • ravi yarlagadda
    ravi yarlagadda almost 13 years
    That's the hash, anyway, which doesn't do a lot of good regarding this question, but you can certainly get at it through unsupported means. As I mentioned in my answer, password filters are an official, supported way to get copies of the plain passwords as they change. It's downhill from there with reversible encryption and attacks against hashes, but an unqualified "no" based on the ldap attribute is a bit.. narrow.
  • Kiquenet
    Kiquenet over 7 years
    Not pleasant process, very harder in C# IMHO. Not samples in github about it.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How can I reset the local Administrator password for a Windows Vista client connected to a domain?
Can I get all active directory passwords in clear text using reversible encryption?
Recover/change encryption password
Active Directory users unable to change passwords [SSSD]
"Authentication Manipulation Error" when trying to reset my password
what rar password recovery tools are available?
What is the default password for Ubuntu 12.04?
Debian 7 password recovery
Domain account keeps getting locked out
Is there a way to reset the password for a list of Active Directory users en-mass?