Active Directory Passwords

Status
Not open for further replies.

DMWCSD

IS-IT--Management
May 4, 2004
Does anyone know if there is a way that I can either set up Active Directory to store user passwords somewhere that I can view them when needed, or if there is anything that I can do to see the users' passwords?

Thanks for any help you can give. I am almost to the point where I begin to assign passwords to my users so I have a list of passwords that my technicians can use to do their jobs.
 
You don't need to know everyone's password. If you need to get into a user's computer, have the tech ask the user their password, or reset the password.


If you start assigning passwords, then how are you going to manage them when people start changing them? Are you not going to allow people to change their passwords or force changes? That's a no-no.
 
It's only possible for you to reset the user's passwords.

 

None of these folks are right and all of these folks are right.

None of them are right unless they all have set up their Win2k3 domains in a FIPS-compliant manner. I don't expect this to be the case. Password hashes are stored in a domain controller's registry, and are quite accessible and easily cracked to reveal the true password. If you do have a FIPS-compliant setup, just put your servers on a hub and capture all the traffic, and sniff password hashes from that.

All of them are right in that there's no reason for you to know anyone's password aside from your own. I don't know how things are set up that this might be required. I would highly recommend revisiting what about the setup requires you to know or change ANYONE's passwords, and change it. Your techs should have accounts good enough to log off any user, and your users should be trained well enough to save their documents often so it doesn't matter if they are forced to log off while they're out.

Your default admin account should be renamed using policy. Then you should set that account's password to something sooo ridiculously long and complex you'll never remember. Use the help of something like randpass.com for this. Once that's set, seal it in an envelope and drop it in your offsite storage safe.

Go buy LC5 from Symantec and you'll have everything you need. LC5 is difficult to get, and only available to US/Canada residents. (It might be easier now; I bought it mid-Symantec-acquisition.)

There are also a number of free utilities available that will do this, too.

 

That part I don't know.

I do know that the LC5 program is very good at finding them and bringing them into its sweaty little hands.

Packet sniffing works, too, if you've got a good old fashioned hub, and no one notices the server being plugged into a 10/100 port instead of a GB port. :)
 