
Can someone explain how the unicodePwd attribute works in AD?

Specifically, when I open "ADSI Editor", then open a user's properties and look at the attributes, the "unicodePwd" attribute shows as "not set", when in fact the user does have a password. Is this where the password gets stored?

Also, I can reset a user's password by right-clicking on the user and choosing Reset Password... but if I try to set it by updating unicodePwd, using proper hex and, I'm pretty sure, the right complexity, I get:

Operation Failed. Error code: 0x1f SvcErr: DSID-031A1236, problem 5003 (WILL_NOT_PERFORM), data 0


criderkevin

2 Answers


I have been working on this for a while, and you cannot change the user password from the GUI like that. There are two ways you can do this, as far as I have found:

  1. Use the powershell module found documented here: https://learn.microsoft.com/en-us/powershell/module/activedirectory/set-adaccountpassword?view=windowsserver2022-ps

  2. Do it with the help of LDAP / OpenLDAP, like so:

    a. add quotes (") to the beginning and end of the password

    b. convert each character to Unicode (UTF-16LE)

    c. convert the byte string you now have using base64 encoding.

The code I used to do the encoding is shown here:

import base64
import sys


def encode_pwd(pw):
    # AD expects the password surrounded by double quotes, encoded as UTF-16LE
    quoted = '"' + pw + '"'
    new_pw = quoted.encode("utf-16-le")
    # base64 so the value can be supplied in LDIF with the "::" syntax
    return base64.standard_b64encode(new_pw).decode("ascii")


pw = sys.argv[1]
print(encode_pwd(pw))

This will return the encoded unicodePwd.

Finally, modify the entry with ldapmodify (the `::` after the attribute name tells ldapmodify that the value is base64-encoded; the DN must be that of the user object, shown here as a placeholder):

ldapmodify -v -H 'ldaps://host' -U "user" -w "password" -Y DIGEST-MD5 \
<<EOF
# placeholder DN: replace with the DN of the user object being reset
dn: CN=user,CN=Users,DC=contoso,DC=com
changetype: modify
replace: unicodePwd
unicodePwd:: $b64pwd
-
EOF

I hope this answers your question. :)


Active Directory stores the password on a user object or inetOrgPerson object in the unicodePwd attribute.

UnicodePwd doesn't store the user password; it is not set by default itself. It is used for encoding the password in an attribute.

This attribute can be written under restricted conditions, but it cannot be read. The attribute can only be modified; it cannot be added on object creation or queried by a search.

In order to modify this attribute, the client must have a 128-bit Transport Layer Security (TLS)/Secure Socket Layer (SSL) connection to the server. An encrypted session using SSP-created session keys from NTLM or Kerberos is also acceptable as long as the minimum key length is met.

Reference: https://learn.microsoft.com/en-us/troubleshoot/windows/win32/change-windows-active-directory-user-password

Note: The syntax of the unicodePwd attribute is Object(Replica-Link). However, the DC requires that the password value be specified in a UTF-16 encoded Unicode string containing the password surrounded by quotation marks, which has been BER-encoded as an octet string per the Object(Replica-Link) syntax.

RahulKumarShaw
  • Thanks, any idea why, when using ADSI Editor, I cannot set the unicodePwd attribute? I try to enter: 4162633132332141626331323321416263, which is hex for Abc123!Abc123!Abc, and it fails with the error in my post above. – criderkevin Aug 26 '21 at 16:51
  • Please try with a DADM account with LDAP encryption: https://ldapwiki.com/wiki/UnicodePwd#section-UnicodePwd-TheSyntaxOfTheUnicodePwdAttribute . If we convert it on our own, it will not work as expected. LDAP does more encoding: https://ldapwiki.com/wiki/Example%20-%20Active%20Directory%20Change%20Password%20JNDI – RahulKumarShaw Aug 27 '21 at 05:00
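As an added example (not code from either answer or from Microsoft), the following Python puts together the encoding rule both answers describe (quoted password, UTF-16LE, base64 only for LDIF transport), a decoder that checks a hand-built value the way the DC will, the two LDIF shapes the referenced Microsoft article distinguishes (administrative reset as a single replace; user-initiated change as delete-old plus add-new in one modify), and a check of the hex value from the comment above. The DN `CN=Jane Doe,CN=Users,DC=contoso,DC=com` and all function names are constructed placeholders, not anything from the page:

```python
import base64
from typing import Optional


def encode_unicode_pwd(password: str) -> bytes:
    """Raw unicodePwd value: the password in ASCII double quotes, as UTF-16LE.

    Base64 is NOT part of the attribute value; LDIF's '::' syntax only uses
    it to carry binary data through a text file.
    """
    return ('"' + password + '"').encode("utf-16-le")


def unicode_pwd_b64(password: str) -> str:
    """The base64 text that follows 'unicodePwd::' in LDIF."""
    return base64.b64encode(encode_unicode_pwd(password)).decode("ascii")


def decode_unicode_pwd(raw: bytes) -> Optional[str]:
    """Parse a raw value the way the DC expects it.

    Returns the password if the bytes are an even-length UTF-16LE string whose
    first and last characters are double quotes, otherwise None.
    """
    if len(raw) % 2:
        return None
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        return None
    return text[1:-1]


def reset_ldif(user_dn: str, new_password: str) -> str:
    """Administrative reset: one replace op; needs the reset-password right
    on the user object (what 'Reset Password...' in the GUI exercises)."""
    return "\n".join([
        f"dn: {user_dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {unicode_pwd_b64(new_password)}",
        "-",
        "",
    ])


def change_ldif(user_dn: str, old_password: str, new_password: str) -> str:
    """User-initiated change: delete the old value and add the new one in a
    single modify; the DC verifies the old value itself."""
    return "\n".join([
        f"dn: {user_dn}",
        "changetype: modify",
        "delete: unicodePwd",
        f"unicodePwd:: {unicode_pwd_b64(old_password)}",
        "-",
        "add: unicodePwd",
        f"unicodePwd:: {unicode_pwd_b64(new_password)}",
        "-",
        "",
    ])


# Hex the questioner typed into ADSI Edit, copied from the comment above.
ADSI_EDIT_HEX = "4162633132332141626331323321416263"


def explain_adsi_attempt(hex_value: str) -> str:
    """Say whether a hex value typed into ADSI Edit is a valid unicodePwd."""
    raw = bytes.fromhex(hex_value)
    if decode_unicode_pwd(raw) is None:
        return (f"{len(raw)} bytes, plain ASCII {raw!r}: not UTF-16LE and "
                f"not wrapped in quotes, so it is not what the DC requires")
    return "valid unicodePwd value"


if __name__ == "__main__":
    # Constructed placeholder DN; substitute the real user object's DN.
    user_dn = "CN=Jane Doe,CN=Users,DC=contoso,DC=com"
    print(explain_adsi_attempt(ADSI_EDIT_HEX))
    print(reset_ldif(user_dn, "Abc123!Abc123!Abc"))
    print(change_ldif(user_dn, "OldP@ss1", "Abc123!Abc123!Abc"))
```

The LDIF either function returns can be piped straight into `ldapmodify` over an LDAPS (or SASL-sealed) connection, which is the encrypted transport the second answer says the DC insists on. The hex from the comment decodes to 17 bytes of plain ASCII with no quotes, which cannot even be UTF-16LE (odd length), which is why `decode_unicode_pwd` rejects it.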