4

How can I get the password for a user from Active Directory?

gbjbaanb
Loganathan

7 Answers

7

Simple, you cannot. Passwords are not stored in nearly all authentication systems. Instead, they are converted into a 'hash' that is stored instead. Then, when you want to prove that you know the password, you convert the password you type into a hash using the same algorithm and compare that to the stored data.

Some use public/private keys to perform the hashing, some use alternative algorithms. None of them can "un-convert" the hash back into the original password.

gbjbaanb
  • 2
    How can you get the hash in Active-directory ? – JPBlanc Apr 08 '11 at 18:04
  • You cannot (at least not easily). The password hash is write only, and even then only with the right permissions. If you want to validate against the password, see [this answer](http://stackoverflow.com/a/499716/1080891). More info [here.](http://social.technet.microsoft.com/Forums/en/winserverfiles/thread/63e3cf2d-f186-418e-bc85-58bdc1861aae) – Cavyn VonDeylen Oct 09 '12 at 15:08
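As an added example (not code from any of the posters): the usual alternative to retrieving a password is to let Active Directory verify one that the user supplies, which is what "validate against the password" in the comment above amounts to. This sketch uses the .NET `System.DirectoryServices.AccountManagement` API from PowerShell; the function name `Test-ADCredential` and the domain `corp.example.com` are hypothetical placeholders.

```powershell
# Added example: check a user-supplied password by authenticating against AD.
# Nothing here reads a password or a hash out of the directory.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-ADCredential {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $Domain,
        [Parameter(Mandatory = $true)] [pscredential] $Credential
    )

    $context = $null
    try {
        $contextType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
        $context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext `
                              -ArgumentList $contextType, $Domain

        # Ask explicitly for Negotiate (Kerberos/NTLM) with signing and sealing
        # rather than relying on the overload without options.
        $options = [System.DirectoryServices.AccountManagement.ContextOptions] 'Negotiate, Signing, Sealing'

        $net = $Credential.GetNetworkCredential()
        # Returns $true only if a domain controller accepts the user name and password.
        return $context.ValidateCredentials($net.UserName, $net.Password, $options)
    }
    catch [System.DirectoryServices.AccountManagement.PrincipalServerDownException] {
        throw "No domain controller for '$Domain' could be contacted: $($_.Exception.Message)"
    }
    finally {
        if ($context) { $context.Dispose() }
    }
}

# Get-Credential prompts for the password, so it never appears on the command
# line or in shell history. 'corp.example.com' is a placeholder domain.
$cred = Get-Credential -Message 'Account to verify'
if (Test-ADCredential -Domain 'corp.example.com' -Credential $cred) {
    'Credentials accepted by the domain.'
} else {
    'Credentials rejected.'
}
```

Each rejected attempt is a failed logon for that account and counts toward the domain's lockout threshold, so call this only in response to a user actually entering a password.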
4

Administrators do not have access to users' passwords, only the ability to change them.

John T
3

You cannot get the passwords stored in Active Directory because they are stored as hashes. The only time you can learn of a password in Active Directory is when it is being set, but for that you need a password filter in place, and to put the password filter in place, you have to be an admin on a Domain Controller.

You can also not change a user's password because changing a password requires that you know the user's existing password. You can only reset a user's password, but for that you need to have Reset Password rights on the user account.

Resetting a user's password is an administrative task that is often delegated to junior administrators, and in most cases delegated admins can reset user account passwords.

If interested, there is a good discussion about the difference between changing an Active Directory user account password and resetting an Active Directory user account password here:

http://www.activedirsec.org/t43140076/what-is-the-difference-between-the-change-password-and-reset/

Krishna Raju
3

You'll need administrative access to a domain controller to get the hashes. You'll then need to use a hash cracker, such as Cain, to see if you can recover the passwords. If the password is not simple, this could take days or years.

Note that this is illegal in most situations, and it's usual to reset passwords rather than recover them.

Mark
  • A +1 on this because this answer actually suggests a way to do what the OP wants. Of course, normally, it isn't possible, but ab-normally, many things are possible. – bgmCoder Jul 02 '12 at 16:57
1

By default, Active Directory is configured to utilize a hashed algorithm to store user passwords. You can however override that default and utilize symmetric (reversible) encryption instead. This does allow for the password to be retrieved via the standard APIs available. Here's a link on symmetric encryption with AD.

In addition, as another poster mentioned, you can utilize a password filter to capture password changes and the new passwords when users change them. Other than that, passwords must be reset. Hashes are not meant to be broken or recovered; that's the whole point.

Brent Pabst
0

Programmatically, through supported APIs, you can't read the passwords from Active Directory, but you can get to the passwords at the point in time when they are set by implementing a Password Filter.

CosmosKey
-1

I doubt very much if this is possible considering it is a password. But you might have better luck asking this in ServerFault?

I'm not sure if you will be able to get access, but once it's out of beta you'll be able to register.

Community
littlechris