Server 2003 Active Directory: Password Database?

EnFoRcEr!!

Hey guys, sorry if that title didn't quite explain the question. I was curious to know if there are any programs available that will allow you to pull the password from each account in Active Directory in a Server 2003 environment and throw them into a database (or even just a .txt file). Thanks ahead of time.
 
AFAIK there is no software tool to do what you are requesting for Active Directory accounts.

On another note, why would you want such a list to begin with?
 
There is an option under each user to store their password in a reversible encryption method. However, I've never used it, nor have I seen how to get the password back when the option is enabled.

I assume you are trying to auth some external service against the auth info in AD, yes? AD provides an LDAP appearance, so you can auth like that as needed.
 
No disrespect to anyone intended, but I think the posting of a link or information for a program that would do that is a bit unethical.
 
Why are you trying to do this? Yeah, there are some programs out there that will try to get the passwords. Work for some, not for others. Thing is, by making a database for passwords you are opening a big security risk.
 
No disrespect to anyone intended, but I think the posting of a link or information for a program that would do that is a bit unethical.

Actually I did this back in the NT 4.0 days to check to see if my end users were using passwords that were harder to crack instead of things like password or password1. It is a nice tool to see how fast or how long it can take to crack passwords to see how secure or insecure your systems are. Some tools are useful even if they can also be used for unethical reasons.
 
Actually I did this back in the NT 4.0 days to check to see if my end users were using passwords that were harder to crack instead of things like password or password1. It is a nice tool to see how fast or how long it can take to crack passwords to see how secure or insecure your systems are. Some tools are useful even if they can also be used for unethical reasons.


That's why Microsoft has min. complexity requirement settings. No one... including the domain admins should EVER ask a user or attempt to figure out a user's password. EVER!
 
I agree that Policy EnFoRcMeNt :eek: is the best policy. As IT staff we must maintain ethical appearances, and hijacking passwords sends the wrong message and runs the risk of losing the trust of a user community that already thinks we are a bunch of nerds without people skillz.
 
I agree that Policy EnFoRcMeNt :eek: is the best policy. As IT staff we must maintain ethical appearances, and hijacking passwords sends the wrong message and runs the risk of losing the trust of a user community that already thinks we are a bunch of nerds without people skillz.
And thinks that we read their email. Can't tell you how many times I get that.

I just have to keep reminding them that I have more important things to be doing than spying on the latest joke chain letter or their eBay auctions.
 
That's why Microsoft has min. complexity requirement settings. No one... including the domain admins should EVER ask a user or attempt to figure out a user's password. EVER!

That is why I stated NT 4.0 days. I did not have that sort of access back then to set the requirements. Now I do! Then again, I work for some not so bright people. Their passwords to this day are the last 4 digits of their social. They will not let me force the change. Shit, there is one department that has all the users' passwords written down on one monitor. Thank god they have no rights to anything real important on the network! I lock that side down tight. Group Policy also is a wonderful thing.
 
It's not that difficult to do but it also strikes me as a bit odd a question to ask.

That said you can edit IDM or MIIS to "synchronise" the passwords into plain text data targets, but obviously you have to install agents on all the domain controllers to get the Password Change LDAP update events to pipe out, as well as having the software itself obviously.

It will also only get the passwords as they change, not all the existing ones, you'd have to brute force the DES salt on AD to get that afaik.
 
No disrespect to anyone intended, but I think the posting of a link or information for a program that would do that is a bit unethical.

My apologies for not explaining better. I work in an IT dept. We have only about 6 IT members covering about 600+ users in 20+ offices nationwide. It would just make my life much easier if I had a list of passwords to help when doing things on individual machines as needed. Especially when people are on vacation and such.

Either way, thank you for the input everyone. I was fairly certain there was no way to do this, but I wanted to be sure before giving up.
 
My apologies for not explaining better. I work in an IT dept. We have only about 6 IT members covering about 600+ users in 20+ offices nationwide. It would just make my life much easier if I had a list of passwords to help when doing things on individual machines as needed. Especially when people are on vacation and such.

Either way, thank you for the input everyone. I was fairly certain there was no way to do this, but I wanted to be sure before giving up.

My advice here: Get a policy implemented that specifies what happens when you have to work on someone's profile. Namely, that you will be resetting their password. Have a procedure in place for users to follow (default passwords are a bad idea. Better would be a default password + disabled account until they call IT to get it reinstated) after they've had their profile worked on.

Not ideal, but you get the idea. And this way, you never need to know their password.
 
My advice here: Get a policy implemented that specifies what happens when you have to work on someone's profile. Namely, that you will be resetting their password. Have a procedure in place for users to follow (default passwords are a bad idea. Better would be a default password + disabled account until they call IT to get it reinstated) after they've had their profile worked on.

Not ideal, but you get the idea. And this way, you never need to know their password.

You can always leave their new password on their voicemail (as long as the VM is password protected).
 