Active Directory User Accounts and Passwords

Status
Not open for further replies.

djnes (Fully [H]), joined Mar 24, 2000, 19,560 messages
If I am the domain admin, is there a tool I can run to capture usernames and passwords? My manager wants to keep a copy of this under lock and key, in case someone leaves the company. I would prefer not to send out an e-mail asking each person to reply with their password, if necessary. I am the IT Manager, so there's nothing fishy or bending of rules going on here. Any suggestions? If it matters, the accounts are on a Server 2003 Domain, and I have full admin rights.
 
With default policy of a native 2003 domain you won't be able to. If someone leaves, reset their password and log in. Administrators don't have a need to know everyone's password in a properly set up environment.

If the domain was upgraded from 2000 or you have lowered your security settings, you can use something like LC5 to crack them.
 
MorfiusX said:
With default policy of a native 2003 domain you won't be able to. If someone leaves, reset their password and log in. Administrators don't have a need to know everyone's password in a properly set up environment.

If the domain was upgraded from 2000 or you have lowered your security settings, you can use something like LC5 to crack them.

I've seen some programs to crack them but you don't need to. As Morfius said, just reset the password when/if they leave or you want into the account. Another option would be making the passwords for everyone and setting them so they cannot change them. That way you have a master list. I'd be one for just resetting them though.
 
About the only way you could do it, would be to code a custom gina.dll to do what you'd like it to do. Also, there's a way to create a custom password filter within AD, I'll see if I can find you a link.
 
Ok, found an article that shows you how to do it.

http://www.devx.com/security/Article/21522/0/page/1

Just remember, be very cautious when putting it to use. Despite giving you the information on how to do it, I'm still for just resetting the password. You don't want to leave a file full of plain-text passwords lying around.
 
I'm yet another that would vote for just resetting the password. And if your groups/group policies are set up right, then you also shouldn't have a problem accessing their files in the case they do leave the company.
 
Well, I just started at the company, so I'm still not sure how Group Policies were set up before me, and resetting the passwords isn't an option right now. It would be if a person left the company; I could easily reset the password. We want a master list, to store offline in a safe. The CEO wants this for legal reasons, and I'm not about to argue with the CEO of my new job....especially when I somewhat agree with her wishes.

All I wanted to know was if a tool exists, because I know some domain admins at a previous employer used them, back in the NT 4.0 and 2000 days. I'll follow that link tomorrow and check it out. In the meantime, I've sent an e-mail out to all 26 employees, and they've been responding with their passwords, so either way, I'm getting the list together. Thanks for the link above.
 
djnes said:
Well, I just started at the company, so I'm still not sure how Group Policies were set up before me, and resetting the passwords isn't an option right now. It would be if a person left the company; I could easily reset the password. We want a master list, to store offline in a safe. The CEO wants this for legal reasons, and I'm not about to argue with the CEO of my new job....especially when I somewhat agree with her wishes.

All I wanted to know was if a tool exists, because I know some domain admins at a previous employer used them, back in the NT 4.0 and 2000 days. I'll follow that link tomorrow and check it out. In the meantime, I've sent an e-mail out to all 26 employees, and they've been responding with their passwords, so either way, I'm getting the list together. Thanks for the link above.

Depending on how you have the permissions set up, they could always give you the password and then change it. The best option if you want to keep a list is to make the passwords yourself and reset everyone's to them. Change the AD settings so they then cannot change the passwords. The tools don't work that well. Also, I'm thinking that such a list, if anything, would be bad for legal reasons, as if more people have access to a password you would have a harder time placing blame on someone. Maybe someone else could comment on this?
 
I know that no one will have access to the list, besides myself and the CEO.
 
swatbat said:
Depending on how you have the permissions set up, they could always give you the password and then change it. The best option if you want to keep a list is to make the passwords yourself and reset everyone's to them. Change the AD settings so they then cannot change the passwords. The tools don't work that well. Also, I'm thinking that such a list, if anything, would be bad for legal reasons, as if more people have access to a password you would have a harder time placing blame on someone. Maybe someone else could comment on this?

BEST idea here. Google "random password generator" and make a unique one for each user, then make it so that they can't change them.
 
So the password list will be pulled and saved each day? Some users can be changing their passwords before they expire, some folks change them when prompted, some change them once all the prompts are done and the password is expired...
 
The users aren't going to be changing them....so the list won't be pulled often at all...even if it is ever pulled again.

As far as the random password generator, I think the point of this thread is being missed. I'm not after a way of creating new passwords. I don't plan to pull these often and check whose password is strong and whose is not. I want to know if a tool exists to pull all current passwords and print them out to a list that the CEO will lock away. That's what I'm looking for. I am not crazy about the policy of how things are currently run, and I plan on making changes, but for now, I'm not interested in making waves.
 
djnes said:
I know that no one will have access to the list, besides myself and the CEO.

That's still 2 more people that don't really need to know it. Also, would you be able to prove that only you 2 had access to it? What I think everyone is trying to tell you is that there are better ways to do this.
 
I still fail to see why you need the list. There has to be a reason beyond "legal reasons". I'd think you'd be in more legal trouble should something happen and you have that list.
 
djnes said:
... I'm not about to argue with the CEO of my new job ...
Here's one thing that I've been trying to get through to the people I work with: Disagreements are good. Disagreements != Argument. It only becomes an argument if someone lets it. People can disagree and still be productive. It's healthy. Otherwise you get people who just do what they are told, whether it's right or wrong. If I was just hired and my CEO wanted me to do something I didn't agree with, I would tell them my concerns. If the CEO still insisted on taking the disagreeable action, that would be solely their decision. What if the CEO doesn't know that you can reset a password? What if they don't know what options are available? Part of the job of an IT guy should be to educate the uneducated when needed. What if the CEO says "Wow, I never knew you could do that!" Impress them with your ability to handle disagreement in a civilized manner.
 
djnes said:
If I am the domain admin, is there a tool I can run to capture usernames and passwords? My manager wants to keep a copy of this under lock and key, in case someone leaves the company. I would prefer not to send out an e-mail asking each person to reply with their password, if necessary. I am the IT Manager, so there's nothing fishy or bending of rules going on here. Any suggestions? If it matters, the accounts are on a Server 2003 Domain, and I have full admin rights.

Maybe this has already been stated, I haven't read all the responses.

From a security standpoint, this is a terrible idea. If you have full domain access, there is no reason to have passwords on a physical sheet of paper. If someone leaves the company, reset their password. It really is as simple as that.
 
djnes said:
The users aren't going to be changing them....so the list won't be pulled often at all...even if it is ever pulled again.

As far as the random password generator, I think the point of this thread is being missed. I'm not after a way of creating new passwords. I don't plan to pull these often and check whose password is strong and whose is not. I want to know if a tool exists to pull all current passwords and print them out to a list that the CEO will lock away. That's what I'm looking for. I am not crazy about the policy of how things are currently run, and I plan on making changes, but for now, I'm not interested in making waves.

You guys don't have expiring passwords either? Wow.

No, a simple tool does not exist for this purpose, and I would think if it DID exist, M$ would not be doing their job correctly. Just think, if it would be THAT easy for you to do, how easy would it be for anyone else? With that said, tools like LC do not exist for your given purpose. They exist for auditing roles, and aren't meant to run on every single account in a domain.
 
I wasn't asking if this was a good idea or not. I was asking if it was possible, and what tool could do it. This is funny, because I've been flamed and sent nasty PMs in the past for explaining why an OP shouldn't do what they were asking how to do. Nice.

As I said before, this is a new job, and I'm doing what is asked of me to this point. My job during the first month is to make a list of things I'd like to change or improve. Believe me, I have an entire section dedicated to how user accounts are handled, and how they should be handled.

I spent 5 1/2 years at HP, so I am fully aware of what types of things *should* be configured for user accounts, so I didn't really need the lectures on how this company does things wrong. That's great, and mostly I agree. That's not what I was asking though. To those who gave suggestions, thank you. To those who didn't offer anything but threadjacking, I'll be locking this thread, as I've already gotten my answer.
 