Any way to view users' passwords in Server 2003 AD?

Discussion in 'Active Directory' started by Bob, Apr 28, 2010.

  1. Bob

    Bob Guest

    Is there any way to view users' passwords in Server 2003 AD?

    We run a Server 2003 SP2 domain. We administrators have a list of all users'
    passwords on a spreadsheet, locked up. We need their passwords in the event we
    must sign onto their computers as an admin while they are away; we log back
    into the computer with their user name/password when done. You would be
    surprised how many people "do not" look at the user name when they log on -
    we had panic --- "I cannot log in", we go to their desktop and the user name
    is that of one of the administrators - user did not look.

    So the problem is when they change their passwords --- we ask for their new
    password. We were searching around the net and so far found no way to view
    their passwords in AD. Just wondering --- if there is something we are
    missing, does anyone know a way to view users' passwords in AD 2003? And this is
    all legit, users and managers know that we have and need their passwords ---
    we are trustworthy in our shop.

    Thanks,
    Bob
     
    Bob, Apr 28, 2010
    #1

  2. Hello Bob,

    No, the passwords aren't viewable, they are stored in a hash. And for god
    this isn't possible. Me as a user wouldn't like that someone knows my password.

    If you have the need for logon that's why you are admin and can do what you
    like on the machine. Even if a user is logged in as an admin you can kick
    him out without any problem.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Apr 28, 2010
    #2

  3. As noted, you cannot retrieve the passwords from AD. No user should ever
    tell you what their password is. If a user tells you their password, you
    should require that they change it immediately. This has nothing to do with
    how trustworthy you are. You don't want to know users' passwords, and you
    certainly don't want to store them anywhere.

    Most things an administrator needs to do on a computer can be done remotely.
    If an administrator must log into a workstation, users will just need to pay
    attention.
     
    Richard Mueller [MVP], Apr 28, 2010
    #3
  4. As Meinolf and Richard stated, this is not possible.

    If it were possible, I don't believe AD would be a viable and secure
    product to run a secure environment and not many would consider its
    use.


    Ace

     
    Ace Fekay [MVP - Directory Services, MCT], Apr 28, 2010
    #4
  5. Although the MVPs who have chimed in are correct for normal situations,
    I have heard plenty of use cases where it would be completely
    valid for the admins to know every user's password. This is typically
    the case where the information worker staff is highly transitory or
    performing some trivial task.

    If the admins do have a valid case for persisting user passwords then
    you can install a password filter/notification DLL on your domain
    controllers. This does not allow you to retrieve existing passwords,
    but will allow you to collect them as they are created and changed.
    This is typically a development task which consists of compiling the
    SDK sample (assuming you can still find it) but there may be freeware
    versions out there.

    HTH,
    Dave
    -------------------------

    I guess I have seen similar situations, like classroom training sessions, or
    a temporary contractor. Perhaps it would be easier in these cases to not
    allow the user to change their password. They would use the password you
    initially provide. Just recognize that the account could be one where many
    people potentially know the password, so it should be restricted. You could
    reset the password just before giving the new password to the user, then
    reset it when the user is finished, or reset it yourself periodically and
    communicate the new password to the user.
     
    Richard Mueller [MVP], Apr 29, 2010
    #5
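
A defender's view of the password filter/notification DLL mentioned in post #5, as an added example that is not part of the original thread: a registered filter sees passwords as they are created and changed, so the set of packages registered on each domain controller is worth auditing. The sketch parses the output of `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Notification Packages"` collected from each DC and flags entries outside a baseline. The host names, the baseline contents, the package name `pwcapture` and the sample output are constructed assumptions.

```python
import re

# Assumption: names recorded from a known-good DC of the same OS build.
BASELINE = {"scecli", "rassfm"}
MISSING = "<value not found in collected output>"

# Matches the value line printed by reg.exe; REG_MULTI_SZ items are joined by a literal \0.
VALUE_RE = re.compile(
    r"^[ \t]*Notification Packages[ \t]+REG_MULTI_SZ[ \t]*(.*)$", re.I | re.M)


def parse_packages(reg_output):
    """Return the package names from one host's `reg query` output."""
    match = VALUE_RE.search(reg_output)
    if match is None:
        raise ValueError("Notification Packages value not present")
    return [p.strip() for p in match.group(1).split("\\0") if p.strip()]


def audit(reports, baseline=BASELINE):
    """Map host -> entries that are not in the baseline (clean hosts omitted)."""
    allowed = {name.lower() for name in baseline}
    findings = {}
    for host, output in reports.items():
        try:
            packages = parse_packages(output)
        except ValueError:
            findings[host] = [MISSING]  # a failed collection is itself a finding
            continue
        # Filters are registered by bare DLL name, so a path or extension also fails the match.
        unexpected = [p for p in packages if p.lower() not in allowed]
        if unexpected:
            findings[host] = unexpected
    return findings


# Constructed sample output for three hypothetical domain controllers.
KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
SAMPLE = {
    "DC01": KEY + "\n" + r"    Notification Packages    REG_MULTI_SZ    scecli\0rassfm" + "\n",
    "DC02": KEY + "\n" + r"    Notification Packages    REG_MULTI_SZ    scecli\0rassfm\0pwcapture" + "\n",
    "DC03": "ERROR: The system was unable to find the specified registry key or value.\n",
}

if __name__ == "__main__":
    for host, items in sorted(audit(SAMPLE).items()):
        print(host, "unexpected notification packages:", ", ".join(items))
```

Build the baseline per OS build from a host you trust, and treat any change to this value as a change-control event.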