Passwords in AD
Tim Kalligonis
2006-01-06 16:50:32 UTC
Where is a user's password stored in AD? Is it an attribute on the user
object?

Thanks,
Tim
TZanolo
2006-01-06 17:09:25 UTC
A password of a domain user is stored in a database that is the database
for all of the AD.
Tim Kalligonis
2006-01-06 18:20:02 UTC
I'm asking specifically where in AD. We all know that ntds.dit is the
database that contains the data.
Are the users' passwords stored on the user object itself in an attribute or
somewhere else, in the database?
Joe Kaplan (MVP - ADSI)
2006-01-06 18:19:01 UTC
Yes, but it cannot be read via LDAP. It is write-only.

Essentially, you can't read AD passwords, hashed or otherwise, without
resorting to hacking. No APIs expose them.

Joe K.
Tim Kalligonis
2006-01-06 18:52:15 UTC
Thanks for the reply, Joe.
Do you know where it is stored? I understand I wouldn't be able to read
it... sure hope M$ doesn't store passwords in clear text. ;)

This is what I am looking for.

Where is the password?
How big is it (bytes)?
Joe Kaplan (MVP - ADSI)
2006-01-06 20:02:03 UTC
The attribute is unicodePwd, but I'm not sure if the passwords are actually
stored there or if they go through additional layers. It is not documented.
Since you can't read it anyway, why does this matter?

Note that generally several passwords will be stored based on the password
history policy. They are accepted as unicode and are generally hashed for
storage unless reversible encryption is enabled. There is no way to know
how big the data would be, but AD supports passwords up to 128 characters as
I understand it (256 bytes).

If you want to find out more details about how they are actually stored, you
need to look at the DIT file. The LDAP stuff is just a facade over that.

Joe K.
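The two points Joe makes in his replies above, that unicodePwd can be written over LDAP but never read back, and that the DIT keeps a hash rather than the password, can be made concrete with a short Python script. This is an added example and not code from the thread or from Microsoft. It assumes the change-list shape that the ldap3 library's Connection.modify accepts (the MODIFY_* names are the string constants ldap3 exports), uses a pure-Python MD4 because the NT hash is MD4 over the UTF-16LE password and hashlib's md4 is missing on many OpenSSL 3 builds, and takes the 128-character ceiling from Joe's post rather than from documentation. The sample password is constructed.

```python
import struct

# Ceiling quoted in the thread above; an assumption here, not a documented limit.
MAX_PASSWORD_CHARS = 128


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4. Only needed because hashlib.new('md4') is often unavailable."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for fn, order, shifts, k in rounds:
            for i in range(16):
                r = (-i) % 4  # register being updated: a, d, c, b, a, ...
                t = (v[r] + fn(v[(r + 1) % 4], v[(r + 2) % 4], v[(r + 3) % 4])
                     + x[order[i]] + k) & 0xFFFFFFFF
                v[r] = _lrot(t, shifts[i % 4])
        state = [(s + w) & 0xFFFFFFFF for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """What the DIT keeps for unicodePwd: MD4 of the UTF-16LE password, always 16 bytes.
    (On disk it is additionally encrypted with the DC's password encryption key.)"""
    return md4(password.encode("utf-16-le"))


def encode_unicode_pwd(password: str) -> bytes:
    """Wire form of a unicodePwd value for an LDAP modify: the password wrapped in
    double quotes, then UTF-16LE. The DC rejects it on a non-encrypted connection."""
    if len(password) > MAX_PASSWORD_CHARS:
        raise ValueError(f"password longer than {MAX_PASSWORD_CHARS} characters")
    return f'"{password}"'.encode("utf-16-le")


def password_reset_changes(new_password: str) -> dict:
    """Administrative reset: one replace. Needs the 'Reset Password' right on the object."""
    return {"unicodePwd": [("MODIFY_REPLACE", [encode_unicode_pwd(new_password)])]}


def password_change_changes(old_password: str, new_password: str) -> dict:
    """Self-service change: delete the old value and add the new one in a single
    modify, so the DC verifies the old password instead of a privilege."""
    return {"unicodePwd": [
        ("MODIFY_DELETE", [encode_unicode_pwd(old_password)]),
        ("MODIFY_ADD", [encode_unicode_pwd(new_password)]),
    ]}


if __name__ == "__main__":
    pw = "password"  # constructed sample
    print("unicodePwd value :", encode_unicode_pwd(pw).hex(), len(encode_unicode_pwd(pw)), "bytes")
    print("stored NT hash   :", nt_hash(pw).hex(), len(nt_hash(pw)), "bytes")
    print("reset changes    :", password_reset_changes(pw))
```

In practice the change dict is passed as `conn.modify(user_dn, changes)` over LDAPS (port 636) or a sealed SASL bind; a subsequent `conn.search(user_dn, "(objectClass=*)", attributes=["unicodePwd"])` returns the entry with no such attribute, which is the write-only behaviour Joe describes. The size answer to Tim's question is therefore two numbers: the value you write is 2 * (len(password) + 2) bytes, and what is stored is a fixed 16-byte hash.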