Sign in
 
HomeWindows Server “8” Beta20082003LibraryForums
Windows Server TechCenter > Windows Server Forums > Directory Services > Forum FAQ: How is user password of user objects stored in Active Directory? Can I view it? Can I modify it?

Discussion Forum FAQ: How is user password of user objects stored in Active Directory? Can I view it? Can I modify it?

    •  
      Monday, February 22, 2010 6:28 AM
       
       
      Sign In to Vote
      0
      Sign In to Vote

      Question

       

      Some customers would like to know how the user password is stored in Active Directory and how to view and modify it.

       

       

      Answer

       

      The users' password hash is stored in the Active Directory on a user object in the unicodePwd attribute. Instead of storing your user account password in clear-text, Windows generates and stores user account passwords by using two different password representations, generally known as "hashes." When you set or change the password for a user account to a password that contains fewer than 15 characters, Windows generates both a LAN Manager hash (LM hash) and a Windows NT hash (NT hash) of the password. These hashes are stored in the local Security Accounts Manager (SAM) database or in Active Directory.

       

      This unicodePwd attribute can be written under restricted conditions, but it cannot be read due to security reasons. The attribute can only be modified; it cannot be added on object creation or queried by a search. In order to modify this attribute, the client must have a 128-bit Secure Socket Layer (SSL) connection to the server. For this connection to be possible, the server must possess a server certificate for a 128-bit RSA connection, the client must trust the certificate authority (CA) that generated the server certificate, and both client and server must be capable of 128-bit encryption.

       

      More Information

       

      How To Change a Windows 2000 User's Password Through LDAP

      http://support.microsoft.com/default.aspx?scid=kb;EN-US;269190

       

      How to set a user's password with Ldifde

      http://support.microsoft.com/default.aspx?scid=kb;EN-US;263991

       

      Should you worry about password cracking?

      http://blogs.technet.com/jesper_johansson/archive/2005/10/13/410470.aspx

       

      How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases

      http://support.microsoft.com/kb/299656

       

      Applies to

       

      Windows Server 2003/R2, Windows Server 2008/R2