View Password History - Active Directory

    Question

  • Hi all,
    I am the administrator of 500 users. I want to view the password hashes of my users. How can I do it? I know Windows saves the users' passwords in hash format. Which hash format is used and how secure is it? How does the administrator use the Password History feature? How does Windows check the previous passwords stored in the password history? Can you please help me with the same by explaining the process? Note that my query is with respect to Active Directory users.
    Tuesday, April 14, 2009 1:19 PM

Answers

  • Password history compliance is determined based on the comparison of password hashes...

    hth
    Marcin
    Tuesday, April 14, 2009 7:14 PM
  • Hi,

    Before going further, let’s clarify how Windows stores passwords.

    Instead of storing your user account password in clear-text, Windows generates and stores user account passwords by using two different password representations, generally known as "hashes." When you set or change the password for a user account to a password that contains fewer than 15 characters, Windows generates both a LAN Manager hash (LM hash) and a Windows NT hash (NT hash) of the password. These hashes are stored in the local Security Accounts Manager (SAM) database (C:\Windows\System32\config\SAM file) or in Active Directory (C:\Windows\NTDS\ntds.dit file on DCs).

    You can force Windows to use NT Hash password. For detailed information, please refer to the following article.
    How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases
    http://support.microsoft.com/kb/299656

    After you configure Password History, the Active Directory service will check the password hashes stored in the AD database to determine if the user meets the requirement. The administrator doesn’t need to view or use the password hashes.

    Regarding the security of password, the following article may be helpful.

    Should you worry about password cracking?
    http://blogs.technet.com/jesper_johansson/archive/2005/10/13/410470.aspx

    Thanks.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Wednesday, April 15, 2009 7:16 AM

All replies

  • Either SHA-1 or MD5; both are very secure and only one-way. What password history feature are you talking about?
    Tuesday, April 14, 2009 1:43 PM