Domain Password History

  • Question

  • Hi Admins, this might be a simple question but I cannot find the answer when searching. 

    I am working with PCI DSS certification, and one item asks for users to be forced to change their password every 90 days. This has been set already. My question is, where do I see the password history for a particular user? I understand that this will not be displayed as plain text, but as hashes. Where can I find this information please? Thank you. 


    Saturday, September 19, 2015 8:17 PM

All replies

  • The password history is stored in two attributes:

    • lmPwdHistory  for the LM Hashes
    • ntPwdHistory for the NT Hashes

    Of course you cannot read them and there is no API exposing them. Now I am not sure what you are going to use this information for. You cannot read them, so you can't even tell how many are in it...

    If you want to know when the last time was that a user changed their password, you can read the pwdLastSet attribute, which is readable. If you want to know how many times a user changed their password, or in other words, how many times the password of a user changed, you can read the replication metadata of the unicodePwd attribute. In PowerShell it will look like:

    Get-ADUser -Identity bob | Get-ADReplicationAttributeMetadata -server DC01 -Attribute unicodePwd | Select Object, Version, LastOriginatingChangeTime

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Saturday, September 19, 2015 11:32 PM
  • Thanks Pierre. I just need the screenshot for the PCI DSS auditors. They asked for that screenshot as evidence that Active Directory remembers at least four previous passwords, so when a user changes it, AD will not allow a previously used password. 

    Where can I view "lmPwdHistory for the LM Hashes" please so I can get a screenshot? Thank you. 

    Sunday, September 20, 2015 2:07 PM
  • Take a screenshot of the output from: 

    Get-ADDefaultDomainPasswordPolicy

    e.g.

    Mike Crowley | MVP
    My Blog -- Baseline Technologies

    Sunday, September 20, 2015 2:50 PM
  • Hi Mike, I already have that. Thanks. What I need is a screenshot that shows AD remembers a history of at least four passwords. 

    Something that shows previous passwords from users in hash form. 

    The password history is stored in two attributes:

    • lmPwdHistory  for the LM Hashes
    • ntPwdHistory for the NT Hashes

    Where and how can I view the contents of lmPwdHistory please? 

    Sunday, September 20, 2015 5:07 PM
  • The PasswordHistoryCount from the above is exactly what you're asking for. In the example above, it's 24.

    Mike Crowley | MVP
    My Blog -- Baseline Technologies

    Sunday, September 20, 2015 5:12 PM
  • You can't.

    These are not exposed. If you want to crack your AD database, then this is not the right forum anymore :)


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Sunday, September 20, 2015 9:18 PM
  • Hi Mike, I already have that. Thanks. What I need is a screenshot that shows AD remembers a history of at least four passwords. 

    Something that shows previous passwords from users in hash form. 

    The password history is stored in two attributes:

    • lmPwdHistory  for the LM Hashes
    • ntPwdHistory for the NT Hashes

    Where and how can I view the contents of lmPwdHistory please? 

    If I am not wrong, you cannot read the hashes for security reasons. 

    This question has been asked quite a few times on this forum as well, and the conclusion is that the hashes cannot be read.

    Check out this thread which is quite similar on what you are trying to achieve:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/63e3cf2d-f186-418e-bc85-58bdc1861aae/view-password-hash-in-active-directory?forum=winserverfiles


    Every second counts..make use of it. Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
    IT Stuff Quick Bytes

    Monday, September 21, 2015 1:01 AM
  • Not sure what happened to my previous reply, but the field you're asking about is PasswordHistoryCount and it is indeed shown above. In this case, it has a value of 24.

    Mike Crowley | MVP
    My Blog -- Baseline Technologies

    Monday, September 21, 2015 5:48 PM
  • Hi Mike and cguan. I am not looking to crack those passwords. All I need is a screenshot that shows those passwords are remembered and hashed by Active Directory. That is what the PCI DSS auditors want. Something like below.

    User1

    Pass1 3r23933299(hashed)

    Pass2 3323243242(hashed)

    Pass3 3323243243(hashed)

    Pass4 efdsfdsf2342(hashed)

    Where can I get that screenshot please?

    Thursday, September 24, 2015 5:31 PM
  • I am positive PCI compliance does not require this, but I did find a tool that might expose the hash values:

    search this article for: "The credentials section in the graphic above shows the current NTLM hashes as well as the password history"

    Mike Crowley | MVP
    My Blog -- Baseline Technologies

    Tuesday, October 13, 2015 9:27 PM
  • Great, helped a lot!

    Get-ADUser -filter {enabled -eq $True -and samaccountname -notlike 'svc*'} | Get-ADReplicationAttributeMetadata -server localhost -Attribute unicodePwd | Select Version,LastOriginatingChangeTime,Object | Export-Csv -Path c:\temp\test.csv -NoTypeInformation

    Wednesday, June 3, 2020 7:08 PM
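The approach Pierre describes (pwdLastSet plus the unicodePwd replication metadata) and the last poster's export, combined into one evidence script. This is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module and a placeholder DC name DC01, and it also requests ntPwdHistory/lmPwdHistory only to show that the DC returns nothing for them.

```powershell
# Added example: collect password-control evidence (policy + per-user state) from AD.
# Assumptions: RSAT ActiveDirectory module installed; DC01 is a placeholder DC name.
Import-Module ActiveDirectory

$Dc         = 'DC01'   # assumption: replace with a DC in your domain
$MaxAgeDays = 90       # the rotation interval discussed in the thread

# 1. Domain-wide policy: PasswordHistoryCount is the "remembered passwords" control.
$policy = Get-ADDefaultDomainPasswordPolicy -Server $Dc
[pscustomobject]@{
    PasswordHistoryCount = $policy.PasswordHistoryCount
    MaxPasswordAgeDays   = $policy.MaxPasswordAge.TotalDays
    MinPasswordLength    = $policy.MinPasswordLength
    ComplexityEnabled    = $policy.ComplexityEnabled
} | Format-List

# 2. Per-user evidence: pwdLastSet is readable; the replication metadata of
#    unicodePwd carries a Version that counts how often the password was set.
#    ntPwdHistory/lmPwdHistory are secret attributes and are never returned.
$nowUtc = (Get-Date).ToUniversalTime()
$report = Get-ADUser -Server $Dc -Filter 'Enabled -eq $true' `
            -Properties pwdLastSet, ntPwdHistory, lmPwdHistory |
  ForEach-Object {
    $meta = Get-ADReplicationAttributeMetadata -Object $_.DistinguishedName -Server $Dc `
              -Attribute unicodePwd -ErrorAction SilentlyContinue
    # pwdLastSet is a FILETIME; 0 means "must change at next logon"
    $lastSet = $null; $ageDays = $null
    if ($_.pwdLastSet -gt 0) {
        $lastSet = [datetime]::FromFileTimeUtc($_.pwdLastSet)
        $ageDays = [int]($nowUtc - $lastSet).TotalDays
    }
    [pscustomobject]@{
        SamAccountName        = $_.SamAccountName
        PasswordLastSetUtc    = $lastSet
        PasswordAgeDays       = $ageDays
        PasswordChangeCount   = $meta.Version                  # null if metadata unreadable
        LastPasswordChangeUtc = $meta.LastOriginatingChangeTime
        HistoryAttrsReturned  = ($null -ne $_.ntPwdHistory -or $null -ne $_.lmPwdHistory) # expected False
        OverMaxAge            = ($null -ne $ageDays -and $ageDays -gt $MaxAgeDays)
    }
  }

$report | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
$report | Export-Csv -Path "$env:TEMP\password-evidence.csv" -NoTypeInformation
```

Rows with OverMaxAge set to True are the accounts that violate the 90-day control and are worth reviewing before the audit; HistoryAttrsReturned staying False for every user is itself the evidence that the stored history hashes are not exposed.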