none
Forum FAQ: How is user password of user objects stored in Active Directory? Can I view it? Can I modify it?

    General discussion

  • Question

     

    Some customers would like to know how the user password is stored in Active Directory and how to view and modify it.

     

     

    Answer

     

    The users' password hash is stored in the Active Directory on a user object in the unicodePwd attribute. Instead of storing your user account password in clear-text, Windows generates and stores user account passwords by using two different password representations, generally known as "hashes." When you set or change the password for a user account to a password that contains fewer than 15 characters, Windows generates both a LAN Manager hash (LM hash) and a Windows NT hash (NT hash) of the password. These hashes are stored in the local Security Accounts Manager (SAM) database or in Active Directory.

     

    This unicodePwd attribute can be written under restricted conditions, but it cannot be read due to security reasons. The attribute can only be modified; it cannot be added on object creation or queried by a search. In order to modify this attribute, the client must have a 128-bit Secure Socket Layer (SSL) connection to the server. For this connection to be possible, the server must possess a server certificate for a 128-bit RSA connection, the client must trust the certificate authority (CA) that generated the server certificate, and both client and server must be capable of 128-bit encryption.

     

    More Information

     

    How To Change a Windows 2000 User's Password Through LDAP

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;269190

     

    How to set a user's password with Ldifde

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;263991

     

    Should you worry about password cracking?

    http://blogs.technet.com/jesper_johansson/archive/2005/10/13/410470.aspx

     

    How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases

    http://support.microsoft.com/kb/299656

     

    Applies to

     

    Windows Server 2003/R2, Windows Server 2008/R2
    Monday, February 22, 2010 6:28 AM

All replies

  • For those who like to dig deeper, here is a complete list of password hashes stored in ntds.dit files:

    • MD4 (aka NT Hash) - Used for NTLM authentication.
    • LM Hash - Disabled by default since Windows Server 2003 (for a very good reason). Used for LM authentication.
    • DES_CBC_MD5 - Salted with user logon name and hashed 4096 times using MD5. Used for Kerberos authentication.
    • AES256_CTS_HMAC_SHA1_96, AES128_CTS_HMAC_SHA1_96 - Used for Kerberos authentication since Windows Server 2008. Salted with user logon name and hashed 4096 times using HMAC-SHA1.
    • 29 MD5 hashes, each using a different combination of login and domain name. Used for WDigest authentication
    • Reversibly encrypted cleartext password - Disabled by default. Required by MS-CHAPv1 RADIUS authentication.
    If you want to see those hashes for yourself, you can use the DSInternals PowerShell Module I have created for this purpose.
    Sunday, October 25, 2015 10:57 AM