Forum FAQ: How is user password of user objects stored in Active Directory? Can I view it? Can I modify it?

  • Question

    Some customers would like to know how the user password is stored in Active Directory and how to view and modify it.

    Answer

    The user's password hash is stored in Active Directory on the user object, in the unicodePwd attribute. Instead of storing your user account password in clear text, Windows generates and stores user account passwords by using two different password representations, generally known as "hashes." When you set or change the password for a user account to a password that contains fewer than 15 characters, Windows generates both a LAN Manager hash (LM hash) and a Windows NT hash (NT hash) of the password. These hashes are stored in the local Security Accounts Manager (SAM) database or in Active Directory.

    This unicodePwd attribute can be written under restricted conditions, but it cannot be read, for security reasons. The attribute can only be modified; it cannot be added on object creation or queried by a search. In order to modify this attribute, the client must have a 128-bit Secure Sockets Layer (SSL) connection to the server. For this connection to be possible, the server must possess a server certificate for a 128-bit RSA connection, the client must trust the certificate authority (CA) that issued the server certificate, and both client and server must be capable of 128-bit encryption.

    More Information

    How To Change a Windows 2000 User's Password Through LDAP

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;269190

    How to set a user's password with Ldifde

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;263991

    Should you worry about password cracking?

    http://blogs.technet.com/jesper_johansson/archive/2005/10/13/410470.aspx

    How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases

    http://support.microsoft.com/kb/299656

    Applies to

    Windows Server 2003/R2, Windows Server 2008/R2
    Monday, February 22, 2010 6:28 AM
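As an added example (not from the forum post or the linked KB articles), the following Python builds the LDIF records that ldifde would import to reset or change unicodePwd, showing the value encoding the attribute requires: the password wrapped in double quotes, encoded as UTF-16LE, then base64-encoded for LDIF. The DN and passwords are constructed placeholders; the import itself still has to go over the 128-bit SSL connection described above.

```python
import base64


def encode_unicode_pwd(password: str) -> bytes:
    # unicodePwd expects the password wrapped in double quotes and encoded as
    # UTF-16LE (no BOM, no terminator); the quotes are part of the value.
    return f'"{password}"'.encode("utf-16-le")


def ldif_base64(value: bytes) -> str:
    # LDIF marks base64-encoded values with a double colon ("attr:: ...").
    return base64.b64encode(value).decode("ascii")


def ldif_reset_password(dn: str, new_password: str) -> str:
    # Administrative reset: a single "replace" of unicodePwd. Needs the
    # Reset Password right on the object and an LDAP-over-SSL session.
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {ldif_base64(encode_unicode_pwd(new_password))}",
        "-",
        "",
    ])


def ldif_change_password(dn: str, old_password: str, new_password: str) -> str:
    # User-initiated change: delete the old value and add the new one in the
    # same modify operation, so the server can verify the old password before
    # accepting the new one.
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "delete: unicodePwd",
        f"unicodePwd:: {ldif_base64(encode_unicode_pwd(old_password))}",
        "-",
        "add: unicodePwd",
        f"unicodePwd:: {ldif_base64(encode_unicode_pwd(new_password))}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample DN and password; the file would be imported with
    # ldifde -i -f <file> -t 636 (636 = LDAP over SSL).
    print(ldif_reset_password("CN=Test User,OU=Staff,DC=example,DC=com", "newPassword"))
```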

All replies

  • For those who like to dig deeper, here is a complete list of password hashes stored in ntds.dit files:

    • MD4 (aka NT Hash) - Used for NTLM authentication.
    • LM Hash - Disabled by default since Windows Server 2003 (for a very good reason). Used for LM authentication.
    • DES_CBC_MD5 - Salted with user logon name and hashed 4096 times using MD5. Used for Kerberos authentication.
    • AES256_CTS_HMAC_SHA1_96, AES128_CTS_HMAC_SHA1_96 - Used for Kerberos authentication since Windows Server 2008. Salted with user logon name and hashed 4096 times using HMAC-SHA1.
    • 29 MD5 hashes, each using a different combination of login and domain name. Used for WDigest authentication.
    • Reversibly encrypted cleartext password - Disabled by default. Required by MS-CHAPv1 RADIUS authentication.
    If you want to see those hashes for yourself, you can use the DSInternals PowerShell Module I have created for this purpose.
    Sunday, October 25, 2015 10:57 AM
  • Sir,

    Could you please tell us the new password encryption system of Windows 10 after its anniversary update?

    Regards,

    kadari shivraj

    Friday, March 9, 2018 7:13 AM
  • Thanks for posting the above explanation Michael,

    That is the clearest explanation of this topic I have seen, and I love the DSInternals module :)

    The above makes sense to me, and this is what I see when I look inside the database, so it all makes sense to me.

    However, when I look at other sites that talk about RC4, like the following link for example:

    http://www.activedir.org/thread/active-directory-password-storage-specifics/

    I think of RC4 as a stream encryption protocol and not a hashing protocol, as also noted here: https://en.wikipedia.org/wiki/RC4

    I know you can use a stream cypher as a block cypher (by dividing up streams of bytes into pre-defined block sizes), but normally it is better to use a cypher designed as a block cypher in the first place (I believe).

    Therefore, when people say the user's password is stored in AD using RC4, it occurs to me this is incorrect, or was the RC4 cypher used as a block cypher in earlier versions of Windows and would therefore be used in place in your Kerberos example below, or am I misunderstanding something?

    • MD4 (aka NT Hash) - Used for NTLM authentication.
    • LM Hash - Disabled by default since Windows Server 2003 (for a very good reason). Used for LM authentication.
    • DES_CBC_MD5 - Salted with user logon name and hashed 4096 times using MD5. Used for Kerberos authentication.
    • AES256_CTS_HMAC_SHA1_96, AES128_CTS_HMAC_SHA1_96 - Used for Kerberos authentication since Windows Server 2008. Salted with user logon name and hashed 4096 times using HMAC-SHA1.
    • 29 MD5 hashes, each using a different combination of login and domain name. Used for WDigest authentication.
    • Reversibly encrypted cleartext password - Disabled by default. Required by MS-CHAPv1 RADIUS authentication.

    When it comes to MD4, is this used to store the NTLMv2 hash? Above it just mentions the NTLM hash (e.g. could mean the v1 protocol).

    Can you please help me with the above to clarify my understanding please?

    Also, on a related note (to further help me understand): AES is a block cypher using a ‘symmetric key’, and HMAC (hash-based message authentication code) also needs a ‘key’ (symmetric key). So both AES and HMAC require a ‘symmetric’ key to encrypt (and therefore decrypt) the data. Is this key simply derived from the SHA1 hash of the user’s password?

    Thanks very much in advance

    __CAshtones

    Monday, July 30, 2018 9:49 AM
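As an added illustration of the AES Kerberos entries in Michael's list and of the question above about where the HMAC-SHA1 key material comes from (example code, not from the forum or from DSInternals): the AES keys start from PBKDF2 with HMAC-SHA1 over the password and a salt, run for 4096 iterations. The salt form shown (upper-case realm followed by the account name) is the documented default for user accounts; the final AES-based DK step that turns this output into the actual Kerberos key is omitted, and the realm and account names are constructed.

```python
import hashlib

KERBEROS_ITERATIONS = 4096          # default iteration count for the AES enctypes
AES_KEY_BYTES = {128: 16, 256: 32}  # AES128_CTS_HMAC_SHA1_96 / AES256_CTS_HMAC_SHA1_96


def ad_user_salt(realm: str, sam_account_name: str) -> str:
    # Default salt for a user account: the Kerberos realm in upper case
    # followed by the account name exactly as it is spelled (case-sensitive).
    return realm.upper() + sam_account_name


def pbkdf2_stage(password: str, salt: str, key_bits: int = 256) -> bytes:
    # First stage of the AES string-to-key function: PBKDF2 with HMAC-SHA1,
    # 4096 iterations, output length equal to the AES key size. The real
    # Kerberos key is then derived from this value with an AES-based
    # DK(tmpkey, "kerberos") step, which this example omits.
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), KERBEROS_ITERATIONS,
                               AES_KEY_BYTES[key_bits])


def keys_for_same_password(password: str, realm: str, users: list[str]) -> dict[str, str]:
    # Derive the PBKDF2 output for several accounts that share one password.
    # Because the salt embeds the account name, every result differs, unlike
    # the unsalted NT hash, which would be identical for all of them.
    return {u: pbkdf2_stage(password, ad_user_salt(realm, u)).hex() for u in users}


if __name__ == "__main__":
    # Constructed realm and account names; note that "alice" and "Alice"
    # get different salts and therefore different key material.
    derived = keys_for_same_password("Winter2018!", "example.com", ["alice", "bob", "Alice"])
    for user, key in derived.items():
        print(f"{user:6} {key}")
```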