Re: can an AD password be read?

From: jgershater (jgershater_at_discussions.microsoft.com)
Date: 12/15/04


Date: Tue, 14 Dec 2004 17:19:01 -0800

So what does this "reversible encryption" setting mean?
It seems to imply that p/w are stored in plaintext, so thus they should be
readable, no?
Please provide a more detailed answer - Thank You

Store password using reversible encryption for all users in the domain
Computer Configuration\Windows Settings\Security Settings\Account
Policies\Password Policy

Description
Determines whether Windows 2000 will store passwords using reversible
encryption.

The intent of this policy is to provide support for applications which use
protocols that require knowledge of the user password for authentication
purposes. Storing passwords using reversible encryption is essentially the
same as storing clear-text versions of the passwords. For this reason, this
policy should never be enabled unless application requirements outweigh the
need to protect password information.

"Joe Kaplan (MVP - ADSI)" wrote:

> No, the attribute is write only.
>
> Joe K.
>
> "jgershater" <jgershater@discussions.microsoft.com> wrote in message
> news:3101A9F0-E0FD-4775-B359-01960A79FF10@microsoft.com...
> >I have been able to connect to AD over SSL and read every attribute, EXCEPT
> > unicodePwd.
> >
> > According to this:
> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/505.asp
> > passwords can be stored in plaintext.
> > Does this mean the password can be read by a Perl program (assuming I
> > connect to AD over SSL)?
> >
> > I ask because according to this, passwords cannot be read:
> > http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q269/1/90.ASP&NoWebContent=1
> >
> >
> >
>
>
>
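
Added example, not part of the original thread: a small offline audit for the setting discussed above. It checks a `secedit /export` template for the domain-wide policy (the `ClearTextPassword` key) and checks exported `userAccountControl` values for the per-account reversible-encryption bit (0x80). The template excerpt, account names and values are constructed for illustration.

```python
# Added example: offline audit for the "reversible encryption" setting.
# All sample data below is constructed, not taken from a real domain.
import configparser

# userAccountControl bits (per-account flags)
UF_ACCOUNTDISABLE = 0x0002
UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x0080  # "store password using reversible encryption"

# LDAP filter using the bitwise-AND matching rule, for a live directory query
LDAP_FILTER = ("(&(objectCategory=person)(objectClass=user)"
               f"(userAccountControl:1.2.840.113556.1.4.803:={UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED}))")

# Constructed excerpt of a security template (real exports are UTF-16; decode first)
SAMPLE_TEMPLATE = """\
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
ClearTextPassword = 1
"""

# Constructed (sAMAccountName, userAccountControl) pairs, as a directory export would give
SAMPLE_USERS = [("alice", 512), ("svc-radius", 640), ("bob", 514), ("old-digest", 642)]


def domain_policy_reversible(template_text):
    """True if the template enables reversible storage for all users in the domain."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written in the template
    cp.read_string(template_text)
    return cp.get("System Access", "ClearTextPassword", fallback="0").strip() == "1"


def flagged_accounts(users):
    """Return (name, enabled) for each account with the per-user flag set."""
    out = []
    for name, uac in users:
        if uac & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED:
            out.append((name, not uac & UF_ACCOUNTDISABLE))
    return out


if __name__ == "__main__":
    print("domain-wide reversible storage:", domain_policy_reversible(SAMPLE_TEMPLATE))
    for name, enabled in flagged_accounts(SAMPLE_USERS):
        print(f"{name}: reversible flag set, enabled={enabled}")
    print("live query filter:", LDAP_FILTER)
```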


