Re: can an AD password be read?

From: jgershater (jgershater_at_discussions.microsoft.com)
Date: 12/15/04


Date: Tue, 14 Dec 2004 17:19:01 -0800

So what does this "reversible encryption" setting mean?
It seems to imply that p/w are stored in plaintext, so thus they should be
readable, no?
Please provide a more detailed answer - Thank You

Store password using reversible encryption for all users in the domain
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy

Description
Determines whether Windows 2000 will store passwords using reversible
encryption.

The intent of this policy is to provide support for applications which use
protocols that require knowledge of the user password for authentication
purposes. Storing passwords using reversible encryption is essentially the
same as storing clear-text versions of the passwords. For this reason, this
policy should never be enabled unless application requirements outweigh the
need to protect password information.

"Joe Kaplan (MVP - ADSI)" wrote:

> No, the attribute is write only.
>
> Joe K.
>
> "jgershater" <jgershater@discussions.microsoft.com> wrote in message
> news:3101A9F0-E0FD-4775-B359-01960A79FF10@microsoft.com...
> > I have been able to connect to AD over SSL and read every attribute, EXCEPT
> > unicodePwd.
> >
> > According to this:
> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/505.asp
> > passwords can be stored in plaintext.
> > Does this mean the password can be read by a Perl program (assuming I
> > connect to AD over SSL)?
> >
> > I ask because according to this, passwords cannot be read:
> > http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q269/1/90.ASP&NoWebContent=1
> >
> >
> >
>
>
>
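
An audit for the setting discussed in this thread, added here as an example and not part of the original posts: it reports whether reversible password storage is enabled in the default domain policy or any fine-grained policy, and lists accounts carrying the per-user `ENCRYPTED_TEXT_PWD_ALLOWED` flag (bit 0x80 of `userAccountControl`). It assumes the ActiveDirectory PowerShell module (RSAT) and an account with read access to the domain.

```powershell
# Added example: find where reversible password storage is allowed.
# Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

$findings = @()

# 1. Domain-wide "Store password using reversible encryption" setting.
$domain = Get-ADDomain
$policy = Get-ADDefaultDomainPasswordPolicy
$findings += [pscustomobject]@{
    Scope      = 'Default domain policy'
    Name       = $domain.DNSRoot
    Reversible = [bool]$policy.ReversibleEncryptionEnabled
    PwdLastSet = $null
}

# 2. Fine-grained password policies can enable it for a subset of users.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Where-Object { $_.ReversibleEncryptionEnabled } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Scope      = 'Fine-grained policy'
            Name       = $_.Name
            Reversible = $true
            PwdLastSet = $null
        }
    }

# 3. Per-account flag: userAccountControl bit 0x80 (decimal 128),
#    matched server-side with the LDAP bitwise-AND matching rule.
$flagFilter = '(&(objectCategory=person)(objectClass=user)' +
              '(userAccountControl:1.2.840.113556.1.4.803:=128))'
Get-ADUser -LDAPFilter $flagFilter -Properties pwdLastSet |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Scope      = 'User flag'
            Name       = $_.SamAccountName
            Reversible = $true
            # pwdLastSet is a Windows FILETIME; 0 means "must change at next logon".
            PwdLastSet = [datetime]::FromFileTimeUtc([int64]$_.pwdLastSet)
        }
    }

$findings | Sort-Object Scope, Name | Format-Table -AutoSize
```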