Any way to view users' passwords in Server 2003 AD?



Is there any way to view users' passwords in Server 2003 AD?

We run a Server 2003 SP2 domain. We administrators have a list of all users' 
passwords on a spreadsheet, locked up. We need their passwords in the event we 
must sign onto their computers as an admin while they are away; we log back 
into the computer with their user name/password when done. You would be 
surprised how many people "do not" look at the user name when they log on - 
we had panic --- "I cannot log in"; we go to their desktop and the user name 
is that of one of the administrators - user did not look.

So the problem is when they change their passwords --- we ask for their new 
password. We were searching around the net and so far found no way to view 
their passwords in AD. Just wondering if there is something we are 
missing: does anyone know a way to view users' passwords in AD 2003? And this is 
all legit; users and managers know that we have and need their passwords --- 
we are trustworthy in our shop.

Thanks,
Bob

0
Reply Utf 4/28/2010 2:35:02 PM

Hello Bob,

No, the passwords aren't viewable; they are stored in a hash. And for god 
this isn't possible. Me as a user wouldn't like that someone knows my password.

If you have the need for logon, that's why you are admin and can do what you 
like on the machine. Even if a user is logged in as an admin you can kick 
him out without any problem.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers 
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm 



0
Reply Meinolf 4/28/2010 5:11:17 PM


As noted, you cannot retrieve the passwords from AD. No user should ever 
tell you what their password is. If a user tells you their password, you 
should require that they change it immediately. This has nothing to do with 
how trustworthy you are. You don't want to know users' passwords, and you 
certainly don't want to store them anywhere.

Most things an administrator needs to do on a computer can be done remotely. 
If an administrator must log into a workstation, users will just need to pay 
attention.

-- 
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net

0
Reply Richard 4/28/2010 7:08:48 PM


As Meinolf and Richard stated, this is not possible.

If it were possible, I don't believe AD would be a viable and secure
product to run a secure environment and not many would consider its
use.


Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
0
Reply Ace 4/28/2010 8:43:14 PM

Although the MVPs who have chimed in are correct for normal situations,
I have heard plenty of use cases where it would be completely
valid for the admins to know every user's password. This is typically
the case where the information worker staff is highly transitory or
performing some trivial task.

If the admins do have a valid case for persisting user passwords then
you can install a password filter/notification DLL on your domain
controllers. This does not allow you to retrieve existing passwords,
but will allow you to collect them as they are created and changed.
This is typically a development task which consists of compiling the
SDK sample (assuming you can still find it) but there may be freeware
versions out there.

HTH,
Dave
0
Reply DaveMo 4/29/2010 3:22:20 PM
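
A defender's counterpart to the password filter mentioned in the post above, as an added example that is not part of the original thread: a registered filter/notification package sees each new password as it is set, so the packages registered on every domain controller are worth checking against a baseline. The `$Allowed` list is an assumed baseline (not taken from the thread); the script reads the `Notification Packages` value under the LSA registry key, where Windows registers these DLLs.

```powershell
# Added example: inventory LSA password filter / notification packages on this machine.
# Run locally on each domain controller with administrative rights.
# $Allowed is an ASSUMED baseline; replace it with what your own build ships.
$Allowed = @('scecli', 'rassfm', 'kdcsvc')   # -contains compares case-insensitively

$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valName  = 'Notification Packages'          # REG_MULTI_SZ, one DLL base name per entry
$packages = @((Get-ItemProperty -Path $lsaKey -Name $valName).$valName) |
    Where-Object { $_ }                      # drop empty strings

$report = foreach ($name in $packages) {
    # LSA loads <name>.dll from System32; the registry entry carries no extension.
    $dll    = Join-Path $env:SystemRoot "System32\${name}.dll"
    $exists = Test-Path -LiteralPath $dll
    $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $dll } else { $null }
    $file   = if ($exists) { Get-Item -LiteralPath $dll } else { $null }

    [pscustomobject]@{
        Package   = $name
        Allowed   = $Allowed -contains $name
        Exists    = $exists
        Signature = if ($sig) { [string]$sig.Status } else { 'n/a' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Modified  = if ($file) { $file.LastWriteTimeUtc } else { $null }
        Path      = $dll
    }
}

$report | Format-List

# Anything outside the baseline, missing on disk, or without a valid signature gets a second look.
$review = @($report | Where-Object { -not $_.Allowed -or -not $_.Exists -or $_.Signature -ne 'Valid' })
if ($review.Count -gt 0) {
    Write-Warning ("{0} package(s) need review: {1}" -f $review.Count, (($review | ForEach-Object { $_.Package }) -join ', '))
}
```

A non-`Valid` signature status is a prompt for review rather than a verdict; catalog-signed system files may not report as `Valid` on older PowerShell versions.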
I guess I have seen similar situations, like classroom training sessions, or 
a temporary contractor. Perhaps it would be easier in these cases to not 
allow the user to change their password. They would use the password you 
initially provide. Just recognize that the account could be one where many 
people potentially know the password, so it should be restricted. You could 
reset the password just before giving the new password to the user, then 
reset it when the user is finished, or reset it yourself periodically and 
communicate the new password to the user.

-- 
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
-- 


0
Reply Richard 4/29/2010 3:44:47 PM
