Showing users password in: Active Directory Users and Computers

Mikkelrompe

Hi

I'm working as a network user administrator in an enterprise. The software that I am currently using to manage the accounts and users is: Active Directory Users and Computers Version 6.1.7601.17514.
As we all know, humans are not infallible. Sometimes users forget their password, and contact me. The only way for me to do something about that is to reset the user's password and e-mail it to them (as far as I know).

Issue: Is there a way to show the users' current passwords?
 
I have to be honest I don't think you can, but I would be disgusted if you could.

As far as I am aware all users' passwords on AD are encrypted so you never get to see the password, and only the user should know the password.
This allows you to have an IT policy and accountability when a certain user account performs an action that is against the IT policy.
And a log is kept of all password resets so you know which admin reset their password.
Without this type of basic security your entire operation is open to major abuse.

As I said I don't think you can, but that is not a 100% fact answer, just basic logical thinking.


I also don't see your point in needing to find out this information.
As surely it would take just as long to check what they set their password to, as it does to reset the password.
If they keep forgetting their password, set up a password management system, so that the users can reset their own password, without the need to bother you ;)
 
Been using AD for a little while in a basic way at 2 places I've worked now, and neither place allowed passwords to be visible. Like Frosty said, pretty sure it's just not possible (and I agree with him, I would be disappointed if you could enable that option).
 
AD passwords are hashed in the SAM file. You'll want to protect this file on your domain as it can be brute forced by use of rainbow tables. Also, Windows desktops usually cache passwords for when the PC cannot contact a domain controller.

It is my personal policy to never email passwords in clear text. I would call them and leave a voicemail if necessary.

Keep in mind, AD has the option to force the user to change their password at next login. This can be used to make the password you set temporary and allow the user to reset it to something of their liking.
 
Thanks for quick and constructive replies! I really had not thought about it that way before (as I am new to this kind of business). As you said, the potential for misuse is absolutely present. The best solution then, I think, will be to add a self-service password resetting function. This will probably ease up on the workload a bit as well. Again, thanks :)
 
I think many websites have a good setup for self-serve password resets. The user clicks forgot password, they may need to provide some personal info to authenticate the user, then an email is sent to the email on file, and the user clicks a link to get a prompt to reset the password.
 