How can i get the password for a user from Active Directory
问题:
回答1:
Simple, you cannot. Passwords are not stored in nearly all authentication systems. Instead, they are converted into a 'hash' that is stored instead. Then, when you want to prove that you know the password, you convert the password you type into a hash using the same algorithm and compare that to the stored data.
Some use public/private keys to perform the hashing, some use alternative algorithms. None of them can "un-convert" the hash back into the original password.
回答2:
Administrators do not have access to users passwords, only the ability to change them.
回答3:
You'll need administrative access to a domain controller to get the hashes. You'll then need to use a hash cracker, such as Cain, to see if you can recover the passwords. If the password is not simple, this could take days or years.
Note that this is illegal in most situations, and it's usual to reset passwords rather than recover them.
回答4:
You cannot get the password stored in Active Directory because they are stored as hashes. The only time you can learn of a password in Active Directory is when it is being set, but for that you need a password filter in place, and to put the paassword filter in place, you have to be an admin on a Domain Controller.
You can also not change a user's password because changing a password requires that you know the user's existing password. You can only reset a user's password, but for that you need to have Reset Password rights on the user account.
Resetting a user's password is an administrative task that is often delegated to junior administrators, and in most cases delegated admins can reset user account passwords.
If interested, there is a good discussion about the difference between changing an Active Directory user account password and resetting an Active Directory user account password here:
http://www.activedirsec.org/t43140076/what-is-the-difference-between-the-change-password-and-reset/
回答5:
By default active directory is configured to utilize a hashed algorithm to store user passwords. You can however override that default and utilize symmetric (reversible) encryption instead. This does allow for the password to be retrieved via the standard APIs available. Here's a link on symmetric encryption with AD.
In addition, as another poster mentioned you can utilize a password filter to capture password changes and the new passwords when users change them. Other than that passwords must be reset. Hashes are not meant to be broken or recovered, thats the whole point.
回答6:
Programmatically through supported API's you can't read the passwords from Active Directory but you can get to the passwords at the point in time when they are set by implementing a Password Filter.
回答7:
I doubt very much if this is possible considering it is a password. But you might have better luck asking this in ServerFault?
I'm not sure if you will be able to get access, but once its out of beta you'll be able to register.