Show an Active Directory Password?
Mac Elite
Join Date: Jan 2005
Hey there, I have admin access to a Win2K SBS box. I want to know if there is any tool to view a user's Active Directory account password... I would like to log on to some machines to troubleshoot (since the problem only happens as a user, not as an admin) but don't want to be changing passwords.
Let me know if this is possible at all... Of course Microsoft said AD can't be cracked.. blah.
Mac Elite
Join Date: Oct 1999
Location: San Jose, Ca
Why don't you simply create a non-admin test user? Cracking your end users' passwords is never a good idea. If there is something you are trying to do without your end user knowing it, it is probably not a good idea.
Administrator 
Join Date: Apr 2001
Location: San Antonio TX USA
Active Directory uses Kerberos for password authentication. If you have a few supercomputers lying around doing nothing and the users used particularly short passwords, you might crack them. They ARE computationally secure.
And not only is cracking passwords a bad idea from a security standpoint, it can be against your company's policy, and it can be seen as hacking, even if you're supposed to be fixing something. Do what larkost says and create a new user. If the problem doesn't crop up when that user account is used, get with the people who reported it and tell 'em you're going to reset their passwords. Being up front about any password stuff is much better than hiding what you're doing.
Glenn -----
OTR/L, MOT, Tx
Clinically Insane
Join Date: Mar 2001
Location: yes
Originally Posted by ghporter
Active Directory uses Kerberos for password authentication. If you have a few supercomputers lying around doing nothing and the users used particularly short passwords, you might crack them. They ARE computationally secure.
And not only is cracking passwords a bad idea from a security standpoint, it can be against your company's policy, and it can be seen as hacking, even if you're supposed to be fixing something. Do what larkost says and create a new user. If the problem doesn't crop up when that user account is used, get with the people who reported it and tell 'em you're going to reset their passwords. Being up front about any password stuff is much better than hiding what you're doing.
Just FYI, Active Directory does not use MIT Kerberos, but its own modified Microsoft version of Kerberos that is based on MIT.
Mac Elite
Join Date: Jan 2005
Didn't even think of that. I will try the new user, thanks. I was doing this more of a convenience so they didn't need to change their passwords back, but I'll do that if necessary.
Administrator 
Join Date: Apr 2001
Location: San Antonio TX USA
Originally Posted by besson3c
Just FYI, Active Directory does not use MIT Kerberos, but its own modified Microsoft version of Kerberos that is based on MIT.
From the standpoint of someone trying to break a user's password, I don't think there's a functional difference. It's a modification in the protocols to exchange hashes if I read things correctly, not in the hashing itself. In any case, at the desktop level the difference is trivial; nobody is going to casually break such a password.
Glenn -----
OTR/L, MOT, Tx
Mac Elite
Join Date: Oct 1999
Location: San Jose, Ca
Rather than attacking the Kerberos part of it, you could just attack the local cache of the password on the machine. Probably a bit easier... but still not a good idea.
Administrator 
Join Date: Apr 2001
Location: San Antonio TX USA
Yeah, any "attack" is a bad idea. Create a new account, check for the problem, if you can't reproduce it, talk to user who reported problem and have THEM SHOW YOU the problem. I've found that it's very interesting how "expected, normal behavior" is seen as a problem when the users don't know as much as they think they do. 
Glenn -----
OTR/L, MOT, Tx