Solved

Obtaining User passwords

Posted on 2006-10-19
Last Modified: 2013-12-04
Is there a tool or a piece of software out there that I can have in my AD domain that will log username and passwords?

Question by:jimmy1264
14 Comments
 
LVL 39

Accepted Solution

by:
redseatechnologies earned 125 total points
ID: 17771795
Hi jimmy1264,

This is verging on a hacking question - in fact, I think it is.

So, the answer is, no, there is no way to log users' passwords from Active Directory.

When I need a user's password, I ask for it, or manually reset it.  If you are not in a position to do the same, then you are not in a position to ask how to bypass your environment.

-red
0
 
LVL 16

Expert Comment

by:legalsrl
ID: 17771937
Agree with RedSea.....

There are plenty of tools available on the internet to sniff out passwords, but I don't want to provide any links to them.

Many good AV tools will also detect and remove these programs automatically.

Why do you need to log username and passwords?

Cheers
Si
0
 

Author Comment

by:jimmy1264
ID: 17774407
We recently let a member of the IT department go. Since before that we kept track of all user passwords on a document, we no longer have them. We need to keep track of them so we can work on their systems when they are away from their desks or on weekends. Trying to avoid door knocking everyone to update the list again.

thanks for the input,

Jim
0
 
LVL 7

Expert Comment

by:Chatable
ID: 17777100
First question - why not just use your domain admin privileges to access their computers?
If you really need this, you might try to check out pwdump2 - which will work on the AD only if you are already a domain admin...
0
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 17778015
I never understood why people would want to record user passwords.

First, it should be regularly changed (making tracking a pain).  Second, it can always be reset if you need to log on as the user (or if they forget it).  Third, it is a really poor security practice to have passwords written down; the more passwords in the one place, the worse that is.

-red
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17786220
You do not need the password records; as pointed out above, what's the point? You can reset a password to a known value anytime you wish. You can also run an audit on passwords: JohnTheRipper and PwDump are a good combination, as is RainbowCrack or OphCrack. There are no tools to "instantly" show you the passes except a keylogger, and if you need the pass in a few minutes or an hour, use a rainbow table, that is if the pass is under 14 chars. If it's longer, then brute-force will be the next step. Writing down the passes in one location is an added and unnecessary security risk.
-rich
0
 
LVL 7

Expert Comment

by:Chatable
ID: 17786845
This kind of issue always makes me wonder why Windows will not allow you to su into any user from Administrator...
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17787974
Runas is more like SU than Sudo, and it's a good start for M$, but it's pretty late in the game, even when win2k first introduced it. Others have written Windows shells that use runas and its API to be "more unix" like in your daily tasks. This is a great site to look at for tools that help you to implement the principle of least privilege:
http://nonadmin.editme.com/ and a link from that site is "sudo for windows" http://sourceforge.net/project/showfiles.php?group_id=143653&package_id=157780&release_id=427299
-rich
0
 
LVL 7

Expert Comment

by:Chatable
ID: 17792952
richrumble - runas will not allow you to execute programs as a certain user without his/her password even if you are system / administrator.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17795038
True, I wasn't thinking :) Indeed, runas is more like su than it is sudo.
-rich
0
 

Author Comment

by:jimmy1264
ID: 17796315
Look at you guys go back and forth...

 - Yes I can use my Domain Admin privileges to log into the computer
 - Yes I can reset the password if I have to work on the computer - Then I would still have to obtain the information verbally from the user to reset the password back because Attorneys don't like change.

When diagnosing a desktop issue, profile corruption, Word, DM5 anomalies, Outlook email folder problems - YOU HAVE to log in as the user, otherwise what's the point.
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 125 total points
ID: 17797614
If the users are logged in, why not try an application like VNC? They remain logged in, and you take over the mouse/keyboard. Then you don't need to know their pass, and they don't need to tell you; it's still a secret. There are many flavors of VNC, some encrypted, some not; still, the principle is the same: you take over their session without logging them off or the need to log in as them. If they are not logged in, verbally get the password from them, or indicate to them that you will reset the pass, and afterward they will have to change it when they log in, and you place a check-box next to the "change password upon next login". Depending on your password policies, they might even be able to use the old pass.
-rich
0
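The reset-and-force-change workflow from the answer above, as an added example that is not part of the original thread: it sets a random temporary password, flags the account to change it at next logon, and writes an audit row that never contains the password. It assumes the RSAT ActiveDirectory module; the function name `Reset-SupportPassword`, the ticket parameter and the log path are hypothetical.

```powershell
# Added example (hypothetical helper); requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Reset-SupportPassword {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,   # sAMAccountName of the user
        [Parameter(Mandatory)][string]$Ticket,     # support ticket reference (assumed convention)
        [int]$Length = 16,
        [string]$AuditLog = 'C:\SupportLogs\password-resets.csv'   # placeholder path
    )

    # 64-character alphabet without look-alikes; 256 % 64 = 0, so the
    # byte-to-character mapping below has no modulo bias.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#%+-=?@'.ToCharArray()
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    $rng.Dispose()
    $temp = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })

    $secure = ConvertTo-SecureString $temp -AsPlainText -Force
    if ($PSCmdlet.ShouldProcess($Identity, 'Reset password and force change at next logon')) {
        # -ErrorAction Stop: if the domain policy rejects the random value,
        # nothing is logged and the call can simply be repeated.
        Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $secure -ErrorAction Stop
        Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true -ErrorAction Stop

        # Record who reset which account and why; the password is never written.
        [pscustomobject]@{
            TimeUtc  = (Get-Date).ToUniversalTime().ToString('o')
            Operator = "$env:USERDOMAIN\$env:USERNAME"
            Account  = $Identity
            Ticket   = $Ticket
        } | Export-Csv -Path $AuditLog -Append -NoTypeInformation

        # Returned once so the technician can log on and then hand it to the user.
        return $temp
    }
}
```

Running it with `-WhatIf` shows the intended change without touching the account.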
 
LVL 1

Expert Comment

by:Computer101
ID: 21101085
Forced accept.

Computer101
EE Admin
0
