Obtaining User passwords

Is there a tool or a piece of software out there that I can have in my AD domain that will log username and passwords?

jimmy1264Asked:
Who is Participating?
 
redseatechnologiesConnect With a Mentor Commented:
Hi jimmy1264,

This is verging on a hacking question - infact, I think it is.

So, the answer is, no, there is no way to log users passwords from active directory.

When I need a users password, I ask for it, or manually reset it.  If you are not in a position to do the same, then you are not in a position to ask how to bypass your environment

-red
0
 
legalsrlCommented:
Agree with RedSea.....

There are plenty of tools available on the internet to sniff out passwords, but I don't want to provide any links to them.

Many good AV tools will also detect and remove these programs automatically.

Why do you need to log username and passwords ?

Cheers
Si
0
 
jimmy1264Author Commented:
We recently let a member of the IT department go. Since before that we kept track of all user passwords on a document, we no longer have them. We need to keep track of them so we can work on their systems when they are away from their desks or on weekends. Trying to avoid door knocking everyone to update the list again.

thanks for the input,

Jim
0
Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

 
ChatableCommented:
First question - why not just use your domain admin privileges to access their computers?
If you really need this, you might try to check out pwdump2 - which will work on the AD only if you are already a domain admin...
0
 
redseatechnologiesCommented:
I never understood why people would want to record user passwords.

First, it should be regularly changed (making tracking a pain).  Second, it can always be reset if you need to log on as the user (or if they forget it).  Third it is a really poor security practice to have passwords written down, the more passwords in the one place, the worse that is.

-red
0
 
Rich RumbleSecurity SamuraiCommented:
You do not need the password records, as pointed out above, what's the point? you can reset a password to a known value anytime you wish, you can also run an audit on passwords, JohnTheRipper and PwDump are a good combination, as is RainbowCrack or OphCrack. There are no tools to "instantly" show you the pass's except a keylogger, and if you need the pass in a few minutes or an hour, use a rainbow table, that is if the pass is under 14 chars. If it's longer, then brute-force will be the next step. Writing down the pass's in one location is an added and unnecessary security risk.
-rich
0
 
ChatableCommented:
This kind of issues always make me wonder why Windows will not allow you to su into any user from Administrator...
0
 
Rich RumbleSecurity SamuraiCommented:
Runas is more like SU than Sudo, and it's a good start for M$, but it's pretty late in the game, even when win2k first introduced it. Others have written windows shells that use runas and it's API to be "more unix" like in your daily tasks, this is a great site to look at for tools that help you to implement the Principal of least privilege:
http://nonadmin.editme.com/ and a link from that site is "sudo for windows" http://sourceforge.net/project/showfiles.php?group_id=143653&package_id=157780&release_id=427299
-rich
0
 
ChatableCommented:
richrumble - runas will not allow you to execute programs as a certain user without his/her password even if you are system / administrator.
0
 
Rich RumbleSecurity SamuraiCommented:
True, I wasn't thinking :) Indeed, runas is more like su than it is sudo.
-rich
0
 
jimmy1264Author Commented:
Look at you guys go back and forth...

 - Yes I can use my Domain Admin privileges to log into the computer
 - Yes I can reset the password if I have to work on the computer - Then I would still have to obtain the information verbally from the user to reset the password back because Attorneys don't like change.

When diagnosing a desktop issue , profile corruption, Word, DM5 anomalies, Outlook email folder problems  - YOU HAVE to log in as the user otherwise what's the point.
0
 
Rich RumbleConnect With a Mentor Security SamuraiCommented:
If the users are logged in, why not try an application like VNC, they remain logged in, and you take over the mouse/keyboard ? Then you don't need to know their pass, and they don't need to tell you, it's still a secret. There are many flavors of VNC, some encrypted some not, still the principal is the same, you take over their session without logging them off or the need to login as them. If they are not logged in, verbally get the password from them, or indicate to them that you will reset the pass, and afterward they will have to change it when they login, and you place a check-box next to the "change password upon next login" depending on your password policies, they might even be able to use the old pass.
-rich
0
 
Computer101Commented:
Forced accept.

Computer101
EE Admin
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.