Solved

Get Password for Active Directory user

Posted on 2008-06-11
Last Modified: 2008-06-12
I am working with Active Directory through ASP.NET 2.0. I need to get one Active Directory user's password using LDAP. I am not sure how to do this. I used the below script, which gave me when the password was last set, whether it was expired, etc. But I need to see the password for that particular Active Directory user.
Option Explicit

Dim objUser, strUserDN, objShell, lngBiasKey, lngBias, k
Dim objRootDSE, strDNSDomain, objDomain, objMaxPwdAge, intMaxPwdAge
Dim objDate, dtmPwdLastSet, lngFlag, blnPwdExpire, blnExpired
Dim lngHighAge, lngLowAge

Const ADS_UF_PASSWD_CANT_CHANGE = &H40
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

' Bind to the user object by its objectGUID.
Set objUser = GetObject("LDAP://<GUID=c64b2d9f-4e41-4528-9573-6bebb0800336>")

' Read the Distinguished Name so the report below can display it.
strUserDN = objUser.Get("distinguishedName")

' Obtain local time zone bias from machine registry.
Set objShell = CreateObject("Wscript.Shell")
lngBiasKey = objShell.RegRead("HKLM\System\CurrentControlSet\Control\" _
    & "TimeZoneInformation\ActiveTimeBias")
If (UCase(TypeName(lngBiasKey)) = "LONG") Then
    lngBias = lngBiasKey
ElseIf (UCase(TypeName(lngBiasKey)) = "VARIANT()") Then
    lngBias = 0
    For k = 0 To UBound(lngBiasKey)
        lngBias = lngBias + (lngBiasKey(k) * 256^k)
    Next
End If

' Determine domain maximum password age policy in days.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
Set objDomain = GetObject("LDAP://" & strDNSDomain)
Set objMaxPwdAge = objDomain.MaxPwdAge

' Account for bug in IADsLargeInteger property methods.
lngHighAge = objMaxPwdAge.HighPart
lngLowAge = objMaxPwdAge.LowPart
If (lngLowAge < 0) Then
    lngHighAge = lngHighAge + 1
End If
' maxPwdAge is a negative count of 100-nanosecond intervals; convert to days.
intMaxPwdAge = -((lngHighAge * 2^32) _
    + lngLowAge)/(600000000 * 1440)

' Retrieve user password information.
Set objDate = objUser.PwdLastSet
dtmPwdLastSet = Integer8Date(objDate, lngBias)
lngFlag = objUser.Get("userAccountControl")
blnPwdExpire = True
If ((lngFlag And ADS_UF_PASSWD_CANT_CHANGE) <> 0) Then
    blnPwdExpire = False
End If
If ((lngFlag And ADS_UF_DONT_EXPIRE_PASSWD) <> 0) Then
    blnPwdExpire = False
End If

' Determine if password expired.
blnExpired = False
If (blnPwdExpire = True) Then
    If (DateDiff("d", dtmPwdLastSet, Now) > intMaxPwdAge) Then
        blnExpired = True
    End If
End If

' Display password information.
Wscript.Echo "User: " & strUserDN & vbCrLf & "Password last set: " _
    & dtmPwdLastSet & vbCrLf & "Maximum password age (days): " _
    & intMaxPwdAge & vbCrLf & "Can password expire? " & blnPwdExpire _
    & vbCrLf & "Password expired? " & blnExpired

' Clean up.
Set objUser = Nothing
Set objShell = Nothing
Set objRootDSE = Nothing
Set objDomain = Nothing
Set objMaxPwdAge = Nothing
Set objDate = Nothing

Function Integer8Date(ByVal objDate, ByVal lngBias)
    ' Function to convert Integer8 (64-bit) value to a date, adjusted for
    ' local time zone bias.
    Dim lngAdjust, lngDate, lngHigh, lngLow
    lngAdjust = lngBias
    lngHigh = objDate.HighPart
    lngLow = objDate.LowPart
    ' Account for bug in IADsLargeInteger property methods.
    If (lngLow < 0) Then
        lngHigh = lngHigh + 1
    End If
    ' A value of 0 means "never set"; skip the time zone adjustment.
    If (lngHigh = 0) And (lngLow = 0) Then
        lngAdjust = 0
    End If
    lngDate = #1/1/1601# + (((lngHigh * (2 ^ 32)) _
        + lngLow) / 600000000 - lngAdjust) / 1440
    Integer8Date = CDate(lngDate)
End Function

Question by:rathiagu
2 Comments
 
LVL 65

Accepted Solution

by:
RobSampson earned 125 total points
ID: 21764251
Hi, you can never see, or obtain, the password for an Active Directory user. That would breach the security measures that Windows attempts to put in place.

The only thing you can do as an administrator is reset the password, but you can never identify the current password, unless the user tells you it.

Regards,

Rob.
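
The reset that the accepted answer describes as the only option, as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and the caller has reset rights on the target account; the function name Reset-UserPassword is hypothetical.

```powershell
# Added example: reset (never read) an AD user's password and force a change at next logon.
# Assumptions: ActiveDirectory module available; caller is delegated "Reset password" on the user.
Import-Module ActiveDirectory

function Reset-UserPassword {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity   # objectGUID, distinguished name or sAMAccountName
    )

    # Resolve the account first so a wrong identity fails before anything is changed.
    $user = Get-ADUser -Identity $Identity `
        -Properties PasswordNeverExpires, CannotChangePassword -ErrorAction Stop

    # A forced change at next logon is incompatible with either of these settings.
    if ($user.PasswordNeverExpires -or $user.CannotChangePassword) {
        throw "Clear 'password never expires' / 'user cannot change password' on $($user.SamAccountName) first."
    }

    # Read the temporary password as a SecureString so it is not echoed
    # to the console or stored in command history.
    $temp = Read-Host -AsSecureString -Prompt "Temporary password for $($user.SamAccountName)"

    # -Reset overwrites the stored password without needing the old one.
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $temp -ErrorAction Stop

    # Make the temporary password single-use: the user must choose a new one at logon.
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true -ErrorAction Stop

    # Report the resulting state for the change record.
    Get-ADUser -Identity $user -Properties PasswordLastSet, PasswordExpired |
        Select-Object SamAccountName, PasswordLastSet, PasswordExpired
}

# Example call, using the GUID from the script in the question:
# Reset-UserPassword -Identity 'c64b2d9f-4e41-4528-9573-6bebb0800336'
```

Because the administrator only ever sets a temporary value that the user must replace, nobody other than the user knows the working password afterwards.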