Get Password for Active Directory user

Posted on 2008-06-11
Last Modified: 2008-06-12
I am working with active directory through asp.net2.0.i need to get one Active directory user's password using LDAP.I am not sure how to do this.I used the below script which gave me when the password was last set,whether it was expired etc..,.But i need to see the password for that particular active directory user
Option Explicit

Dim objUser, strUserDN, objShell, lngBiasKey, lngBias, k

Dim objRootDSE, strDNSDomain, objDomain, objMaxPwdAge, intMaxPwdAge

Dim objDate, dtmPwdLastSet, lngFlag, blnPwdExpire, blnExpired

Dim lngHighAge, lngLowAge



' Hard code user Distinguished Name.

Set objUser = GetObject("LDAP://<GUID=c64b2d9f-4e41-4528-9573-6bebb0800336>")

' Obtain local time zone bias from machine registry.

Set objShell = CreateObject("Wscript.Shell")

lngBiasKey = objShell.RegRead("HKLM\System\CurrentControlSet\Control\" _

    & "TimeZoneInformation\ActiveTimeBias")

If (UCase(TypeName(lngBiasKey)) = "LONG") Then

    lngBias = lngBiasKey

ElseIf (UCase(TypeName(lngBiasKey)) = "VARIANT()") Then

    lngBias = 0

    For k = 0 To UBound(lngBiasKey)

        lngBias = lngBias + (lngBiasKey(k) * 256^k)


End If

' Determine domain maximum password age policy in days.

Set objRootDSE = GetObject("LDAP://RootDSE")

strDNSDomain = objRootDSE.Get("DefaultNamingContext")

Set objDomain = GetObject("LDAP://" & strDNSDomain)

Set objMaxPwdAge = objDomain.MaxPwdAge

' Account for bug in IADslargeInteger property methods.

lngHighAge = objMaxPwdAge.HighPart

lngLowAge = objMaxPwdAge.LowPart

If (lngLowAge < 0) Then

    lngHighAge = lngHighAge + 1

End If

intMaxPwdAge = -((lngHighAge * 2^32) _

    + lngLowAge)/(600000000 * 1440)

' Retrieve user password information.

Set objDate = objUser.PwdLastSet

dtmPwdLastSet = Integer8Date(objDate, lngBias)

lngFlag = objUser.Get("userAccountControl")

blnPwdExpire = True

If ((lngFlag And ADS_UF_PASSWD_CANT_CHANGE) <> 0) Then

    blnPwdExpire = False

End If

If ((lngFlag And ADS_UF_DONT_EXPIRE_PASSWD) <> 0) Then

    blnPwdExpire = False

End If

' Determine if password expired.

blnExpired = False

If (blnPwdExpire = True) Then

    If (DateDiff("d", dtmPwdLastSet, Now) > intMaxPwdAge) Then

        blnExpired = True

    End If

End If

' Display password information.

Wscript.Echo "User: " & strUserDN & vbCrLf & "Password last set: " _

    & dtmPwdLastSet & vbCrLf & "Maximum password age (days): " _

    & intMaxPwdAge & vbCrLf & "Can password expire? " & blnPwdExpire _

    & vbCrLf & "Password expired? " & blnExpired

' Clean up.

Set objUser = Nothing

Set objShell = Nothing

Set objRootDSE = Nothing

Set objDomain = Nothing

Set objMaxPwdAge = Nothing

Set objDate = Nothing

Function Integer8Date(ByVal objDate, ByVal lngBias)

    ' Function to convert Integer8 (64-bit) value to a date, adjusted for

    ' local time zone bias.

    Dim lngAdjust, lngDate, lngHigh, lngLow

    lngAdjust = lngBias

    lngHigh = objDate.HighPart

    lngLow = objdate.LowPart

    ' Account for bug in IADslargeInteger property methods.

    If (lngLow < 0) Then

        lngHigh = lngHigh + 1

    End If

    If (lngHigh = 0) And (lngLow = 0) Then

        lngAdjust = 0

    End If

    lngDate = #1/1/1601# + (((lngHigh * (2 ^ 32)) _

        + lngLow) / 600000000 - lngAdjust) / 1440

    Integer8Date = CDate(lngDate)

End Function

Open in new window

Question by:rathiagu
LVL 65

Accepted Solution

RobSampson earned 125 total points
Comment Utility
Hi, you can never see, or obtain, the password for an Active Directory user. That would breach the security measures that Windows attempts to put in place.

The only thing you can do as an administrator is reset the password, but you can never identify the current password, unless the user tells you it.



Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Mapping Drives using Group policy preferences Are you still using old scripts to map your network drives if so this article will show you how to get away for old scripts and move toward Group Policy Preference for mapping them. First things f…
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now