Solved

Access the user details within AD

Posted on 2010-09-15
Last Modified: 2012-05-10
I just posted the following question and this response was very helpful...

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_26476787.html#a33688351

Now that I understand this info, I have follow-up questions related to the data within the AD files.

We have a group policy defined to remember the last 5 passwords that a user uses so they do not reuse it. Guessing password details are maintained in the AD data. Specifically stuff like date the password was last changed and history of the last 5 passwords.

Presuming this is the case...

(1) Is there a utility we could use to view the contents of the AD data file?

(2) Or how can we connect to NTDS.DIT via MS SQL?

Question by:bnrtech
10 Comments
 
LVL 7

Expert Comment

by:kumarnirmal
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
Password last set you can get using a great tool like adfind by Joe Richards; see my example:

http://www.experts-exchange.com/Software/Office_Productivity/Office_Suites/MS_Office/Excel/Q_24302833.html

Other command-line tools like PowerShell, dstools, csvde, and scripts with VBScript and other methods can also pull info/reports.

You could also use acctinfo.dll to add a tab in ADUC: http://www.computerperformance.co.uk/w2k3/utilities/acctinfo.htm


As far as extracting the actual passwords: that is not possible. The passwords are stored as a unicode pwd attribute: http://msdn.microsoft.com/en-us/library/ms680513(VS.85).aspx

Stored as a hash that can't be cracked; awesome blog by Jesper on that subject: http://blogs.technet.com/b/jesper_johansson/archive/2005/10/13/410470.aspx

As far as SQL... I'll let the SQL guys handle that. Linked server and ADO.NET are two ways... I'm by no means an expert there.

Thanks

Mike
0
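The "password last set" value that tools such as csvde export is the `pwdLastSet` attribute, a 64-bit Windows FILETIME (100-nanosecond intervals since 1601-01-01 UTC). As an added example (not part of the original thread), this PowerShell converts a csvde-style export into a password-age report; the sample rows, the 90-day threshold and the function name `Get-PasswordAgeReport` are assumptions.

```powershell
# Constructed sample in the shape csvde writes for an export such as:
#   csvde -f users.csv -r "(&(objectCategory=person)(objectClass=user))" -l "sAMAccountName,pwdLastSet"
# (csvde always emits DN as the first column). Names and values below are made up.
$csv = @'
DN,sAMAccountName,pwdLastSet
"CN=Alice Example,OU=Staff,DC=example,DC=local",alice,129289824000000000
"CN=Bob Example,OU=Staff,DC=example,DC=local",bob,128000000000000000
"CN=New Hire,OU=Staff,DC=example,DC=local",newhire,0
'@

function Get-PasswordAgeReport {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Rows,
        [int] $MaxAgeDays = 90,                  # assumed policy value, adjust to your GPO
        [datetime] $AsOf = [datetime]::UtcNow    # reference time, treated as UTC
    )
    foreach ($r in $Rows) {
        $ft = [int64] $r.pwdLastSet
        if ($ft -le 0) {
            # pwdLastSet = 0: no timestamp; the user must change password at next logon
            $set = $null; $age = $null; $status = 'MustChangeAtNextLogon'
        } else {
            $set    = [datetime]::FromFileTimeUtc($ft)
            $age    = [int] [math]::Floor(($AsOf - $set).TotalDays)
            $status = if ($age -gt $MaxAgeDays) { 'Stale' } else { 'OK' }
        }
        # Only the timestamp is reported; password hashes and history are not in this export
        [pscustomobject]@{
            Account            = $r.sAMAccountName
            PasswordLastSetUtc = $set
            AgeDays            = $age
            Status             = $status
        }
    }
}

# Fixed reference date so the constructed sample gives the same report on every run
$rows = $csv | ConvertFrom-Csv
Get-PasswordAgeReport -Rows $rows -AsOf ([datetime]'2010-09-22') | Format-Table -AutoSize
```

Against a real export, replace the here-string with `Import-Csv users.csv` and drop the `-AsOf` argument to measure age from the current time.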
 
LVL 57

Expert Comment

by:Mike Kline
You won't be able to get the passwords if you mount the database using dsamain...talk about a security risk :)

By the way, that article is wrong; it is dsamain, not dsamin.

thanks

Mike
0
 

Author Comment

by:bnrtech
mkline71

Thanks once again for the good info. I think what would apply to us the best is when you mentioned acctinfo.dll to add a tab in ADUC  http://www.computerperformance.co.uk/w2k3/utilities/acctinfo.htm

I went to this hyperlink and followed the instructions to download and register acctinfo.dll. However when I go to register it I get the error noted in the attached image.

Any ideas?

acctinfo.jpg
0

 

Author Comment

by:bnrtech
From a command line I have tried to run regsvr32 acctinfo and regsvr32 acctinfo.dll

Maybe I should be doing something different since my server is a 64-bit setup?
0
 
LVL 57

Expert Comment

by:Mike Kline
Damn, yeah, it won't work on x32... and version 2 is not available publicly via the Microsoft site: http://www.open-a-socket.com/index.php/2010/04/27/64-bit-version-of-acctinfo2dll/

But Tony did put up the x64 version: http://www.open-a-socket.com/index.php/2010/04/27/64-bit-version-of-acctinfo2dll/

I haven't downloaded that yet but I'm going to load it in my 2008 R2 lab this weekend (forgot to do it)

Thanks

Mike
0
 
LVL 57

Expert Comment

by:Mike Kline
OK, just tested that acctinfo2 on my 2008 R2 test DC and it works. Make sure to follow the directions in the Word document that comes with it. You have to register it but also have to make a change using adsiedit.msc.

See screenshot from my lab box

Thanks

Mike
acctinfo2-tab.PNG
0
 

Author Comment

by:bnrtech
Going to this site next week and will update this question.
0
 
LVL 74

Expert Comment

by:Glen Knight
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0
