Solved

Access the user details within AD

Posted on 2010-09-15
Last Modified: 2012-05-10
I just posted the following question and this response was very helpful...

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_26476787.html#a33688351

Now that I understand this info, I have follow up questions related to the data within the AD files.

We have a group policy defined to remember the last 5 passwords that a user uses so they do not reuse it. Guessing password details are maintained in the AD data. Specifically stuff like date the password was last changed and history of the last 5 passwords.

Presuming this is the case...

(1) Is there a utility we could use to view the contents of the AD data file?

(2) Or how can we connect to NTDS.DIT via MS SQL?

Question by:bnrtech
10 Comments
 
LVL 7

Expert Comment

by:kumarnirmal
ID: 33688482
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 33688499
Password last set you can get using a great tool like adfind by Joe Richards; see my example:

http://www.experts-exchange.com/Software/Office_Productivity/Office_Suites/MS_Office/Excel/Q_24302833.html

Other command-line tools like PowerShell, dstools, csvde, and scripts with VBScript and other methods can also pull info/reports.

You could also use acctinfo.dll to add a tab in ADUC  http://www.computerperformance.co.uk/w2k3/utilities/acctinfo.htm


As far as extracting the actual passwords, that is not possible; the passwords are stored as a unicode pwd attribute: http://msdn.microsoft.com/en-us/library/ms680513(VS.85).aspx

Stored as a hash that can't be cracked; awesome blog by Jesper on that subject: http://blogs.technet.com/b/jesper_johansson/archive/2005/10/13/410470.aspx

As far as SQL....I'll let the SQL guys handle that.  Linked server and ADO.net are two ways...I'm by no means an expert there

Thanks

Mike
0
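Added example, not part of the thread or any poster's code: the answer above names csvde and PowerShell as ways to report on "password last set". This sketch parses a csvde-style export and converts the raw `pwdLastSet` value (a Windows FILETIME) into a date and age, handling the `0` case. The sample rows, the `example.local` names, the function name `Get-PasswordAgeReport` and the 90-day threshold are all constructed assumptions; it needs PowerShell 3.0 or later.

```powershell
# Constructed sample in the shape csvde writes for an export such as:
#   csvde -f users.csv -r "(&(objectCategory=person)(objectClass=user))" -l "sAMAccountName,pwdLastSet,userAccountControl"
$csv = @'
DN,sAMAccountName,pwdLastSet,userAccountControl
"CN=Alice Example,OU=Staff,DC=example,DC=local",alice,129289824000000000,512
"CN=Bob Example,OU=Staff,DC=example,DC=local",bob,0,512
"CN=Svc Backup,OU=Service,DC=example,DC=local",svc-backup,128000000000000000,66048
'@

function Get-PasswordAgeReport {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Rows,
        [datetime] $AsOf = (Get-Date).ToUniversalTime(),
        [int] $MaxAgeDays = 90    # assumed threshold, not a value from the thread
    )
    foreach ($r in $Rows) {
        $fileTime = [int64] $r.pwdLastSet
        $uac      = [int]   $r.userAccountControl

        # pwdLastSet counts 100-ns intervals since 1601-01-01 UTC.
        # 0 means no timestamp is set: the user must change password at next logon.
        $lastSet = if ($fileTime -gt 0) { [datetime]::FromFileTimeUtc($fileTime) } else { $null }
        $ageDays = if ($null -ne $lastSet) { [math]::Floor(($AsOf - $lastSet).TotalDays) } else { $null }

        [pscustomobject]@{
            Account               = $r.sAMAccountName
            PasswordLastSetUtc    = $lastSet
            AgeDays               = $ageDays
            MustChangeAtNextLogon = ($fileTime -eq 0)
            # 0x10000 is the DONT_EXPIRE_PASSWORD bit in userAccountControl
            NeverExpires          = [bool] ($uac -band 0x10000)
            OverMaxAge            = ($null -ne $ageDays -and $ageDays -gt $MaxAgeDays)
        }
    }
}

$report = Get-PasswordAgeReport -Rows ($csv | ConvertFrom-Csv)
$report | Format-Table -AutoSize
```

Only timestamps and account flags are read here; the export contains no password history or hash material.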
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33688510
You won't be able to get the passwords if you mount the database using dsamain...talk about a security risk :)

By the way, that article is wrong; it is dsamain, not dsamin.

thanks

Mike
0

 

Author Comment

by:bnrtech
ID: 33688590
mkline71

Thanks once again for the good info. I think what would apply to us the best is when you mentioned acctinfo.dll to add a tab in ADUC  http://www.computerperformance.co.uk/w2k3/utilities/acctinfo.htm

I went to this hyperlink and followed the instructions to download and register acctinfo.dll. However, when I go to register it, I get the error noted in the attached image.

Any ideas?

acctinfo.jpg
0
 

Author Comment

by:bnrtech
ID: 33688603
From a command line I have tried to run regsvr32 acctinfo and regsvr32 acctinfo.dll

Maybe I should be doing something different since my server is a 64bit setup?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33688648
Damn, yeah it won't work on x32... and version 2 is not available publicly via the Microsoft site: http://www.open-a-socket.com/index.php/2010/04/27/64-bit-version-of-acctinfo2dll/

But Tony did put up the x64 version: http://www.open-a-socket.com/index.php/2010/04/27/64-bit-version-of-acctinfo2dll/

I haven't downloaded that yet but I'm going to load it in my 2008 R2 lab this weekend (forgot to do it)

Thanks

Mike
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33697782
OK, just tested that acctinfo2 on my 2008R2 test DC and it works. Make sure to follow the directions in the Word document that comes with it. You have to register it but also have to make a change using adsiedit.msc.

See screenshot from my lab box

Thanks

Mike
acctinfo2-tab.PNG
0
 

Author Comment

by:bnrtech
ID: 33810833
Going to this site next week and will update this question.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 34689999
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0
