Solved

Access the user details within AD

Posted on 2010-09-15
Last Modified: 2012-05-10
I just posted the following question and this response was very helpful...

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_26476787.html#a33688351

Now that I understand this info, I have follow up questions related to the data within the AD files.

We have a group policy defined to remember the last 5 passwords that a user uses so they do not reuse it. Guessing password details are maintained in the AD data. Specifically stuff like date the password was last changed and history of the last 5 passwords.

Presuming this is the case...

(1) Is there a utility we could use to view the contents of the AD data file?

(2) Or how can we connect to NTDS.DIT via MS SQL?

Question by:bnrtech
9 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 2000 total points
ID: 33688499
Password last set you can get using a great tool like adfind by Joe Richards; see my example:

http://www.experts-exchange.com/Software/Office_Productivity/Office_Suites/MS_Office/Excel/Q_24302833.html

Other command-line tools like PowerShell, dstools, csvde, and scripts with VBScript and other methods can also pull info/reports.

You could also use acctinfo.dll to add a tab in ADUC  http://www.computerperformance.co.uk/w2k3/utilities/acctinfo.htm


As far as extracting the actual passwords, that is not possible. The passwords are stored as a unicode pwd attribute: http://msdn.microsoft.com/en-us/library/ms680513(VS.85).aspx

stored as a hash that can't be cracked, awesome blog by Jesper on that subject  http://blogs.technet.com/b/jesper_johansson/archive/2005/10/13/410470.aspx

As far as SQL....I'll let the SQL guys handle that.  Linked server and ADO.net are two ways...I'm by no means an expert there

Thanks

Mike
0
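An added example, not part of the answer above or of the original thread: reading "password last set" out of a csvde export. The sample rows, the 90-day threshold and the function names are constructed for illustration; `pwdLastSet` is the AD attribute that holds the timestamp, as a count of 100-nanosecond intervals since 1601-01-01 UTC.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample of a csvde export, e.g. produced with:
#   csvde -f users.csv -r "(&(objectCategory=person)(objectClass=user))"
#         -l "sAMAccountName,pwdLastSet"
# csvde writes the DN as the first column; the rows below are made up.
SAMPLE_EXPORT = '''DN,sAMAccountName,pwdLastSet
"CN=Alice Example,OU=Staff,DC=example,DC=com",alice,129277728000000000
"CN=Bob Example,OU=Staff,DC=example,DC=com",bob,128752416000000000
"CN=Carol Example,OU=Staff,DC=example,DC=com",carol,0
'''

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ticks):
    """Convert a pwdLastSet value to an aware UTC datetime.

    A value of 0 carries no timestamp: the account must change its
    password at next logon, or the password was never set.
    """
    ticks = int(ticks)
    if ticks <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def password_age_report(export_text, as_of, max_age_days=90):
    """Return (account, last_set, age_in_days, status) for each exported user."""
    rows = []
    for rec in csv.DictReader(io.StringIO(export_text)):
        last_set = filetime_to_utc(rec.get("pwdLastSet") or 0)
        if last_set is None:
            rows.append((rec["sAMAccountName"], None, None,
                         "must-change-or-never-set"))
            continue
        age = (as_of - last_set).days
        status = "stale" if age > max_age_days else "ok"
        rows.append((rec["sAMAccountName"], last_set, age, status))
    return rows


if __name__ == "__main__":
    as_of = datetime(2010, 9, 15, tzinfo=timezone.utc)
    for sam, last_set, age, status in password_age_report(SAMPLE_EXPORT, as_of):
        print(f"{sam:8} {last_set or '-'!s:27} {age if age is not None else '-':>5} {status}")
```

Only the timestamp is available this way; the export contains no password or password-history values.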
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33688510
You won't be able to get the passwords if you mount the database using dsamain...talk about a security risk :)

By the way, that article is wrong: it is dsamain, not dsamin.

thanks

Mike
0

 

Author Comment

by:bnrtech
ID: 33688590
mkline71

Thanks once again for the good info. I think what would apply to us the best is when you mentioned acctinfo.dll to add a tab in ADUC  http://www.computerperformance.co.uk/w2k3/utilities/acctinfo.htm

I went to this hyperlink and followed the instructions to download and register acctinfo.dll. However when I go to register it I get the error noted in the attached image.

Any ideas?

acctinfo.jpg
0
 

Author Comment

by:bnrtech
ID: 33688603
From a command line I have tried to run regsvr32 acctinfo and regsvr32 acctinfo.dll

Maybe I should be doing something different since my server is a 64bit setup?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33688648
Damn, yeah, it won't work on x32... and version 2 is not available publicly via the Microsoft site: http://www.open-a-socket.com/index.php/2010/04/27/64-bit-version-of-acctinfo2dll/

but Tony did put up the x64 version   http://www.open-a-socket.com/index.php/2010/04/27/64-bit-version-of-acctinfo2dll/

I haven't downloaded that yet but I'm going to load it in my 2008 R2 lab this weekend (forgot to do it)

Thanks

Mike
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33697782
OK, just tested that acctinfo2 on my 2008R2 test DC and it works. Make sure to follow the directions in the Word document that comes with it. You have to register it but also have to make a change using adsiedit.msc

See screenshot from my lab box

Thanks

Mike
acctinfo2-tab.PNG
0
 

Author Comment

by:bnrtech
ID: 33810833
Going to this site next week and will update this question.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 34689999
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0
