Backup AD Account Password?


systemx17


Is this possible:

1) 'Backup' encrypted Active Directory (win2k3/win2k7 domain) user password string

2) Change the password and perform administrative tasks

3) Restore the encrypted AD user password string

For use of administrators instead of having to deal with end l'users having a sad about their password being reset after hours?


As above:

"For use of administrators instead of having to deal with end l'users having a sad about their password being reset after hours?"

I don't need the password, I don't want the password - I just want to put it back in place when I am finished in their account.

If you are an admin on the domain controller why would you need the users password?

Not too sure you understand what I mean. Yes, as administrator I can change anything, but that doesn't mean I can change it back.

Here is a scenario to explain it clearer:

Working back after hours and I need to test a recently installed application for a user. I know that their application configuration is specific to their installation on their PC. I want to login as the user, but I don't know their password. They are one of my lawyer clients and don't tolerate changes that delay their working day. I can change their password, but I would have to let them know the new password before they return to work at 6am.

So what I want to be able to do is to store their encrypted password, then change it to whatever I like. Complete the work then restore their original password.

So even though I may be able to change things, I can't restore them back to their original state without running a full server restore from when their password hadn't changed - which is not an option.


Take an image of their machine (or a copy of their profile). Make the profile (on the image) the default profile, then login as a different user. The different user will now have the same profile but with a different user name.


There have been some good thoughts so far on some alternative options, so I am inclined to think this might not be possible. Does anyone know for sure that it's not? Anyone got any ideas on the theory behind it rather than the alternatives?

I am really looking for an answer to the question "Can Active Directory encrypted passwords be extracted, reset then put back in place? And would the original hash still result in the same password for the user once it has been restored?"

Thanks for the input so far..


http://www.jms1.net/nt-unlock.shtml

There are various options, but they all essentially boil down to recovering and cracking stored passwords from either the local system or the domain controller. Google for the specifics. However, by cracking the stored passwords DB on a regular basis you're setting yourself up to fail, either because you become known as someone who has access to *everything* or something will go wrong eventually. Make your users understand that a password will be provided, or devise a method of texting passwords to the user in the case their account needs to be unlocked.


If said user goes home and needs something done on their profile you need to be logged in for, and you know they will be in the office 3hrs before you're even planning to wake up, you can't use remote admin tools and you can't just reset the password and pretend it's a system quirk in the morning.

Personally, I have found that the only way this will work is if you get them to give you a cell phone number, reset the password, and text them the replacement. The other option is to tell them "I might have to reset your password, if I do it will be XxxXxxX" beforehand. Make this a known password and you won't have to tell them, although this is being pragmatic at the sake of security.

A 3rd option is to have a self-service password reset tool, like Specops Password Reset (FYI their marketing person comes on *real* strong, kept calling me up for chats about the software) or Sysops Tools Password Reset Pro. With this you can spend your entire day resetting random accounts' passwords and not get a single helpdesk call.


A 3rd option is to have a self-service password reset tool, like Specops Password Reset (FYI their marketing person comes on *real* strong, kept calling me up for chats about the software) or Sysops Tools Password Reset Pro. With this you can spend your entire day resetting random accounts' passwords and not get a single helpdesk call.

We use one of these and it seems to be helping us somewhat.


Rather than change the password, I can think of 2 options that can work better and are probably a lot easier. I would choose option 2 for security and to keep it more MS/AD oriented rather than adding more applications.

1. You could just remote desktop in using VNC or the like. To make it more secure, set the service to manual, remote manage to the machine, turn it on, do what you need to do, then disable the service. That way it's there and installed, but an admin has to manually start the service for it to work.

2. I remember using a feature of MSTSC/RDP where you can view and control a screen while having the target user still logged in. This is great if you want them to reproduce a problem they are having without leaving your desk OR to do something as someone else like you are talking about. Somewhere in the Group Policies in AD there is a check box to allow remote users in a specific group to view or view & control a session. I know I used it on a box set up for TS clients to connect to, but I am almost sure that there is a way to do this on normal desktop boxes.

I will google for the how-to page that I used a few years back and report back if/when I find it. If anyone else finds it first, please post it up.

-ArXiX

EDIT:

Found something about it here:

http://www.msterminalservices.org/articles...oup-Policy.html

Most of the way down, search for "Set rules for remote control of Terminal Services user sessions", also known as Shadow sessions. I think this might still work even if it's not on a TS box. If it doesn't, install Ultra VNC and call it a win.

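The "Set rules for remote control of Terminal Services user sessions" policy mentioned above decides whether an admin can shadow a session at all and, more importantly for this thread, whether the logged-in user has to accept the request first. The following PowerShell is an added example (not from the thread or from any of the products named in it) that reads the effective policy value on a machine and flags the "no permission required" settings, which are the ones an auditor would want to know about. It assumes the policy stores its choice in the `Shadow` DWORD under the `Terminal Services` policy key, which is how the Group Policy ADMX template writes it.

```powershell
# Added example: audit the Remote Desktop Services session shadowing policy.
# Assumption: when configured, the policy writes a 'Shadow' DWORD under this key
# with the value meanings listed in $Meaning (0..4).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

$Meaning = @{
    0 = 'Remote control disabled'
    1 = 'Full control, user permission required'
    2 = 'Full control, NO user permission required'
    3 = 'View only, user permission required'
    4 = 'View only, NO user permission required'
}

function Get-ShadowPolicy {
    # Read the policy value; a missing key/value means "Not configured",
    # in which case the local RDS configuration decides.
    $value = (Get-ItemProperty -Path $PolicyKey -Name Shadow -ErrorAction SilentlyContinue).Shadow
    if ($null -eq $value) {
        return [pscustomobject]@{ Configured = $false; Value = $null; Meaning = 'Not configured (local RDS setting applies)' }
    }
    [pscustomobject]@{ Configured = $true; Value = [int]$value; Meaning = $Meaning[[int]$value] }
}

$policy = Get-ShadowPolicy
$policy | Format-List

# Values 2 and 4 let an administrator attach to a user's session silently; on
# ordinary desktops the consent-required variants (1 or 3) are the defensible choice.
if ($policy.Configured -and $policy.Value -in 2, 4) {
    Write-Warning "Shadowing without the user's consent is enabled ($($policy.Meaning)); consider value 1 or 3."
}

# To set it on a stand-alone test box (domain-joined machines should get this via GPO):
#   New-Item -Path $PolicyKey -Force | Out-Null
#   Set-ItemProperty -Path $PolicyKey -Name Shadow -Type DWord -Value 1
```

Note the trade-off the later replies run into: with consent required, shadowing only works while the user is present to click "Yes", so it solves the "reproduce the problem" case but not the after-hours case.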

2. I remember using a feature of MSTSC/RDP where you can view and control a screen while having the target user still logged in. This is great if you want them to reproduce a problem they are having without leaving your desk OR to do something as someone else like you are talking about. Somewhere in the Group Policies in AD there is a check box to allow remote users in a specific group to view or view & control a session. I know I used it on a box set up for TS clients to connect to, but I am almost sure that there is a way to do this on normal desktop boxes.

We use remote assistance. I launch mine from a cmd run as my support account.

c:>rcontrol soeXXXXX

EDIT: you can rcontrol to the ip address too if the DNS is fucking up.

They accept the request and then you take control. Only downside: you can't see them move the mouse cursor.


They accept the request and then you take control. Only downside: you can't see them move the mouse cursor.

That won't work if he needs to do it after hours, but it is a way of doing it if he can get them to do it at the end of the business day.

-ArXiX


True, but I put this to you. When dealing with executives and the like, playing the "we don't bend over backwards for users" card has to be done carefully. In truth, IT support staff (especially so for helpdesk) are effectively digital plumbers, hired purely to keep the systems running so other people can actually get on with the actual business of the company. You need to be pragmatic and know where and how to bend the rules, and where you shouldn't. This is a fairly easy problem to solve: either text/BlackBerry the user the password upon reset, agree on one beforehand, or set up a self-service password reset system. That way you and the user can both do the work you need to at times that work for both of you.


End users know when we are available to reach, the SLA time for most issues and what can and can't be done by us instantly, as well as the process for requesting resources etc. The more prudent ones use their heads and work with us and help us resolve the issue sooner. The ones that leave shit till the last minute and then demand high priority end up shit out of luck. We are held to a set of KPI and a priority matrix, which takes precedence. Vital things naturally have a higher priority. We support 10,000 end users over 3 companies that supply the electricity to the entire state. We don't have time to mince around with whingers or people who are totally inept. The policy is in place and until it's changed or special circumstances arise, we stick to it.


Wow, there are a few different techniques that everyone uses by the sounds of it. And for the most part, all would be more effective than the current situation. The only big challenge proposed for the most part is that the user would need to be logged in as the specific user at the time for VNC/Remote Assistance.

I will be taking some of the information for other tasks, such as the "I may change your password, if I do it will be ...". It will work for some of my clients. I don't really feel the security is kept free from a 'hands on hardware' situation unless the users lock their phone with a code though. I do see the benefit for easing the interruption to the user.

I was having a think about dumping the hashes remotely over the network or from the user's terminal and essentially trying to decrypt their password with Rainbow Tables. This won't obviously work in some situations (due to the limitations of dumping hashes), but I believe I could write a simple remote script to echo back the dump to the server for decryption. This poses a number of questions and possible security risks, but I believe it might work for what I am trying to achieve...

Anyone got any thoughts? I probably won't have time to get back on here for a couple of days, so I might just have a read of anything posted, before starting out.

Thanks for all the sweet tasty info so far..


I definitely advise against cracking end user passwords. I think that basically co-ordination between yourself and the user is the best option. Get them to leave their PC on during lunch or schedule a time. Not the most convenient option but I think the best. End users having to constantly invent new passwords pisses them off pretty quick, especially when they try to keep them all the same across multiple systems.


i) Get the user to provide the current password. Inform them that upon their return they will need to enter a new password [make sure you check this option on their AD account]

ii) Before carrying work out on the user's system, inform them that their password will be reset to xxxxxxx etc.

I guess you're in a real pickle and the above doesn't help you out, but it should do going forward.

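The two steps above (reset to an agreed temporary value, and tick "user must change password at next logon" so that value dies after the first sign-in) are the part of this thread that can be done entirely with the built-in AD tooling. The PowerShell below is an added example, not posted by anyone in the thread; it assumes the ActiveDirectory RSAT module is installed and that the caller has reset-password rights on the account. `jdoe` is a placeholder account name and the temporary password is generated on the spot rather than typed in, so it never has to live in a script.

```powershell
# Added example: reset an account to a one-time password and force a change at next logon.
# Assumes the ActiveDirectory module (RSAT) and permission to reset the target account.
Import-Module ActiveDirectory

function Reset-TemporaryPassword {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [securestring] $TemporaryPassword
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties LockedOut, PasswordNeverExpires
    if ($user.PasswordNeverExpires) {
        # ChangePasswordAtLogon cannot be set while "password never expires" is on
        throw "$SamAccountName has PasswordNeverExpires set; clear it before forcing a change at logon."
    }

    # -Reset: an admin reset, so the old password is not required (the whole point here).
    # The DC logs this as security event 4724 with the caller's identity.
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $TemporaryPassword

    # The "must change password at next logon" flag the post refers to;
    # it sets pwdLastSet to 0 so the temporary value only survives one sign-in.
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true

    if ($user.LockedOut) { Unlock-ADAccount -Identity $user }

    # Return the resulting state so the caller can confirm the flag took.
    Get-ADUser -Identity $user -Properties pwdLastSet |
        Select-Object SamAccountName,
                      @{ n = 'MustChangeAtLogon'; e = { $_.pwdLastSet -eq 0 } }
}

# Constructed temporary password: random, single-use, handed over via the channel
# agreed with the user (text message, in person), never stored in the script.
$plain = 'Tmp-' + [guid]::NewGuid().ToString('N').Substring(0, 12)
$temp  = ConvertTo-SecureString $plain -AsPlainText -Force

Reset-TemporaryPassword -SamAccountName 'jdoe' -TemporaryPassword $temp   # 'jdoe' is a placeholder
Write-Host "Temporary password for jdoe: $plain (valid for one logon only)"
```

Because the flag forces a new password on the user's first sign-in, the admin who knows the temporary value cannot quietly keep using it afterwards, which is the property the original poster was after in wanting to "put the password back".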
