The AD attribute for a user object password is unicodePwd. If you use the inetOrgPerson object (which Joe strongly disagrees with) that is available in Windows Server 2003, the password will be concurrently stored in the userPassword and unicodePwd attributes. The values of these attributes are typically not visible from any of the various and sundry administrative tools.

Windows 2000 uses the RC4-HMAC 128-bit cipher as the default Kerberos encryption type. This was due to export restrictions on DES that were in place at the time of the Windows 2000 release. Msft did add support for DES prior to the win2k release. Any user in an AD domain that has changed his/her password will have both RC4 and DES keys associated with his/her account.



On Apr 29, 2004, at 9:33 AM, Douglas M. Long wrote:

I have been looking for how Active Directory stores passwords, and have had
no luck. Does anyone know what format the password is stored in (e.g. crypt,
md5)? Also, what is the password attribute (is it userPassword)? TYIA



List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
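
An added illustration, not part of the original thread: unicodePwd cannot be read back over LDAP, and Active Directory accepts a write to it only over an encrypted connection, with the new password wrapped in double quotes and encoded as UTF-16LE. The Python sketch below builds the LDIF for an administrative reset and for a user-initiated change; the function names are hypothetical and the DN and passwords are constructed sample values.

```python
import base64

def encode_unicode_pwd(password: str) -> bytes:
    """Value AD expects in a unicodePwd write: the password in double
    quotes, encoded as UTF-16LE (no BOM)."""
    if not password:
        raise ValueError("password must not be empty")
    return f'"{password}"'.encode("utf-16-le")

def _ldif_attr(name: str, value: bytes) -> str:
    """Emit 'name:: <base64>', the binary-safe LDIF form."""
    return f"{name}:: {base64.b64encode(value).decode('ascii')}"

def _ldif_dn(dn: str) -> str:
    """Plain 'dn:' for a safe ASCII string, base64 'dn::' otherwise (RFC 2849)."""
    safe = (dn.isascii() and dn[:1] not in ("", " ", ":", "<")
            and not dn.endswith(" ")
            and not any(c in dn for c in "\r\n\0"))
    return f"dn: {dn}" if safe else _ldif_attr("dn", dn.encode("utf-8"))

def reset_ldif(dn: str, new_password: str) -> str:
    """Administrative reset: one 'replace' of unicodePwd."""
    return "\n".join([
        _ldif_dn(dn), "changetype: modify",
        "replace: unicodePwd",
        _ldif_attr("unicodePwd", encode_unicode_pwd(new_password)),
        "-", ""])

def change_ldif(dn: str, old_password: str, new_password: str) -> str:
    """User password change: delete the old value and add the new one
    in the same modify request."""
    return "\n".join([
        _ldif_dn(dn), "changetype: modify",
        "delete: unicodePwd",
        _ldif_attr("unicodePwd", encode_unicode_pwd(old_password)),
        "-",
        "add: unicodePwd",
        _ldif_attr("unicodePwd", encode_unicode_pwd(new_password)),
        "-", ""])

if __name__ == "__main__":
    dn = "CN=Test User,OU=Staff,DC=example,DC=com"  # constructed sample DN
    print(reset_ldif(dn, "N3w-Sample-Pw!"))          # constructed sample values
    print(change_ldif(dn, "Old-Sample-Pw1", "N3w-Sample-Pw!"))
```
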
