Mailing List Message #92416
From: Eric Chamberlain <>
Subject: RE: with AD
Date: Fri, 31 Aug 2007 17:08:41 -0700
To: CommuniGate Pro Discussions <>
X-Mailer: CommuniGate Pro MAPI Connector 1.2.5/1.2.12
> -----Original Message-----
> From: CommuniGate Pro Discussions [] On
> Behalf Of Thom O'Connor
> Sent: Friday, August 31, 2007 4:37 PM
> To: CommuniGate Pro Discussions
> Subject: Re: with AD
> Another possibility is to figure out how to "automatically" copy or
> replicate the user's plain-text (or obfuscated but not encrypted)
> password in Active Directory into a second custom attribute in Active
> Directory - for example, create a custom attribute in Active Directory
> called "userPassword", and have this attribute filled by the user's new
> password automatically whenever a user modifies their password. Then,
> configure to simply retrieve this alternate field. This
> would probably require some domain-controller-level scripting on the AD
> side of things, and again - not being AD experts - we welcome any
> thoughts on this.

I explored this in a past life, when I was managing a 60,000 user AD forest.

The easiest way to get at the raw password in a Windows Domain is to write a custom password filter <>.  The filter plugs into the Domain Controller LSA process and would save the raw password into another LDAP attribute.  

This method doesn't require a change in user behavior or hacking core Windows files. The filter DLL can even be managed and deployed to each Domain Controller via Group Policies.

Eric Chamberlain, CISSP
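
A password filter loaded into LSA on a Domain Controller receives every new password in clear text, so the list of registered filters is worth auditing on each DC. The script below is an added example, not part of the original message or of any CommuniGate Pro tooling; the `$Baseline` list is an assumption and must be replaced with the packages approved in your environment.

```powershell
# Added example: audit the LSA notification packages (password filters)
# registered on this domain controller against an approved baseline.
# Assumption: $Baseline lists the package names your organisation has approved.
# 'scecli' and 'rassfm' are common Windows defaults; adjust for your environment.
$Baseline = @('scecli', 'rassfm')

function Get-LsaNotificationPackage {
    # Password filters are registered by DLL base name in this multi-string value.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = 'Notification Packages'
    $names = (Get-ItemProperty -Path $key -Name $value).$value

    foreach ($name in $names) {
        if ([string]::IsNullOrWhiteSpace($name)) { continue }

        # LSA loads each package from %SystemRoot%\System32\<name>.dll
        $path   = Join-Path $env:SystemRoot "System32\$name.dll"
        $exists = Test-Path -LiteralPath $path
        $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }

        [pscustomobject]@{
            Name       = $name
            Path       = $path
            Exists     = $exists
            InBaseline = $Baseline -contains $name
            # Signature status and hash are reported for manual review only;
            # older Windows versions may not resolve catalog signatures here.
            SigStatus  = if ($sig) { $sig.Status } else { 'Missing' }
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            SHA256     = if ($exists) { (Get-FileHash -Path $path -Algorithm SHA256).Hash } else { $null }
        }
    }
}

$report = Get-LsaNotificationPackage
$report | Format-List Name, Path, InBaseline, SigStatus, Signer, SHA256

# Anything outside the baseline is a filter nobody has reviewed.
$unexpected = @($report | Where-Object { -not $_.InBaseline })
if ($unexpected.Count -gt 0) {
    Write-Warning ("Unreviewed password filter(s): " + ($unexpected.Name -join ', '))
    exit 1
}
```

Run it on every Domain Controller, since each one loads its own copy of the registered packages.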
