Mailing List Message #92417
From: Thom O'Connor <>
Subject: Re: with AD
Date: Fri, 31 Aug 2007 21:17:58 -0700
To: <>
From:   "Eric Chamberlain"
>> -----Original Message----- Behalf Of Thom O'Connor
>> Another possibility is to figure out how to "automatically" copy or
>> replicate the user's plain-text (or obfuscated but not encrypted)
>> password in Active Directory into a second custom attribute in
>> Active Directory - for example, create a custom attribute in Active
>> Directory called "userPassword", and have this attribute filled by
>> the user's new password automatically whenever a user modifies
>> their password. Then, configure to simply retrieve
>> this alternate field. This would probably require some
>> domain-controller-level scripting on the AD side of things, and
>> again - not being AD experts - we welcome any thoughts on this.
> I explored this in a past life, when I was managing a 60,000 user AD
> forest.
> The easiest way to get at the raw password in a Windows Domain is to
> write a custom password filter
> <>. The filter
> plugs into the Domain Controller LSA process and would save the raw
> password into another LDAP attribute.
> This method doesn't require a change in user behavior or hacking core
> Windows files. The filter dll can even be managed and deployed to
> each Domain Controller via Group Policies.

Yes, that seems very workable. The DLL function is here:
> PasswordChangeNotify
> The PasswordChangeNotify function is implemented by a password filter
> DLL. It is used to notify the DLL that a password was changed.
> NTSTATUS PasswordChangeNotify(
>   PUNICODE_STRING UserName,
>   ULONG RelativeId,
>   PUNICODE_STRING NewPassword
> );
> Parameters
> UserName
>     [in] Account name of the user whose password changed.
> RelativeId
>     [in] Relative identifier (RID) of the user specified in UserName.
> NewPassword
>     [in] New plaintext password for the user specified in UserName. When
> you have finished using the password, clear the information by calling
> the SecureZeroMemory function. For more information about protecting
> passwords, see Handling Passwords.

And there are Online References and examples around:

All this DLL should need to do is copy (or LDAP modify) it, plain-text or
Base64 encoded, into a separate attribute in AD - "userPassword" would
seem ideal for this and with any luck would even already be in the MS
schema. Anyone up to writing this?

Cheers,
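Because any filter registered this way runs inside LSASS on every Domain Controller and sees every new password in clear, an administrator should be able to list exactly which filter DLLs are loaded and whether they are the expected ones. The following PowerShell audit is an added example, not code from this thread or from any product mentioned in it; the baseline list of approved filter names is an assumption to adjust per environment.

```powershell
# Added example (not from the thread): audit which password filter DLLs LSA will load.
# Password filters are registered in the REG_MULTI_SZ value "Notification Packages"
# under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; each entry names a DLL in System32
# without the .dll extension. Run on each Domain Controller with local admin rights.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Assumed allowlist: 'scecli' ships with Windows and 'rassfm' is present on DCs.
# Add your own deliberately deployed filters here; anything else is worth investigating.
$baseline = @('scecli', 'rassfm')

$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages' -ErrorAction Stop).'Notification Packages'

foreach ($name in $packages) {
    if ([string]::IsNullOrWhiteSpace($name)) { continue }

    $dll  = Join-Path $env:SystemRoot ("System32\{0}.dll" -f $name)
    $info = [ordered]@{
        Package  = $name
        Path     = $dll
        Exists   = Test-Path -Path $dll
        Baseline = ($baseline -contains $name)   # $false => not in the allowlist
        Signed   = $null
        SHA256   = $null
    }

    if ($info.Exists) {
        # A valid Authenticode signature and a recorded hash let you compare DCs
        # against each other and against the DLL you actually deployed.
        $sig         = Get-AuthenticodeSignature -FilePath $dll
        $info.Signed = ($sig.Status -eq 'Valid')
        $info.SHA256 = (Get-FileHash -Path $dll -Algorithm SHA256).Hash
    }

    [pscustomobject]$info
}
```

Run it against every DC (for example via Invoke-Command) and treat an entry with Baseline = $false, Exists = $false, or Signed = $false as a finding to explain.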