Can a password change in Active Directory be reverted?

I often need to log in with a user's domain account to make sure that I've set up their profile correctly, but there's no easy way to do this other than to call them and give them a temp pass and force them to change it (bad, since they often forget it) or ask for their password (worse).

Is there any way to change a user's password, then set it back to the original later? I tried to see if there was any way to get the NTLM hash so I could set it back later, but there doesn't seem to be a facility for that built into AD.


Solution 1:

In Windows XP, right click on the My Computer icon and choose Properties. In the dialog box that opens, choose the Advanced tab. There will now be a User Profiles button. Click that and you should be able to choose your user's profile from a list. Click the Copy To button. On the dialog that opens, there's an option to give other people access to log on to a profile. You have to copy it back and forth a couple times and you need to own two user accounts, but you can use this to tweak a user's profile without knowing their password.

First, copy the other user's profile to the folder your alternate user account would use, taking care to give that account access to log on to the profile. Log on with that account and do whatever you want to the profile. Then, log back on with your original account and delete the user's original profile. Now copy the profile changed by your alt account back to its original location, taking care to give the original user access to the profile again.

If this is for a new computer setup, where the original user has never logged in, you can do this copying your nicely configured profile over the default profile.

It's worth noting that this answer is only any good because you tagged the question windows-xp. The process no longer works on Windows 7, as there are some registry settings that are not handled very well by the copy profile process. Rather than updating the Copy Profile process, Microsoft chose to simply disable the Copy button. You can find hacks to re-enable it, but none of them fix the reason the button was disabled, and so they should be avoided.

Solution 2:

You can't restore a previous password without doing a restoration of the AD object (and that's neither obvious nor usable for daily use).

You may force the temporary password several times (exactly "Number of passwords remembered") so that the user could change his password back to the value he used before your changes. I think you could do it with a script if the "Number of passwords remembered" is high.

This way, you don't have to know his password, and he won't forget his "new" password. But you still have to call him to tell him his "temp" password.

In batch:

FOR /L %B IN (1,1,<num>) DO NET USER <user> <tmppassword> /DOMAIN

where <num> is the number of remembered passwords in your AD group policy, <user> is the username (pre-Windows 2000), and <tmppassword> is the temporary password given to your user.
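The same loop as an added PowerShell example (not part of the answer above): it reads the history length from the domain policy, or from a fine-grained policy if one applies to the account, instead of hard-coding <num>, and it assumes the RSAT ActiveDirectory module, rights to reset the target account's password, and that every admin reset adds one entry to the password history.

```powershell
# Added example, not from the original answer. Assumes the ActiveDirectory
# module (RSAT) and permission to reset the target user's password.
# Usage: .\Cycle-PasswordHistory.ps1 -SamAccountName jdoe -FinalTempPassword (Read-Host -AsSecureString)
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    # The temporary password you will actually hand to the user (and log on with).
    [Parameter(Mandatory)] [securestring] $FinalTempPassword
)

Import-Module ActiveDirectory

# "Enforce password history" from the default domain policy; 0 means no history is kept.
$historyCount = (Get-ADDefaultDomainPasswordPolicy).PasswordHistoryCount

# A fine-grained password policy applied to this user overrides the domain default.
$fgpp = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
if ($fgpp) { $historyCount = $fgpp.PasswordHistoryCount }

# Push the user's current password out of the history with throwaway resets.
# Assumption: each reset adds one history entry, so after $historyCount resets
# the user's original password is no longer blocked by "Enforce password history".
# Every reset is recorded on the DC as security event 4724, so the trail is auditable.
for ($i = 1; $i -le $historyCount; $i++) {
    # Random 32-character value (upper, lower, digits, symbols); never shown to anyone.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 24
    $rng.GetBytes($bytes)
    $throwaway = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $throwaway
    Write-Verbose "Throwaway reset $i of $historyCount for $SamAccountName"
}

# Final reset to the password you give the user; they can change it back to their
# original value afterwards because that value is no longer in the history.
Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $FinalTempPassword
Write-Output "Password history for $SamAccountName cycled $historyCount time(s); temporary password set."
```

Run it with -Verbose to see each throwaway reset as it happens.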