Any way to see an Active Directory password?
Before you jump to conclusions, let me explain. We have a password reset tool that is not working. For some reason when you use it, it resets your password to some unknown value (not what you changed it to, or what it was before). I have set up a test "user" in the appropriate OU, and I want to be able to see what the reset tool is changing the password to. That way maybe I can understand what's going on. Any help would be greatly appreciated.
AD passwords (just like Windows ones) are stored using non-reversible encryption, so the standard answer is a definite "NO".
There is a GPO setting that will tell AD (or any Windows system) to store passwords using reversible encryption, but there is no built-in tool to decrypt them (although there is some documentation floating around on how to do that). Of course, this is exactly as insecure as it looks.
If you need to see the plain text of what it's setting it to, and you can't get the reset tool to spit that info out itself, then you have two options: enabling reversible encryption, or using a password filter.
With reversible encryption, you can get at the original password, but it's not a pleasant process.
With a password filter, you can dump out all password changes to text, but that's obviously not a good thing for security when it comes to your non-test users.
If you only need to see the hash to see if it was set correctly, though, then you can dump the hash database and compare.