Back up and restore Active Directory password per user
Since MarkM already explained why we shouldn't replace and restore user passwords, I'll try to address how the system prevents us from making those changes.
In Unix, the password hashes were originally stored in /etc/passwd
and could be read by anyone. Realizing that this allowed any user to potentially steal passwords, newer unix systems store the password hashes in /etc/shadow
which is only readable by root
.
Windows followed a similar path. In a domain environment, the password hashes of domain users are stored in the SAM registry hive on each domain controller. You're probably already familiar with hives like HKLM and HKCU.
Starting with Windows 2000, the SAM hive is encrypted with a 128-bit password encryption key, which is itself encrypted using the SYSKEY. It should be apparent that since the operating system must read the contents of the hive in order to authenticate users at logon, the encryption key must be saved on the computer somewhere. For more in-depth coverage of the obfuscation techniques that are used, check out SysKey and the SAM.
Windows tries very hard to prevent administrative users from being able to read/write the hashes directly, and normally only lsass.exe
running as the SYSTEM
user is able to read the hashes.
However, I'm sure you've encountered tools that bypass these protections. For example, fgdump
is capable of exporting password hashes from a live system by injecting code into lsass.exe
, although that can potentially crash the entire system. And there are a wide variety of bootable tools that can overwrite password hashes when Windows isn't running.
Although it is theoretically possible to replace user passwords, you'll first need to circumvent a wide variety of protections built into the Windows operating system. Any of these methods have the potential to destabilize your system, and should never be used in a production environment.
No, you can't.
Food for thought: If you work for a company of moderate size, there's likely a policy in place disallowing people in IT (or other areas) from impersonating other users without their explicit consent. If your company doesn't have a policy like this in place, you should strongly consider it.