Back up and restore Active Directory password per user

Since MarkM already explained why we shouldn't replace and restore user passwords, I'll try to address how the system prevents us from making those changes.

In Unix, the password hashes were originally stored in /etc/passwd and could be read by anyone. Realizing that this allowed any user to potentially steal passwords, newer Unix systems store the password hashes in /etc/shadow, which is only readable by root.

Windows followed a similar path. In a domain environment, the password hashes of domain users are stored in the SAM registry hive on each domain controller. You're probably already familiar with hives like HKLM and HKCU.

Starting with Windows 2000, the SAM hive is encrypted with a 128-bit password encryption key, which is itself encrypted using the SYSKEY. It should be apparent that since the operating system must read the contents of the hive in order to authenticate users at logon, the encryption key must be saved on the computer somewhere. For more in-depth coverage of the obfuscation techniques that are used, check out SysKey and the SAM.

Windows tries very hard to prevent administrative users from being able to read/write the hashes directly, and normally only lsass.exe running as the SYSTEM user is able to read the hashes.

However, I'm sure you've encountered tools that bypass these protections. For example, fgdump is capable of exporting password hashes from a live system by injecting code into lsass.exe, although that can potentially crash the entire system. And there are a wide variety of bootable tools that can overwrite password hashes when Windows isn't running.

Although it is theoretically possible to replace user passwords, you'll first need to circumvent a wide variety of protections built into the Windows operating system. Any of these methods have the potential to destabilize your system, and should never be used in a production environment.
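The answer above contrasts the old world-readable /etc/passwd with the root-only /etc/shadow. The script below is an added example, not code from the answer's author: it audits a passwd-format file for accounts whose hash still sits in the world-readable file instead of being shadowed, and checks that the shadow file grants no permissions to "others". The sample passwd content is constructed for the demonstration; the helper names and the use of GNU `stat -c` (with a BSD `stat -f` fallback) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the original answers): audit where password
# hashes live on a Unix host and how the shadow file is protected.

# Print the usernames whose password field holds a hash rather than the "x"
# placeholder that defers to /etc/shadow. Locked markers ("*", "!") and an
# empty field are not hashes and are skipped. Usage: unshadowed_entries FILE
unshadowed_entries() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" && $2 != "" { print $1 }' "$1"
}

# Return 0 when FILE grants no permission bits to "others", 1 otherwise.
# Assumes GNU stat (-c) and falls back to BSD stat (-f). Usage: shadow_perms_ok FILE
shadow_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    others=$(printf '%s' "$mode" | tail -c 1)
    [ "$others" = "0" ]
}

# Constructed sample passwd file: "legacy" still carries a hash inline,
# which is exactly the pre-shadow situation the answer describes.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
legacy:$6$saltsalt$constructedhashvalue:1001:1001:Legacy:/home/legacy:/bin/sh
svc:*:1002:1002:Service:/nonexistent:/usr/sbin/nologin
EOF

echo "Accounts with an unshadowed hash in $SAMPLE_PASSWD:"
unshadowed_entries "$SAMPLE_PASSWD"

# On a real host the same two checks would be run against the system files:
#   unshadowed_entries /etc/passwd
#   shadow_perms_ok /etc/shadow && echo "shadow permissions ok"
```

Running the block on the constructed file reports only `legacy`; pointing the two functions at /etc/passwd and /etc/shadow gives a quick read on whether a host has regressed to the world-readable layout the answer warns about.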


No, you can't.

Food for thought: If you work for a company of moderate size, there's likely a policy in place disallowing people in IT (or other areas) from impersonating other users without their explicit consent. If your company doesn't have a policy like this in place, you should strongly consider it.