How to save/restore a Windows AD password?

Solution 1:

For a local computer, you can simply do it by copying the c:\windows\system32\config\sam file to a temporary one. Once you're finished, just copy it back.
But you can't do that while Windows is running. So you have to use a Linux CD, or boot from a Windows CD and open a command line.

For the first part, you can do it online with runas as the system account, or with a shadow copy. So this is an easy step.
The last part must be done offline. If anyone finds out how to do it online, I'll be happy to know how.

Note you can have a problem if you check for password reuse.

The problem is: this doesn't work with Active Directory, because you don't want to reboot your server in the middle of the day. And if you have several domain controllers, this doesn't work at all.

Some software can do it on the fly. I used one whose name I forget (it has "migration" in its name), and it is overkill for this use. I don't know if it still exists or if it works for 7 or 2008. Maybe a lighter tool exists, but I don't know of one.

Solution 2:

This is a bad idea for a few reasons:

It circumvents the audit trail
When you change a user's password to impersonate them and then change it back, there is a trail that you did it. That gives you deniability and protects you if anything happens with that user's account. It would be really bad policy to allow this trail to be circumvented.

Imagine that an employee is fired for having child pornography. If you have a policy of swapping this hash in and out at will, there is little-to-no way to prove that the employee was the one that did it rather than you. If you were to reset the password, there is a clear log entry about it which will isolate the times that you were logged in as that user.

It's extremely difficult to do
While theoretically possible to do, you have to modify a whole bunch of stuff that would leave your Active Directory in an unsupported state. This is obviously not a good thing to do. Or you can store the passwords in Reversible Encryption, but doing so is a really bad idea.

It reduces communication between you and the users
Part of being good at supporting users is communicating with them. By having to set and then reset their password when impersonation is absolutely required, you are forced to get in touch with that user and explain what happened and why. It gives more of a sense of trust than just logging in one morning and seeing that things are different.
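The "clear log entry" the second answer relies on is Security event 4724 (an administrative password reset, as opposed to 4723, a user changing their own password). The following is an added example, not code from either answer: it runs on a domain controller and lists those resets, then pairs consecutive resets of the same account, because a reset followed by a second reset brackets exactly the window in which someone else could have been logged in as that user. It assumes an elevated session on a DC with "Audit User Account Management" success auditing enabled (the DC default) and the events still present in the Security log.

```powershell
# Added example, not part of either answer: review administrative password resets
# (Security event 4724) on a domain controller and show the windows between
# consecutive resets of the same account.
# Assumes: elevated session on a DC, "Audit User Account Management" success
# auditing enabled (DC default), events not yet rolled out of the Security log.
param([int]$Days = 30)

$filter = @{ LogName = 'Security'; Id = 4724; StartTime = (Get-Date).AddDays(-$Days) }

# Flatten each event's EventData into a small object: who reset whose password, and when.
$resets = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        ResetBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Target  = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
    }
}

"Administrative password resets in the last $Days days:"
$resets | Sort-Object Time | Format-Table -AutoSize

# Two resets of the same account in sequence bound the period in which the
# account may have been used by whoever performed the first reset.
"Consecutive resets of the same account (review these windows):"
$resets | Group-Object Target | ForEach-Object {
    $seq = @($_.Group | Sort-Object Time)
    for ($i = 1; $i -lt $seq.Count; $i++) {
        [pscustomobject]@{
            Target     = $_.Name
            WindowFrom = $seq[$i - 1].Time
            WindowTo   = $seq[$i].Time
            FirstBy    = $seq[$i - 1].ResetBy
            SecondBy   = $seq[$i].ResetBy
        }
    }
} | Format-Table -AutoSize
```

Run it as `.\Find-PasswordResets.ps1 -Days 7` (the script name is a placeholder) to narrow the period; correlate the reported windows with logon events for the target account to see what was done while it was under someone else's control.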