From: ActiveDir-owner@xxxxxxxxxxxxxxxx <ActiveDir-owner@xxxxxxxxxxxxxxxx> on behalf of Nidhin CK <nidhinck@xxxxxxxxxxxxxxxx>
Sent: Tuesday, November 12, 2019 10:56 AM
To: ActiveDir@xxxxxxxxxxxxxxxx <ActiveDir@xxxxxxxxxxxxxxxx>
Subject: Re: [ActiveDir] unicodePwd attribute value via Powershell
From the tweet, it is clear that we need to check the metadata of the user object to compare the values of the unicodePwd attribute with the pwdLastSet attribute. I was looking for a way to get these details without using repadmin showmetadata. Looks like it is not possible. I will follow the repadmin /showmeta method.
Regards,
Nidhin.KC
From: ActiveDir-owner@xxxxxxxxxxxxxxxx <ActiveDir-owner@xxxxxxxxxxxxxxxx> on behalf of Jorge de Almeida Pinto <jorge@xxxxxxxxxxxxxxxx>
Sent: Tuesday, November 12, 2019 1:46 AM
To: ActiveDir@xxxxxxxxxxxxxxxx <ActiveDir@xxxxxxxxxxxxxxxx>
Subject: RE: [ActiveDir] unicodePwd attribute value via Powershell
To see if the user is changing/resetting (SSPR) the password, check the pwdLastSet attribute.
Regular users do not have the permissions to check “change pwd at next logon”.
For 100% certainty, check the metadata of the unicodePwd attribute on the object.
Met Vriendelijke Groeten / Cumprimentos / Kind Regards,
Jorge de Almeida Pinto
MVP Enterprise Mobility And Security | MCP/MCSE/MCITP/exMCT
MVP Profile | Blog | Facebook | Twitter
From: ActiveDir-owner@xxxxxxxxxxxxxxxx <ActiveDir-owner@xxxxxxxxxxxxxxxx> On Behalf Of Joe Kaplan
Sent: Monday, November 11, 2019 21:10
To: activedir@xxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] unicodePwd attribute value via Powershell
I'm pretty certain that if you set pwdLastSet to -1, it will set the actual value of the attribute to "now", which will also make it appear as if the password was changed when it wasn't. Once again, you need permissions to do this. It is a slightly different way to do this than the method Sean described in his post.
Joe K.
On Mon, Nov 11, 2019 at 1:03 PM Brian Desmond <brian@xxxxxxxxxxxxxxxx> wrote:
Look at the replication metadata for the attribute.
Unless you delegate a service account owner the rights to write to pwdLastSet, what’s in the tweet doesn’t apply here…
Thanks,
Brian
From: ActiveDir-owner@xxxxxxxxxxxxxxxx <ActiveDir-owner@xxxxxxxxxxxxxxxx> On Behalf Of Nidhin CK
Sent: Monday, November 11, 2019 11:57 AM
To: ActiveDir@xxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] unicodePwd attribute value via Powershell
Thanks, Brian. I understand that this attribute holds the PWD info. But is there any way to get the last modified time of this attribute? The goal is to find out if service account owners are really updating the password or just updating the pwdLastSet attribute value.
Regards,
Nidhin.CK
From: ActiveDir-owner@xxxxxxxxxxxxxxxx <ActiveDir-owner@xxxxxxxxxxxxxxxx> on behalf of Brian Desmond <brian@xxxxxxxxxxxxxxxx>
Sent: Monday, November 11, 2019 9:12 PM
To: ActiveDir@xxxxxxxxxxxxxxxx <ActiveDir@xxxxxxxxxxxxxxxx>
Subject: RE: [ActiveDir] unicodePwd attribute value via Powershell
It’s only accessible via the APIs that DCs use to replicate with each other. Even then, the value is stored as a one-way hash.
Thanks,
Brian
From: ActiveDir-owner@xxxxxxxxxxxxxxxx <ActiveDir-owner@xxxxxxxxxxxxxxxx> On Behalf Of Nidhin CK
Sent: Monday, November 11, 2019 3:59 AM
To: activedir@xxxxxxxxxxxxxxxx
Subject: [ActiveDir] unicodePwd attribute value via Powershell
Hi,
Is there any way to get the value of the unicodePwd attribute via Powershell? I tried the script below, but it does not pull the value.
# Collect every attribute the User class may hold, then request them all for one account
$properties = Get-ADObject -SearchBase (Get-ADRootDSE).SchemaNamingContext -Filter {name -eq "User"} -Properties MayContain,SystemMayContain |
    Select-Object @{name="Properties";expression={$_.MayContain + $_.SystemMayContain}} |
    Select-Object -ExpandProperty Properties
Get-ADUser -Identity username -Properties $properties | fl $properties
I can get these details from the cmdlet below, but I'm trying to get the details via AD cmdlets.
$userdn = "UserFQDN"
repadmin /showmeta $userdn | Select-String unicodepwd,pwdlastset
Thanks,
Nidhin.CK
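An added example, not code from anyone in this thread: the check Brian and Jorge describe (compare the replication metadata of unicodePwd with that of pwdLastSet) done with the AD module's Get-ADReplicationAttributeMetadata cmdlet rather than repadmin /showmeta. Querying the PDC emulator, the 120-second tolerance and the "svc*" naming convention are assumptions for the example.

```powershell
# Added example (not from the thread). Needs the RSAT ActiveDirectory module and read
# access to replication metadata, which any authenticated user normally has.
Import-Module ActiveDirectory

function Test-PasswordReallyChanged {
    param(
        [Parameter(Mandatory)][string]$Identity,       # sAMAccountName or DN
        [string]$Server = (Get-ADDomain).PDCEmulator,   # assumption: PDCe sees every change first
        [int]$ToleranceSeconds = 120                    # assumption: both writes land together
    )

    $user = Get-ADUser -Identity $Identity -Server $Server -Properties pwdLastSet
    $meta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName `
                -Server $Server -Properties unicodePwd, pwdLastSet

    $pwd = $meta | Where-Object { $_.AttributeName -eq 'unicodePwd' }
    $pls = $meta | Where-Object { $_.AttributeName -eq 'pwdLastSet' }

    # A genuine password change writes unicodePwd and pwdLastSet in the same operation, so
    # their originating timestamps agree. Rewriting pwdLastSet alone (0, then -1) moves only
    # pwdLastSet, leaving the unicodePwd timestamp and version where they were.
    $gapSeconds = ($pls.LastOriginatingChangeTime - $pwd.LastOriginatingChangeTime).TotalSeconds

    $verdict = if ($user.pwdLastSet -eq 0) {
        'MustChangeAtNextLogon'
    } elseif ([math]::Abs($gapSeconds) -le $ToleranceSeconds) {
        'PasswordChanged'
    } else {
        'pwdLastSetRewrittenOnly'
    }

    [pscustomobject]@{
        User              = $user.SamAccountName
        PwdLastSet        = [datetime]::FromFileTime($user.pwdLastSet)
        UnicodePwdChanged = $pwd.LastOriginatingChangeTime
        UnicodePwdVersion = $pwd.Version
        PwdLastSetChanged = $pls.LastOriginatingChangeTime
        PwdLastSetVersion = $pls.Version
        GapSeconds        = [int]$gapSeconds
        Verdict           = $verdict
    }
}

# Sweep the service accounts (assumed naming convention: sAMAccountName starts with "svc").
Get-ADUser -Filter 'SamAccountName -like "svc*"' | ForEach-Object {
    Test-PasswordReallyChanged -Identity $_.SamAccountName
} | Format-Table -AutoSize
```

The Version column is the second signal: each real change increments the unicodePwd version, so an account whose pwdLastSet version keeps climbing while unicodePwd stays put is only having its timestamp refreshed.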