Active Directory User Password

Question

Dears,

Is it possible for a user possessing domain admin privileges within an Active Directory setup on a Windows Server 2012R2 can acquire another AD user's password using various tools without the need to a password reset. We've had a debate about this at work and are curious to know the definitive answer.

Answer 1

Hello Ali,

No, it is not possible for a user with domain admin privileges to acquire another AD user's password without resetting it. This is because passwords are stored in a hashed format in Active Directory, which means they cannot be retrieved in their original form. The only way to access a user's password is by resetting it, which requires the user to create a new password. It is important to note that attempting to access another user's password without their consent or a legitimate reason is a violation of security policies.

Hope this helps.

Thanks,

Answer 2

even if the user used any of the tools ?

Answer 3

If your debate at work is about the technical possibility of domain administrators using tools to retrieve the actual original password of a user, then the answer is no – domain administrators cannot retrieve the original password of a user. They can only reset it to a new value.

Thanks,

Answer 4

Thank you alot for clarifying

Answer 5

Hello Ali ElHusseiny,

Thank you for posting in Microsoft Community forum.

Hope the information provided by Mr. Trust_A is helpful.

Here is a similar thread from other forum for your reference.

Can an administrator of a Windows domain see a user's password? - Super User

If you have any question or concern, please feel free to let us know.

Have a nice day!

Best Regards,
Daisy Zhou