Hi,
My MD has decided he needs access to 6 XP workstations on our domain, therefore has asked me for the passwords. Now, I don't really think this is good but he is the MD and I don't wanna know what he wants that access for although I have a pretty good idea!
Is there a simple way for me to "crack" the 6 passwords, there are around 100 user accounts in all so it's by no means a large database/SAM to crack. I have suggested I simply reset the passwords in AD and set it to prompt the users next time they logon but that's not good enough.
Anyone have any ideas, have read good posts on here but haven't got the 5 days or so to unravel the accounts..
Does he need access to the machines or the actual user accounts?
You could easily elevate his access rights so that he has access to the machines, but I don't know about cracking the passwords for the user accounts. Seems a little unethical to me.............
I think you will have a real tough time cracking the passwords to be honest. The only easy way I could think of off the top of my head would be to put some kind of keylogging software on the PCs in question.
To be honest, you could (and by that I mean your company) find yourselves in legal hot water over something like this. Unless you have some kind of cast iron disclaimer that all users of your system have to sign before they can access it.
Data protection act and all that ...
Dom aka Modey
Other quals :- HND-Computer Studies, ECDL, C&G/NCC Application Programming, C&G/RTEEB Electronic Servicing, C&G Microcomputer Technology.
“I think you will have a real tough time cracking the passwords to be honest. The only easy way I could think of off the top of my head would be to put some kind of keylogging software on the PCs in question.
To be honest, you could (and by that I mean your company) find yourselves in legal hot water over something like this. Unless you have some kind of cast iron disclaimer that all users of your system have to sign before they can access it.
Data protection act and all that ...”
I agree... if the company is going to do anything like monitoring/viewing docs or emails then it needs to have advised the employees beforehand in some sort of Acceptable Use Policy that they shouldn't use the company hardware or software for personal/private use and that they will be subject to some sort of checks.
If not, then legally I would think the MD and the company would be in deep water if they were found to be checking up on employees.
And if any data was viewed by the MD with a higher permission level or having gotten the user password, then data obtained in such a way would be inadmissible when being used against the employees in question... unless I have misunderstood what you're trying to say here...
"He looks like a man, but he's a legend, and his name is... Boson Michael."
Certs: MCITP:EST; MCTS:Vista; MCDST; MCP; A+; Net+; ITIL v3 Foundation
“Is there a simple way for me to "crack" the 6 passwords, there are around 100 user accounts in all so it's by no means a large database/SAM to crack. I have suggested I simply reset the passwords in AD and set it to prompt the users next time they logon but that's not good enough”
As you have a domain environment the user account and password details are not stored locally on the clients. They are encrypted and stored in the active directory database on domain controllers. This is much more secure than a local SAM.
I personally would do some research on the legality of circumventing this.. it probably is possible but it is most likely infringing the privacy rights of the employees.
"A child of five could understand this. Fetch me a child of five." <Groucho Marx>
you don't mention why the md wants the passwords, but i suspect they would like to see what certain users are up to?
there is a legitimate way of doing this;
* make users aware that the equipment they use is company property, subject to auditing and for company use only (if not already in place)
* activate auditing
* check isa, ad and exchange logs
* most places have "my doc's" GPO'd as exclusive - this can be turned off
* educate your users. if people are aware what can be tracked/monitored, some problems have a habit of stopping.
If you want to recover passwords from within AD I would say the simplest option would be a keylogger as suggested.
UPDATED
Of course you could take a backup, reset the passwords to gain access out of hours then do a restore from the backup. This is by no means the easy option.
Jesus Saves - Buddha Does Incremental Backups
Last edited by JohnBradbury : 04-Feb-2008 at 08:34 PM.
Reason: extra info
“Hi,
My MD has decided he needs access to 6 XP workstations on our domain, therefore has asked me for the passwords.”
What does he need access to though? Just make him a domain admin and map a drive to \\<computer>\c$ and then he can browse to the My Docs of that user if required.
For email if you are running Exchange then go to https://<exchange server>/exchange/<user account> and then you can log onto the user's mailbox by using your own credentials.
Thanx to all who helped, as I said originally I really don't want to know what his motives are !! I have simply suggested he asks his board team for their passwords, then he can explain to them why, which he has done..
if you did want to crack the passwords it shouldn't be terribly difficult. if you are a domain admin then just download ophcrack with the largest downloadable hash file available (you'll see the options during install) and run the program against a domain controller. it'll pull the sam file and start cracking. if you have a server that isn't in use or even one that just isn't a taxed box you can run it on that and crack them ridiculously quick. i cracked about 65k passwords here at work in 3 days.