Re: Need to read "Store password in reversible encryption for all users in the domain"



Thanks for your response -

I always avoid the LDAP provider like the plague. In this case, I want to
be able to check this on standalone servers that are not members of domains,
as well as servers in domains. Your doc
http://www.rlmueller.net/WinNT_LDAP.htm suggests that one can't use the LDAP
provider on a server that isn't in a domain - because the local SAM isn't
LDAP compliant. Is that correct? If so, it may mean I am hosed in this
case.

Even worse, for LDAP-phobes, this attribute may not even be available using
the WinNT provider, though I haven't researched this.

What do you think?

Regards -

"Richard Mueller" <rlmueller-NOSPAM@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:uCjRKwS%23GHA.4428@xxxxxxxxxxxxxxxxxxxxxxx
Raymond Vought wrote:

Does anybody know how to return the "Store password in reversible
encryption for all users in the domain" setting on the local security
password policy setting?

The resultant will do, whether it is set locally or by domain policy.

A bit of the userAccountControl attribute of the user object controls
this. As far as I know, the setting can be different for different users.
A VBScript program to check a specified user:
==================
' Bit of userAccountControl that allows the password to be stored
' using reversible encryption.
Const ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = &H80

' Bind to the user object (example distinguished name).
Set objUser = GetObject("LDAP://cn=Jim User,ou=Sales,dc=MyDomain,dc=com")
lngFlags = objUser.userAccountControl

' Test the bit with a bitwise AND.
If (lngFlags AND ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED) <> 0 Then
    Wscript.Echo "Store password using reversible encryption set"
Else
    Wscript.Echo "Store password using reversible encryption NOT set"
End If
==============
To retrieve all users where this is set, use the following filter:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=128))

To retrieve all users where this is NOT set, use:

(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=128)))

You can use these filters in ADUC. Or, see this link for using ADO to
retrieve info on users, which explains how to use these filters:

http://www.rlmueller.net/ADOSearchTips.htm


--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
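
One way to read the policy setting without the LDAP provider, so that it also works on a standalone server (an added example, not part of either post): export the security policy with `secedit` and read `ClearTextPassword` from the `[System Access]` section, then, on a domain member only, list the users that carry the per-user flag using the filter quoted above. The function names are hypothetical; it assumes an elevated PowerShell 3.0+ prompt and that the export reflects the policy in effect on the machine.

```powershell
# Added example, not from the thread. Run elevated: secedit /export needs admin rights.

function Get-ReversibleEncryptionPolicy {
    # Export the machine's security policy to a temporary INF file and read
    # the ClearTextPassword value (1 = enabled, 0 = disabled).
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "secedit failed with exit code $LASTEXITCODE"
        }
        # Get-Content honours the byte-order mark of the Unicode export.
        $hit = Get-Content -Path $cfg |
            Select-String -Pattern '^\s*ClearTextPassword\s*=\s*(\d+)' |
            Select-Object -First 1
        if (-not $hit) {
            throw 'ClearTextPassword not found in the exported policy'
        }
        return ([int]$hit.Matches[0].Groups[1].Value -eq 1)
    }
    finally {
        # The export holds the full account policy; do not leave it behind.
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Get-ReversibleEncryptionUsers {
    # Per-user flag: bitwise-AND match on userAccountControl (128 = &H80),
    # the same filter as in the quoted reply.
    $filter = '(&(objectCategory=person)(objectClass=user)' +
              '(userAccountControl:1.2.840.113556.1.4.803:=128))'
    $searcher = [adsisearcher]$filter
    $searcher.PageSize = 1000   # page results so large domains are not truncated
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $searcher.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] }
}

$enabled = Get-ReversibleEncryptionPolicy
"Policy 'Store passwords using reversible encryption' enabled: $enabled"

# The LDAP query only makes sense on a domain member; skip it on standalone servers.
if ((Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
    'Users with the per-user reversible encryption flag:'
    Get-ReversibleEncryptionUsers
}
```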