How to set MD4 NT Hash in AD?

Guest

Does ANYBODY know how to set the MD4 NT Hash in AD and/or the local SAM??? I
can find and was successful at setting the old DES style password using
NetUserSetInfo - but this does not work for the new MD4 NT hash! It seems
pointless to still offer a way to set the DES password, but not the new "gold
standard" MD4 password...

The reason, in case anyone is wondering, is that I have a need to update AD
as a secondary repository of account information and we can only get the
MD4's not the cleartext password to update.

Any help would be MUCH appreciated.
 
Joe Richards [MVP]

You can not do this. From one simple standpoint, it would bypass the security
mechanisms that are in place to enforce password rules.

I think MS realized that allowing the set by hash was a security issue and that
is why you don't have any new mechanisms to do so; the NET* API is legacy for
manipulating AD.

joe
 
Guest

I just found the latter part out the hard way after comparing what I set with
the Net style funcs and what was pulled from pwdump...

It is a real breaking point for our organization to not be able to import
MD4's - to not even have the option to do it... Basically, the group in the
center of the organization is housing a central portal and feeding (many)
external systems with identity data - including passwords - and they are
unwilling to hand out clear-text passwords...

Thanks for your quick response - any advice would be appreciated,
Michael
 
Joe Richards [MVP]

By feeding am I to guess they are sending you text dumps?

Text dumps are not an option, they need to make their provisioning process
smarter and have it use the proper security APIs to send the info. If you have
SSL on your DCs, then they can use LDAP to set the passwords. See
http://support.microsoft.com/Default.aspx?kbid=269190. If not, the Kerberos
password change mechanism can be used, and if not that, they will need to use
the Windows specific methods.

You may want to look into third party tools that have already worked this stuff
out for Windows and other systems such as PSYNCH or MIIS.
 
