Password of managed local admin account

Viewing password settings in Active Directory Users and Computers

Once everything is configured, and Group Policy has refreshed on the clients, you can look at the properties of the computer object and see the new settings. The password can be stored encrypted or unencrypted. Encrypted passwords contain a keyID prefix.

Example: Plain text Password as stored in AD

Example: Encrypted Password stored in AD and enrypted by key with ID = 4

Using Fat Client UI

Fat Client UI is a graphical interface available (Fat Client) that can be installed standalone, in a network share or as an add-in to Active Directory Users and Computers. You can find it in Start screen / menu:

What happens if a user who hasn’t been granted rights to see the local Administrators password tries to access it? If they were to gain access to the GUI interface the password won’t be displayed.  They are also given an Access Denied message.

Note: If they have installed the RSAT tools and run Active Directory Users and Computers (ADUC) to view the password it will show as .

Note: Even for users with permissions to read the content of the attribute ms-MCS-AdmPwd (event members of Domain Admins) it is not possible to know the passowrd directly in AD as long as password is stored encrypted - They can only see encrypted value for password rather than actual password. This is a great advantage compared to Microsoft LAPS: Password encryption significantly decreases the chance for password leak due to permission misconfigurations.

This information is not seen because only the Decryption Service can read the password. Membership in the Password Readers group tells the service that it is allowed to reveal the password to the user.

Password Expiration Time

The Expiration time is stored as the number of 100-nanosecond intervals that have elapsed since the 0 hour on January 1, 1601 until the date/time that is being stored. The time is always stored in Greenwich Mean Time (GMT) in the Active Directory.

If you want to manually convert it use this command:

w32tm /ntte <number you want to convert>

Retrieving passwords with PowerShell

You can also get the password using PowerShell. You may need to run Import-module AdmPwd.PS if this is a new window.

This command retrieves password for a computer and shows password history:

Get-AdmPwdPassword -ComputerName <computername> -IncludeHistory | select -expand PasswordHistory

Passwords can also be retrieved from deleted computer accounts:

Get-AdmPwdPassword -ComputerName <computername> -IsDeleted

Note: Retrieval of password from deleted computer object can only currently be done through PowerShell.