
Windows Password Recovery - Active Directory Explorer


Active Directory Explorer is a small utility for viewing, analyzing and editing properties (attributes) of domain accounts, both public and private.

First, select the type of AD database you are going to work with: local or external.

Selecting Active Directory database



When selecting an external database, specify the path to the NTDS.DIT file and to the SYSTEM registry file. The latter is required for decrypting private data. If automatic decryption is enabled, all encrypted attributes of an account are decrypted on the fly. In either case, the editor allows editing both decrypted and raw data.

For safety reasons, the editor mode is available for external databases only!

You should also specify what object you want to display. There are 10 types of domain objects. See the table below.
 

| Domain object | Description |
|---|---|
| User object | An object of class user. A user object is a security principal object; the principal is a person or service entity running on the computer. The shared secret allows the person or service entity to authenticate itself. |
| Global domain object | Represents a typical domain object that does not conform to other types. |
| Computer accounts | Represents a computer object that is associated with individual client or server machines in an Active Directory domain. |
| Domain trusts | Represents a user object that is used for domain trusts. A trusted domain is a domain that is trusted to make authentication decisions for security principals in that domain. |
| Alias objects | A security or distribution group that can contain universal groups, global groups, other domain local groups from its own domain, and accounts from any domain in the forest. Aliases can be granted rights and permissions on resources that reside only in the same domain where the domain local group is located. |
| Aliases which are not used for authorization | Represents an alias object that is not used for authorization context generation. |
| Group objects | A database object that represents a collection of user and group objects and has a security identifier (SID) value. |
| Groups which are not used for authorization | Represents a group object that is not used for authorization context generation. |
| Application-defined groups | An application-defined group. |
| Query groups | An application-defined group whose members are determined by the results of a query. |

Active Directory database source



Once the data source is selected, move on to selecting accounts. Some Active Directory databases contain tens or even hundreds of thousands of domain records. Reading such large databases and populating the list of users may take some time. Selecting a single record shows brief information about it at the bottom: status, whether a password is set and whether it is expired, and the account description. Clicking the 'Next >' button launches the process of gathering and decrypting all available attributes for the selected object.

Active Directory user account


Each attribute consists of a name and a value. For example, 'Common-Name' contains the account name, and the 'Unicode-Pwd' attribute stores its password hash. For a more detailed description of an attribute, select it in the list and then click the link that appears in the description field. Double-clicking the data field opens the selected attribute for editing. When done editing, right-click the text to open the context menu and then save the changes to the ntds.dit file or discard them.

Active Directory explorer and parser


Here is a description of some account attributes. The complete description is available on the Microsoft website.

 
Common-Name
The name of the account.
DBCS-Pwd
Contains the LAN Manager password of the account.
Unicode-Pwd
The password of the user in Windows NT one-way format (OWF). Note that you cannot derive the clear password back from the OWF form of the password.
Lm-Pwd-History
Contains the password history of the user in LAN Manager one-way function format. The attribute is used for compatibility with LAN Manager 2.x clients, Windows 95, and Windows 98.
Nt-Pwd-History
The password history of the user in Windows NT OWF format.
Primary-Group-ID
Relative identifier (RID) for the primary group of the user. By default, this is the Domain Users group.
Bad-Pwd-Count
Contains the number of times the user tried to log on to the account using an incorrect password.
Admin-Count
Indicates that the account is a member of one of the Administrative groups (directly or transitively).
Logon-Hours
The hours during which the user is allowed to log on to the domain.
Last-Logon
The last time the user logged on to the account.
Bad-Password-Time
The last time the user attempted to log on to the account with an invalid password. This value is stored as a large 8-byte integer that represents the number of 100 nanosecond intervals since January 1, 1601 (UTC).
Last-Logon-Timestamp
This is the time that the user last logged into the domain.
Pwd-Last-Set
The date when the password for this account was last changed.
Account-Expires
The date when the account expires. A value of 0 or 0x7FFFFFFFFFFFFFFF indicates that the account never expires.
Supplemental-Credentials
Stores the encrypted version of the user's password. Used in authentication.
User-Account-Control
Flags that control the behavior of the user account. This value can be a combination of one or more of the following values.
0x00000001 Logon script is executed for the account.
0x00000002 The account is disabled.
0x00000008 Home directory is required.
0x00000010 The account is currently locked out.
0x00000020 No password is required.
0x00000040 The user cannot change the password.
0x00000080 The cleartext password is to be persisted.
0x00000100 This is an account for users whose primary account is in another domain.
0x00000200 This is a default account type that represents a typical user.
0x00000800 Trust account for a system domain that trusts other domains.
0x00001000 This is a computer account for a computer that is a member of this domain.
0x00002000 This is a computer account for a system backup domain controller that is a member of this domain.
0x00010000 The password for this account will never expire.
0x00020000 This is an MNS logon account.
0x00040000 The user must log on using a smart card.
0x00080000 The account, under which a service runs, is trusted for Kerberos delegation.
0x00100000 The security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation.
0x00200000 Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
0x00400000 This account does not require Kerberos pre-authentication for logon.
0x00800000 The user password has expired.
0x01000000 The account is enabled for delegation. Enables a service running under the account to assume a client identity and authenticate as that user to other remote servers on the network.
0x04000000 The object is a read-only domain controller (RODC).
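
The following Python code is an added example, not part of the original page or of the product it describes. It decodes a raw User-Account-Control value and the 8-byte timestamp attributes described above into a summary an auditor can review. The flag names are the ones Microsoft documents for these bits (the page lists only descriptions); the `REVIEW` selection, the function names and the sample record are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Bit values from the page's User-Account-Control list; names as documented by Microsoft.
UAC_FLAGS = {
    0x00000001: "SCRIPT", 0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED", 0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD", 0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED", 0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT", 0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT", 0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD", 0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED", 0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED", 0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH", 0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION", 0x04000000: "PARTIAL_SECRETS_ACCOUNT",
}
# Editor's selection of settings worth justifying during an account review (assumption).
REVIEW = {"PASSWD_NOTREQD", "ENCRYPTED_TEXT_PWD_ALLOWED", "DONT_EXPIRE_PASSWORD",
          "TRUSTED_FOR_DELEGATION", "USE_DES_KEY_ONLY", "DONT_REQ_PREAUTH",
          "TRUSTED_TO_AUTH_FOR_DELEGATION"}
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)  # Account-Expires sentinels named on the page
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_uac(value):
    """Return (names of the flags set in value, bits that are not in the table)."""
    names = [name for bit, name in UAC_FLAGS.items() if value & bit]
    return names, value & ~sum(UAC_FLAGS)

def filetime_to_utc(ticks):
    """Convert 100 ns intervals since 1601-01-01 UTC to a datetime; 0 means not set."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10) if ticks else None

def audit(account):
    """Summarise one account from its raw integer attribute values."""
    names, unknown = decode_uac(account["User-Account-Control"])
    expires = account["Account-Expires"]
    return {
        "name": account["Common-Name"],
        "enabled": "ACCOUNTDISABLE" not in names,
        "flags": names,
        "unknown_bits": unknown,
        "review": sorted(REVIEW.intersection(names)),
        "expires": None if expires in NEVER_EXPIRES else filetime_to_utc(expires),
        "bad_password_time": filetime_to_utc(account["Bad-Password-Time"]),
    }
# Constructed sample record, not taken from a real directory.
SAMPLE = {"Common-Name": "svc-backup", "User-Account-Control": 0x410200,
          "Account-Expires": 0x7FFFFFFFFFFFFFFF, "Bad-Password-Time": 131529312000000000}
```

Calling `audit(SAMPLE)` reports an enabled account that never expires and lists the two flags from `REVIEW` that are set; a non-zero `unknown_bits` means the value contains bits outside the table above.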