
I have a requirement for one of my clients that they would like all user passwords stored in the Description field of AD.

Now this is all well and good initially because we use a script to roll out new users. However the problem comes because another one of their requirements is to have passwords changed on logon.

So in effect, they'd like a user to log on initially, change their password, and have that new password automatically saved into an AD attribute.

The only thing I can think of at the moment is to do this via a logon script that shows a password change prompt, performs the change, and logs it into the attribute of that user account, and then change the logon script to the correct one for everyday use.

Is there any other way of doing this through the built-in 'must change password on next logon' setting, or am I already looking at the best way of doing this?



Alright, well, I know it's a bad idea. What I'll end up doing is using a password filter as in one of the answers, saving the passwords outside of Active Directory, and just passing the file on to ICT staff manually.

  • Generally speaking, storing user passwords in an unsecured manner is a bad idea, and there are tools for securely storing shared passwords. Is there a reason why they want to store user passwords in a field that anyone can see? – smassey Jan 28 '13 at 04:09
  • I agree it's a bad idea and have told them, but they continue to say that's what they want. The whole idea is that it's for a small junior school, and if students forget their passwords then the ICT staff can look up the password in AD Users and Computers. – Antix Jan 28 '13 at 04:13
  • This is incredibly stupid. The description field is publicly readable by any user in the domain by default. At least extend the schema and create a new field and restrict access to a specific group. Or better yet, skip that crappy idea, and look for one of the many self-service password reset tools that will permit the user to reset their password on their own. – Zoredache Jan 28 '13 at 04:22
  • Not only is this a horrible idea security-wise, but by implementing this, you're also setting a very bad precedent for the IT staff as well as the students. IT staff need to know how to operate *without* knowing users' passwords, and users need to be empowered to reset their password on demand if needed. If this were my customer, I would flat out refuse to implement their request, and I'd recommend you do the same. – EEAA Jan 28 '13 at 04:25
  • In addition to being a horrible idea, this may well be ***ILLEGAL***, especially given that it concerns schoolchildren. At the very least, I'd think that if the media caught wind of this stupidity, there'd be enough backlash that they'd change their minds... and maybe a few morons would have to find more appropriate careers doing menial labor. – HopelessN00b Jan 28 '13 at 07:22

2 Answers


While I think your idea is insane, there are ways to accomplish this. Active Directory permits you to insert a DLL on Domain Controllers that will capture the password provided by a user. You can do any arbitrary action you like within the filter, such as storing the password.

One example is the Password Filter DLL. This DLL captures the password update event and can call any arbitrary program you like. In the past I had used this to call a Python script which would generate a SHA1 password compatible with Google Apps accounts.

  • Thank you for the answer, I've made an edit to my question but I'll be going with a solution like this. However I'll store the data externally of AD – Antix Jan 28 '13 at 04:36
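The flip side of the answer above is the check a defender wants: the same mechanism that lets an administrator capture every password change also lets an attacker with admin on a Domain Controller do it silently, because LSA loads every name listed in the `Notification Packages` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` from `%SystemRoot%\System32\<name>.dll` at boot. The following PowerShell is an added example, not code from the original answer or from any product it mentions; it enumerates the registered filter DLLs on the local machine and reports whether each one exists, is Authenticode-signed, and is on an expected baseline. The `$expected` list is an assumption for illustration (`scecli` is the filter Windows itself registers); adjust it to what your DC build actually ships.

```powershell
# Added example: audit the password filter DLLs registered with LSA on this host.
# Anything in 'Notification Packages' that is not expected sees every password
# change in cleartext, so treat an unknown or unsigned entry as a finding.
$expected = @('scecli')   # assumption: baseline for this environment, adjust per DC build

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsa = Get-ItemProperty -Path $lsaKey -Name 'Notification Packages'

foreach ($name in $lsa.'Notification Packages') {
    # LSA resolves bare names against System32; the registry stores them without ".dll".
    $dll = Join-Path $env:SystemRoot "System32\$name.dll"
    $sig = if (Test-Path -Path $dll) { Get-AuthenticodeSignature -FilePath $dll } else { $null }

    [pscustomobject]@{
        Package   = $name
        Path      = $dll
        Exists    = [bool]$sig
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        SigValid  = if ($sig) { $sig.Status -eq 'Valid' } else { $false }
        Expected  = $expected -contains $name
    }
}
```

Run it on every Domain Controller (for example via `Invoke-Command -ComputerName` against the list from `Get-ADDomainController -Filter *`), and alert on any row where `Expected` or `SigValid` is false. Because a newly registered filter only takes effect after a reboot, also watch for writes to that registry value and for unexpected DLLs appearing in System32 on DCs; those precede the reboot that activates the capture.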

AD encrypts the passwords, and I don't think there is a way you can intercept a changed password without either a lot of custom programming or a keylogger. It is possible to store passwords using reversible encryption, but it would require a lot of scripting to detect a change, decrypt it, and then change the AD Description field. For all of the effort that will be put into this, it would just be easier to either have the ICT staff reset the password or give the teachers the rights to reset student passwords.

That said, this is a REALLY BAD IDEA. First, the description field, like all others, can be read by any user who can query AD. Second, this violates almost every password best practice that I've ever seen. Under no circumstances should any user's password be stored in the open like that.

  • Intercepting the password changes isn't really all that hard. – Zoredache Jan 28 '13 at 04:31
  • Oh...you are correct. I never ran across the Password Filter DLL before...most of the systems I deal with are AD integrated so there is no need for that type of functionality. – smassey Jan 28 '13 at 04:40
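The second answer mentions storing passwords with reversible encryption. Whether or not anyone pursues the original idea, the practical check is to find out which accounts already have that setting, because each one is effectively a cleartext password waiting for a DC compromise. The following PowerShell is an added example, not code from the original answer; it assumes the ActiveDirectory RSAT module is available and queries the `userAccountControl` bit (0x80, `ENCRYPTED_TEXT_PWD_ALLOWED`) that the "Store password using reversible encryption" checkbox sets.

```powershell
# Added example: list accounts flagged to store their password with reversible encryption.
# The LDAP matching rule 1.2.840.113556.1.4.803 is a bitwise AND, so this matches any
# user whose userAccountControl has bit 0x80 (128) set, regardless of other flags.
Import-Module ActiveDirectory

$reversible = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' `
    -Properties userAccountControl, PasswordLastSet, Enabled

$reversible |
    Select-Object SamAccountName, Enabled, PasswordLastSet,
        @{ Name = 'UAC'; Expression = { '0x{0:X}' -f $_.userAccountControl } } |
    Sort-Object SamAccountName |
    Format-Table -AutoSize

# Remediation for a reviewed account (assumed name, shown for illustration):
# Set-ADUser -Identity 'student01' -AllowReversiblePasswordEncryption $false
# Note that clearing the flag does not remove the cleartext already stored; the
# password must be changed afterwards so the DC stops holding a recoverable copy.
```

The same flag can also be enabled domain-wide through the default domain policy or a fine-grained password policy, so pair this account-level sweep with `Get-ADDefaultDomainPasswordPolicy` and `Get-ADFineGrainedPasswordPolicy -Filter *`, checking `ReversibleEncryptionEnabled` on each.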