Ldap – Faking a massive password change in Active Directory

active-directory, ldap

I'm configuring a Zentyal box as a gateway. For proxy authentication I'm trying to synchronize Zentyal with an AD via LDAP according to Zentyal's documentation: http://doc.zentyal.org/en/directory.html#configuring-zentyal-as-a-slave-of-windows-active-directory

The problem is that Zentyal can only synchronize a user when the user is new or when their password is changed.

Does anyone know how I can make a massive (fake) password change, reading a user's password and resetting it with the same string? Or is there a way to get all the user passwords so I can do the resets by hand?

Does anyone have an alternative solution for this?

Thanks

Best Answer

I had a paragraph typed up about changing the pwdLastSet attribute to trick AD into thinking that the password was recently changed.

But that's not what you need. What the application seems to need is to have the password changed once a password filter has been installed on the domain controller that will send a copy of the password over to the application.

So - what you're looking for isn't possible. The cryptographic transform used to store an AD password is not reversible; it cannot be retrieved once stored. Tools are available to attack those stored hashes, but they will not reliably retrieve all of your users' passwords (unless they all use weak passwords). The other option is to use the "reversible encryption" mode, which won't do you any good unless it's already enabled.

Your best bet is to install the password filter so that updates are making it to the application, then modify your group policy password settings to have all your users' passwords expire in the next week or two.
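The procedure the answer recommends (install the password filter, then make every user change their password) can be driven from PowerShell with the ActiveDirectory RSAT module. The script below is an added example, not code from the answer or from Zentyal; the OU distinguished name is an assumed placeholder, and it assumes Domain Admin rights and that the filter DLL is already registered on every writable domain controller. It shows the policy route the answer suggests (shorten MaxPasswordAge) and the more direct variant (flag each user to change their password at next logon), plus the check a practitioner wants afterwards, so pick one of the two options rather than running both blindly.

```powershell
# Added example, not from the original answer. Assumes the password filter is
# already installed on every writable DC, the ActiveDirectory module is present,
# and the caller is a Domain Admin. $TargetOU is an assumed placeholder.
Import-Module ActiveDirectory

$Domain   = (Get-ADDomain).DNSRoot
$TargetOU = "OU=Users,DC=example,DC=com"   # assumed; point this at your user OU

# Option A (what the answer suggests): let passwords expire within two weeks by
# shortening the default domain policy. Caveats: only users whose pwdLastSet is
# older than 14 days are affected, accounts with PasswordNeverExpires are exempt,
# and the change is domain-wide, so service accounts are hit as well.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain -MaxPasswordAge (New-TimeSpan -Days 14)

# Option B: force "must change password at next logon" for every enabled user
# in the OU. The user is prompted at their next interactive logon, at which
# point the filter on the DC receives the new cleartext password.
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $TargetOU `
            -Properties PasswordNeverExpires, pwdLastSet

foreach ($u in $users) {
    if ($u.PasswordNeverExpires) {
        # Set-ADUser refuses -ChangePasswordAtLogon $true while this flag is set,
        # and the policy change in Option A ignores such accounts as well.
        Set-ADUser -Identity $u -PasswordNeverExpires $false
    }
    Set-ADUser -Identity $u -ChangePasswordAtLogon $true
}

# Verification: pwdLastSet of 0 means the user is flagged to change at next logon.
# Anything still listed here has not been flagged and will not reach the filter.
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $TargetOU -Properties pwdLastSet |
    Where-Object { $_.pwdLastSet -ne 0 } |
    Select-Object SamAccountName,
        @{ Name = 'PwdLastSet'; Expression = { [DateTime]::FromFileTime($_.pwdLastSet) } }
```

Neither option recovers existing passwords; both simply guarantee that a fresh password passes through the filter on the DC. Scope the SearchBase to interactive users so that service accounts, which cannot respond to a change-at-logon prompt, are handled separately.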