Password Management in Active Directory

Jun 20, 2025

Overview

This lecture discusses central authentication, password management in Active Directory, and proper procedures for handling user password resets and account lockouts.

Central Authentication & Password Hashing

  • Central authentication streamlines password management across multiple machines.
  • Active Directory does not store passwords in plaintext; it stores a one-way cryptographic hash of each password.
  • Hashes are irreversible, so the original password cannot be recovered from the stored value.
  • Avoid sharing credentials; unique accounts are crucial for accurate auditing.

Auditing and Security

  • Auditing allows tracking of user actions across IT infrastructure.
  • Shared accounts prevent effective auditing and compromise security.
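The two bullets above are easier to appreciate when you look at what auditing actually records. The following PowerShell is an added example, not part of the lecture: it pulls the Security-log events a domain controller writes for password changes, administrative resets, lockouts and unlocks, and reports who performed each action. It assumes it runs on (or remotes to) a domain controller where the "Audit User Account Management" and "Audit Account Lockout" subcategories are enabled; the event IDs are the standard Windows Security-log IDs for these actions.

```powershell
# Added example (not from the lecture). Requires a domain controller with
# user-account-management and account-lockout auditing enabled.
$eventNames = @{
    4723 = 'User changed own password'
    4724 = 'Administrator reset password'
    4740 = 'Account locked out'
    4767 = 'Account unlocked'
}

function Get-PasswordAuditTrail {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # a DC; assumed to be the local host
        [int]$Hours = 24
    )
    $filter = @{
        LogName   = 'Security'
        Id        = @($eventNames.Keys)
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Event payload fields live in <EventData><Data Name="...">value</Data>
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Action = $eventNames[$_.Id]
                Target = $data['TargetUserName']    # the account acted upon
                Actor  = $data['SubjectUserName']   # who did it; for 4740 this is the DC itself
            }
        }
}

# Who has been resetting/unlocking accounts in the last day, and how often.
Get-PasswordAuditTrail |
    Where-Object Action -ne 'Account locked out' |
    Group-Object Actor |
    Sort-Object Count -Descending |
    Select-Object Name, Count
```

The Actor column is the whole point of the "unique accounts" rule: if three technicians share one helpdesk login, every 4724 event names that login and the audit trail cannot say which person reset the password.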

Password Reset Procedures

  • IT support often assists users who forget passwords.
  • Only reset a password after confirming the requester’s identity according to organizational policy.
  • Use temporary passwords and require users to change them at next login.
  • For security, never ask users to supply their own temporary password; the helpdesk generates it.
  • Follow any organizational rules for generating and distributing temporary passwords.

Account Lockouts & Unlocking

  • User accounts are locked after too many failed login attempts, per password policy.
  • Administrators must manually unlock accounts in Active Directory.
  • Unlocking an account and resetting a password can be done simultaneously.
  • PowerShell commands may be used for these administrative tasks.

User Password Changes vs. Admin Resets

  • Users changing their password must provide the old password.
  • Admin resets only require a new password and override the old one.
  • Resetting a password may cause users to lose access to files encrypted with EFS.
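The reset procedure (identity check, generated temporary password, change-at-next-logon, unlock) and the contrast with a user-initiated change can be expressed directly with the Active Directory PowerShell cmdlets the lecture alludes to. This is an added example, not code from the lecture; it assumes the RSAT ActiveDirectory module is installed and the caller has reset and unlock rights on the target accounts. The function and parameter names (Reset-HelpdeskPassword, New-TemporaryPassword, Update-OwnPassword, -TicketId) are this example's own.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the lecture). Assumes RSAT ActiveDirectory module
# and delegated rights to reset passwords and unlock accounts.

function New-TemporaryPassword {
    param([int]$Length = 16)
    # 64-symbol alphabet: a random byte modulo 64 is unbiased because 256 is a multiple of 64.
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#'
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

function Reset-HelpdeskPassword {
    # Administrative reset: the old password is NOT needed and is overridden.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$TicketId   # record of the identity check required by policy
    )
    $user = Get-ADUser -Identity $Identity -Properties LockedOut
    $temp = New-TemporaryPassword
    $secure = ConvertTo-SecureString -String $temp -AsPlainText -Force

    if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Reset password (ticket $TicketId)")) {
        # -Reset = admin override; the DC does not ask for the current password.
        # Side effect from the lecture: EFS/DPAPI keys protected by the old password become unusable.
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure
        # The temporary password must be replaced at the next logon.
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true
        # Reset and unlock can be done in the same step.
        if ($user.LockedOut) { Unlock-ADAccount -Identity $user }
    }
    [pscustomobject]@{
        User              = $user.SamAccountName
        WasLockedOut      = $user.LockedOut
        TemporaryPassword = $temp      # deliver through the channel your policy prescribes
        Ticket            = $TicketId
    }
}

function Update-OwnPassword {
    # User-initiated change: the DC verifies the old password before accepting the new one,
    # and the user's DPAPI/EFS keys are re-protected with the new password, so no data is lost.
    param([Parameter(Mandatory)][string]$Identity)
    $old = Read-Host -Prompt 'Current password' -AsSecureString
    $new = Read-Host -Prompt 'New password' -AsSecureString
    Set-ADAccountPassword -Identity $Identity -OldPassword $old -NewPassword $new
}

# Context for the lockout bullet: how many failures trigger a lockout in this domain,
# and which accounts are currently locked.
(Get-ADDefaultDomainPasswordPolicy).LockoutThreshold
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate

# Usage (after verifying the requester per policy and logging it under a ticket):
# Reset-HelpdeskPassword -Identity 'jdoe' -TicketId 'HD-0001' -WhatIf
```

The two Set-ADAccountPassword calls differ only by -Reset versus -OldPassword, which is exactly the distinction the bullets above draw: the first is an override that also breaks EFS access, the second proves knowledge of the current password and keeps the user's keys intact. If the generated password happens to miss a character class required by the domain policy, Set-ADAccountPassword throws and you simply run the reset again.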

Key Terms & Definitions

  • Central Authentication — system that allows users to authenticate across multiple services with a single set of credentials.
  • Cryptographic Hash — a one-way algorithm that converts a password into a fixed-length string from which the original password cannot be recovered.
  • Auditing — tracking and analyzing user actions to identify who did what within IT systems.
  • Active Directory (AD) — Microsoft service for network resource authentication and management.
  • Password Policy — rules governing password usage, like lockout thresholds and complexity requirements.
  • EFS (Encrypting File System) — NTFS feature for encrypting files; the file keys are protected by a key derived from the user's password, which is why an administrative reset can make those files unreadable.

Action Items / Next Steps

  • Review your organization’s policies on password resets and temporary password distribution.
  • Learn the steps to reset and unlock accounts in Active Directory.
  • Prepare to discuss password policies in relation to Group Policy Objects (GPOs).