Question
Some customers would like to know how the user password is stored in Active Directory and how to view and modify it.
Answer
The users' password hash is stored in the Active Directory on a user object in the unicodePwd attribute. Instead of storing your user account password in clear-text, Windows generates and stores user account passwords by using two different password representations, generally known as "hashes." When you set or change the password for a user account to a password that contains fewer than 15 characters, Windows generates both a LAN Manager hash (LM hash) and a Windows NT hash (NT hash) of the password. These hashes are stored in the local Security Accounts Manager (SAM) database or in Active Directory.
This unicodePwd attribute can be written under restricted conditions, but it cannot be read due to security reasons. The attribute can only be modified; it cannot be added on object creation or queried by a search. In order to modify this attribute, the client must have a 128-bit Secure Socket Layer (SSL) connection to the server. For this connection to be possible, the server must possess a server certificate for a 128-bit RSA connection, the client must trust the certificate authority (CA) that generated the server certificate, and both client and server must be capable of 128-bit encryption.
More Information
How To Change a Windows 2000 User's Password Through LDAP
http://support.microsoft.com/default.aspx?scid=kb;EN-US;269190
How to set a user's password with Ldifde
http://support.microsoft.com/default.aspx?scid=kb;EN-US;263991
Should you worry about password cracking?
http://blogs.technet.com/jesper_johansson/archive/2005/10/13/410470.aspx
How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases
http://support.microsoft.com/kb/299656
Applies to
Windows Server 2003/R2, Windows Server 2008/R2