🎙️ In this episode, Craig Birch dives into a critical but often overlooked AD misconfiguration: accounts that allow password storage with reversible encryption.
This setting can bypass your domain password policies and expose credentials to plaintext extraction by tools like Mimikatz or DCSync.

🔍 What You’ll Learn:

• Why reversible password encryption is still found in AD environments
• How it allows attackers to dump plaintext passwords
• How to find accounts with this setting using PowerShell
• Steps to remediate and eliminate this risky configuration
• Why this setting defeats complexity, length, and hashing protections

🛠️ PowerShell Spotlight:# Find users with reversible encryption enabled

Get-ADUser -Filter {AllowReversiblePasswordEncryption -eq $true} `

-Properties AllowReversiblePasswordEncryption |

Select-Object Name, SamAccountName

# Optional: Remediate the setting

Set-ADUser username -AllowReversiblePasswordEncryption $false

✅ Use this to eliminate one of the most easily exploitable password risks in AD.

✅ Quick Takeaways:

• Reversible encryption = plaintext storage risk

• Bypasses password complexity and policy protections

• Vulnerable to Mimikatz, DCSync, and backup extraction

• Use PowerShell to quickly find and fix weak accounts

• Audit user provisioning workflows to prevent reintroduction

💬 Like what you heard? Give us a thumbs-up, comment, or drop a topic you’d like covered in 10 minutes or less.

📌 Powered by Guardians of the Directory