NLTEST Flags – what does 0x20000 mean?

Requires NetTools 1.29.31 beta or later

When running the NLTEST /DSGETDC command against a domain controller that is Windows 2012R2 or later, the command displays the normal flags plus an extra flag shown as '0x20000'. What does the 0x20000 flag mean? First of all, it's not an error code: Microsoft added an additional feature to Windows 2012R2 and later DCs, but NLTEST hasn't been updated to display this flag correctly; even the Windows 2019 version doesn't have this flag defined.

The results displayed by NLTEST /DSGETDC are the information returned by the DsGetDcName API; this information is defined in the DOMAIN_CONTROLLER_INFO structure.

LPSTR DomainControllerName;
LPSTR DomainControllerAddress;
ULONG DomainControllerAddressType;
GUID DomainGuid;
LPSTR DomainName;
LPSTR DnsForestName;
ULONG Flags;
LPSTR DcSiteName;
LPSTR ClientSiteName;

The Flags member has the following definitions in the dsgetdc.h file

#define DS_PDC_FLAG 0x00000001 // DC is PDC of Domain
#define DS_GC_FLAG 0x00000004 // DC is a GC of forest
#define DS_LDAP_FLAG 0x00000008 // Server supports an LDAP server
#define DS_DS_FLAG 0x00000010 // DC supports a DS and is a Domain Controller
#define DS_KDC_FLAG 0x00000020 // DC is running KDC service
#define DS_TIMESERV_FLAG 0x00000040 // DC is running time service
#define DS_CLOSEST_FLAG 0x00000080 // DC is in closest site to client
#define DS_WRITABLE_FLAG 0x00000100 // DC has a writable DS
#define DS_GOOD_TIMESERV_FLAG 0x00000200 // DC is running time service (and has clock hardware)
#define DS_NDNC_FLAG 0x00000400 // DomainName is non-domain NC serviced by the LDAP server
#define DS_SELECT_SECRET_DOMAIN_6_FLAG 0x00000800 // DC has some secrets
#define DS_FULL_SECRET_DOMAIN_6_FLAG 0x00001000 // DC has all secrets
#define DS_WS_FLAG 0x00002000 // DC is running web service
#define DS_DS_8_FLAG 0x00004000 // DC is running Win8 or later
#define DS_DS_9_FLAG 0x00008000 // DC is running Win8.1 or later
#define DS_DS_10_FLAG 0x00010000 // DC is running WinThreshold or later
#define DS_KEY_LIST_FLAG 0x00020000 // DC supports key list requests
#define DS_PING_FLAGS 0x000FFFFF // Flags returned on ping
#define DS_DNS_CONTROLLER_FLAG 0x20000000 // DomainControllerName is a DNS name
#define DS_DNS_DOMAIN_FLAG 0x40000000 // DomainName is a DNS name
#define DS_DNS_FOREST_FLAG 0x80000000 // DnsForestName is a DNS name

As you can see, 0x20000 is defined in the include file as support for Key List Requests; see the Kerberos Protocol Extension [MS-KILE] section 2.2.11 for more information. NetTools includes this decode, and the result from the same server shows that the Key List Request option is supported.

HowTo: Using Search Stats OID 1.2.840.113556.1.4.970

Active Directory and LDS provide a server side control which, when added to a query, returns statistics on the efficiency of the query that was executed. The control is OID 1.2.840.113556.1.4.970, LDAP_SERVER_GET_STATS_OID, and the details can be found here.

The NetTools LDAP Search option provides a simple checkbox to add this server side control to queries. The option is found in the Server Side Controls section and is called Search Statistics. When the query is run and the user has the appropriate permissions, the search statistics are returned.

When the query is executed, the statistics are displayed in the output panel after the results of the query. Below are the statistics returned by a Windows 2016 server.

The version of the operating system running on the server determines which statistics are returned. As Windows has evolved, the level of detail returned by the server has also increased: Windows 2000 only provided 4 different statistics, Windows 2003 increased this to 6, and Windows 2008 increased it to 15 and also introduced a new format which provides more details, but with dynamic fields rather than the older static fields.

NetTools detects the Domain Controller Functional Level of the server and automatically adjusts the control parameters to select the highest level of detail available for the server.

The table below shows which statistics level is returned by each version of Windows:

Stats level             2000   2003/R2   2008/R2   2012/R2   2016   2019
StatsResponseValueV1     x
StatsResponseValueV2            x
StatsResponseValueV3                      x         x         x      x
StatsResponseValueV4                      x         x         x      x

The details for each set of Stats can be found below.  

While NetTools automatically selects the stats level based on the domain controller functional level, it is possible to manually specify the required stats level using the Server Side Controls dialog. To do this, first uncheck the Search Statistics option, then click on the Controls button in the Server Side Controls section and add a control as shown below, with the Value set to 1 for the corresponding V1, V2 or V3 stats supported by the server, or a Value of 5 for the V4 stats.

These are the Statistics returned by a Windows 2019 server with the Value set to 1:

Search Stats:
  Thread Count: 1
  Call Time (ms): 0
  Entries Returned: 3
  Entries Visited: 4
  Filter: ( & (objectClass=user) (name=gary*) ) 
  Index: idx_name:4:N;
  Pages Referenced: 126
  Pages Read: 0
  Pages Pre-Read: 0
  Clean Pages Modified: 0
  Dirty Pages Modified: 0
  Log Records Generated: 0
  Log Records Bytes Generated: 0

These are the Statistics returned by the same query, with the Value set to 5:

Search Stats:
  Thread count: 1
  Call time (in ms): 0
  Entries Returned: 0
  Entries Visited: 0
  Used Filter: ( & (objectClass=user) (name=gary*) ) 
  Used Indexes: idx_name:4:N;
  Pages Referenced: 27
  Pages Read From Disk: 0
  Pages Pre-read From Disk: 0
  Clean Pages Modified: 0
  Dirty Pages Modified: 0
  Log Records Generated: 0
  Log Record Bytes Generated: 0
  Indices required to optimize: 
  Query optimizer state: ( & (objectClass=user:878204) (name=gary*:4) ) 
  Atq Delay: 0
  CPU Time: 0
  Search Signature: b4cce897-7577-b624-5d18-2f5a9e90754f
  Memory Usage: 26744
  JET LV Read: 0
  JET LV Created: 0
  Total call time (in ms): 0
  Total CPU time: 0
  Number of retries: 0
  Correlation ID: e2a4641a-0714-44cc-b1bf-a0b0ca8e055c
  Links Added: 0
  Links Deleted: 0

These are the various Stats data lists:

StatsResponseValueV1 ::= SEQUENCE {
  threadCountTag            INTEGER,
  threadCount               INTEGER,
  coreTimeTag               INTEGER,
  coreTime                  INTEGER,
  callTimeTag               INTEGER,
  callTime                  INTEGER,
  searchSubOperationsTag    INTEGER,
  searchSubOperations       INTEGER
}

StatsResponseValueV2 ::= SEQUENCE {
  threadCountTag        INTEGER,
  threadCount           INTEGER,
  callTimeTag           INTEGER,
  callTime              INTEGER,
  entriesReturnedTag    INTEGER,
  entriesReturned       INTEGER,
  entriesVisitedTag     INTEGER,
  entriesVisited        INTEGER,
  filterTag             INTEGER,
  filter                OCTET STRING,
  indexTag              INTEGER,
  index                 OCTET STRING
}

StatsResponseValueV3 ::= SEQUENCE {
  threadCountTag        INTEGER,
  threadCount           INTEGER,
  callTimeTag           INTEGER,
  callTime              INTEGER,
  entriesReturnedTag    INTEGER,
  entriesReturned       INTEGER,
  entriesVisitedTag     INTEGER,
  entriesVisited        INTEGER,
  filterTag             INTEGER,
  indexTag              INTEGER,
  pagesReferencedTag    INTEGER,
  pagesReferenced       INTEGER,
  pagesReadTag          INTEGER,
  pagesRead             INTEGER,
  pagesPrereadTag       INTEGER,
  pagesPreread          INTEGER,
  pagesDirtiedTag       INTEGER,
  pagesDirtied          INTEGER,
  pagesRedirtiedTag     INTEGER,
  pagesRedirtied        INTEGER,
  logRecordCountTag     INTEGER,
  logRecordCount        INTEGER,
  logRecordBytesTag     INTEGER,
  logRecordBytes        INTEGER
}

StatsResponseValueV4 ::= SEQUENCE OF SEQUENCE {
  statisticName         OCTET STRING,
  CHOICE {
    intStatistic    [0]  INTEGER,
    stringStatistic [1]  OCTET STRING
  }
}

Process Flow for LDAP Search

This is a quick article that shows the process flow of the LDAP Search feature. The LDAP Search feature consists of a number of functions that are used to execute the query and display the results: the main function collects and validates the user inputs, connects to the server and executes the query, then a sub function displays the results and completes any attribute updates. The process shown below starts when the user presses the Go button to execute the query.

HowTo: Display what members were removed from a group

Features shown are only available in NetTools v1.29.11 or later

In this post we look at how to show which members, i.e. users, computers, groups etc., have been removed from a group. Within NetTools this is a simple task using the AD Properties dialog: the Members tab shows the current members of the group but also which objects have been removed and when, as shown in the screenshot below.

To understand how NetTools is able to display this information, we need to look at the msDS-ReplValueMetaData attribute for the group. This attribute contains the metadata for each value of an attribute of the object. We can view the details of the attribute in the Meta Data dialog, which can be opened from the AD Properties dialog using the Meta Data button, or from the various context menus within NetTools.

Here is the Meta Data dialog for the same group shown above. The top section of the dialog shows the details of the msDS-ReplAttributeMetaData attribute, used to store the replication details for the attributes of the object; the lower section shows the metadata from the msDS-ReplValueMetaData attribute, i.e. the replicated values for attributes that have Object (DN-DN) data types, such as member.

In this example you can see the list of changes that have been made to the member attribute of the object. Each change to the member attribute is listed as a separate line, and the line includes Originated, Create and Delete time columns. The Create and Delete columns record when an item was added to or removed from the attribute. When an item is added, only the create time is populated; when the item is subsequently removed, both the create and delete times are set. The create time is retained to ensure that AD replication is consistent. The NetTools AD Properties dialog enumerates the msDS-ReplValueMetaData entries and displays the entries that have the delete time set in the Removals section of the Members tab.

Also See:
NetTools Basics
NetTools AD Properties Dialog
How Group Changes Works

How to decode LogonHours Attribute

In this post we look at the LogonHours attribute, which is used to restrict when a user is allowed to logon, and how to decode this attribute.

The LogonHours attribute has an octet string data type and stores a 21-byte value which defines when a user is allowed to log on. Outside of these hours the user will receive the following error message when they try to log on:

This may be seen as one of the following errors:

Error 1327: Account restrictions are preventing this user from signing in. For example: blank passwords aren't allowed, sign-in times are limited, or a policy restriction has been enforced

Error 1328: Your account has time restrictions that keep you from signing in right now.

The LogonHours attribute is used to define when a user is permitted to log on; it uses the 21-byte data structure to represent the days of the week, with three bytes for each day. The three bytes represent the hours of the day (one bit per hour); the diagram below shows the mapping of the bytes to days and hours.

The user's permitted logon hours are displayed in the properties of the user in Active Directory User and Computers under the Account tab. 

One of the challenges with decoding the LogonHours attribute is that the data is saved based on UTC, as shown in the mapping above; however, Active Directory Users and Computers displays the details based on the local time zone of the computer running ADUC, adjusting the times by the time zone offset. Below, the left hand picture shows the Logon Hours on a computer with the time zone set to UTC, while the right shows the same details on a computer with the time zone set to Melbourne (UTC+10).

The time zone of the Domain Controller which authenticates the user is used to determine whether they can log on or not.

This is the value of the attribute based on the permitted logon hours of Monday to Friday 6am to 7pm on a machine with time zone set to UTC, as shown in the left picture above.

DN> CN=Teena Lee,OU=Domain Users,DC=w2k12,DC=local
> logonHours: 00 00 00 C0 FF 03 C0 FF 03 C0 FF 03 C0 FF 03 C0 FF 03 00 00 00

We can see that this aligns with the mapping above, with the Sunday and Saturday bytes set to zeros. Next, this is the value set for the same time window on a machine with the time zone set to Melbourne (UTC+10):

DN> CN=Teena Lee,OU=Domain Users,DC=w2k12,DC=local
> logonHours: 00 00 F0 FF 01 F0 FF 01 F0 FF 01 F0 FF 01 F0 FF 01 00 00 00 00

The Sunday bytes now have values set, as the time was adjusted by -10 hours before it was saved. Next, this is the value set for the same time window on a machine with the time zone set to Pacific Time (UTC-10):

DN> CN=Teena Lee,OU=Domain Users,DC=w2k12,DC=local
> logonHours (BIN): 00 00 00 00 C0 FF 07 C0 FF 07 C0 FF 07 C0 FF 07 C0 FF 07 00 00 

With this one, the hours data is now written into the Saturday bytes due to the UTC-10 offset.

The LogonHours functionality is limited to a single time zone, and can potentially cause logon issues, if a user travels, or authenticates to a Domain Controller which has a different time zone set.

The AD Properties dialog in NetTools (Version 1.29.7 beta and above) has a Restrictions tab which displays the Logon Hours. By default it uses the local time zone to display this information; however, there is an option to manually adjust the time zone to see the impact on the user's ability to log on.

Below is the code used to display the LogonHours in NetTools. The function is called for each square in the grid, with ACol and ARow defining the square being drawn, and colours the square blue if the corresponding LogonHours bit is set. The function also automatically adjusts the LogonHours based on the local or user selected time zone.

void dgHoursDrawCell(TObject *Sender, int ACol, int ARow, TRect &Rect, TGridDrawState State)
{
   int Index, Col, Row, Mask;
   int Val, Bias;

   // use Col and Row to reflect tz offset
   Col = ACol;
   Row = ARow;

   // change start of week to Monday: the grid shows Monday in row 0 and Sunday
   // in row 6, while the LogonHours bytes start with Sunday
   if (Row == 6) {
      Row = 0;
   } else {
      Row++;
   }

   if (chkLocalTime->Checked) {
      Bias = tz.Bias / 60;  // get local time zone, tz populated when form is loaded
   } else {
      try {
         Bias = StrToInt(cmbTZOffset->Text);  // get user selection
      } catch (...) {
         Bias = 0;  // not a valid number, treat as UTC
      }
   }

   Col += Bias;  // add time zone offset

   if (Col > 23) {  // wrap pointer to start of next day
      Col -= 24;
      Row++;
   }

   if (Col < 0) {  // wrap pointer to end of the previous day
      Col += 24;
      Row--;
   }

   if (Row > 6) Row = 0;  // wrap pointer to valid data
   if (Row < 0) Row = 6;

   if (Col >= 0 && Col <= 7) Index = 0;  // select the correct hours offset bytes
   if (Col >= 8 && Col <= 15) Index = 1;
   if (Col >= 16 && Col <= 23) Index = 2;

   Index += (3 * Row);  // get correct byte
   Mask = 0x1 << (Col % 8);  // create bit mask for hour based on col number

   Val = HourBuffer[Index] & Mask;  // apply mask to check if set

   if (Val) {  // Val is non zero, set square to blue
      dgHours->Canvas->Brush->Color = clBlue;
   } else {
      dgHours->Canvas->Brush->Color = clWhite;
   }

   dgHours->Canvas->FillRect(Rect);  // draw the square
}



HowTo: Dump the Active Directory Database

Sometimes when troubleshooting it can be useful to dump the contents of the AD database. This can then be used to confirm an object exists, or to retrieve the DNT of an object, which enables other troubleshooting activities, or just to be a bit geeky and look under the hood.

In this post we will be looking at the RootDSE Modify Operations. There are a number of RootDSE Modify Operations available which provide advanced operations on domain controllers; the full list of available modifiers is available here.

We will be looking at the DumpDatabase operation, which allows us to dump the contents of the AD to a single text file. The dump file is written to the NTDS folder on the domain controller; by default this is %systemroot%\NTDS, with the file name NTDS.dmp.

Note: as this is going to dump every object in the AD database, make sure you have sufficient space available on the volume hosting the NTDS directory on the selected domain controller before running this query.

By default the dump file contains the following fields:


We can also specify additional attributes to be included in the dump file; however, some security sensitive fields, e.g. passwords, can't be included. We are going to use one of the NetTools predefined queries to complete this task. This task can be completed on the domain controller itself or executed remotely; you just need domain admin rights on the domain controller to run the query.

In NetTools, select the LDAP Search option in the left hand pane under the LDAP section.

As the AD database dump query is an update query we need to complete a few extra steps to run the query:

      1. Click on the Populate button
      2. Select the AD: RootDSE Modify - Dump Database from the list of Favorites
      3. Click on the More button to display the more options
      4. Uncheck the Preview option
      5. Click Go
      6. Confirm that you want to run the query

Once the query is complete, the ntds.dmp will be created in the NTDS directory on the domain controller specified in the Server field. The query is configured to include the description and cn attributes in the dump file; you can specify additional attributes if required by updating the entry in the quotation marks in the Attributes field with a space-separated list of attributes. If a security sensitive attribute is specified, the dump file will contain an error message that the attribute was not found.

One of the limitations of the database dump is that it limits the number of characters returned per field, so if you are trying to dump the contents of a long binary field, e.g. NTSecurityDescriptor, the field will be truncated.

Here is a sample of the database dump: 

Invalid characters for Office365 Sync

Office365 specifies a number of characters that can't be included in a number of key attributes. These invalid characters vary depending on the attribute; for a full list of invalid characters in each attribute see this Microsoft article.

NetTools includes a predefined query that shows which user objects contain these invalid characters. The query is called Users: Invalid characters for O365 and is available in the LDAP Search option. These are the attributes that are included in the search:

        • givenName
        • sn
        • mailNickname
        • proxyAddresses
        • UserPrincipalName 
        • mail

To run the query first select the LDAP Search Option in the left hand pane, then click on the Populate button, shown in the red square below, to connect to the AD and populate the Base DN field.


Once the Populate has finished, select the Users: Invalid characters for O365 query from the Favorites dropdown list. If required, change the BaseDN field to limit the scope of the search and then click Go.  A list of all the user objects that contain invalid characters will be displayed.

The query uses the Regex Display filter option to only display the user objects that have invalid characters. Here are the query properties:

[Users: Invalid characters for O365]
Attributes=userPrincipalName, proxyAddresses;SMTP, givenName, sn,displayName,mailNickname, mail
DisplayFilter=userPrincipalName regx [\"|,/:<>+=;?*'] || givenName regx [\"|,/:<>+=;?*'] || sn regx [\"|,/:<>+=;?*'] || mailNickname regx [\"|,/:<>+=;?*'] || mail regx [\"|,/:<>+=;?*'] || proxyaddresses regx [\"|,/:<>+=;?*']

For more information on the available queries see Predefined LDAP Queries
For details on the favorites option see Favorites

HowTo: Retrieve BitLocker Passwords

If you have configured BitLocker to store the recovery keys in AD, you can use NetTools to retrieve the BitLocker Recovery Key.  With NetTools the process to retrieve the recovery key is really simple.

Select the User - Search option in the left hand pane, make sure that Return Users Only is deselected, and then complete the following steps:

      1. Enter the name of the computer  
      2. Click Go
      3. Open the AD Properties for the computer

Select the BitLocker tab

Select the Recovery Key ID that is displayed on the BitLocker Recovery screen

Note: the BitLocker tab will only be displayed if an msFVE-RecoveryInformation object exists under the computer object and you have the rights to read the object.

NetTools v1.29.0


Sessions *** New ***
A new option to display the existing logon sessions on a machine, and the ability to display which processes are associated with a logon session.

NetTools now includes over 280 predefined LDAP queries
Finally removed the default icon and added a new one
Added the option to add selected item to Resolver on the context menu

ACL Browser
Updated to include the Modify owner rights in the ACE pane
Updated flags view to display an additional tag for each of the various SD flags and flag values
Added context menu to copy the SD to clipboard in SDDL format

AD Properties Dialog
Updated to include the msExchRemoteRecipientType on the Exchange tab
Added capability to manage group membership of the member and memberof attributes
Updated TokenGroup tab to display the source SID rather than 'Error' if the SID can't be resolved
Added sMGS tab to display details associated to Group Managed Service Accounts, with the option to display and copy the current and previous passwords
Updated icons for Managed Service Accounts and Group Managed Service Accounts
Added BitLocker tab to display BitLocker recovery keys

Attribute Dialog
Added context menu to display the Attribute Value dialog with and without attribute Decode
Added context menu to allow the value to be displayed as a Hex Dump
Added context menu to display the schema definition of an attribute

Added a manual flag option, so you can specify the actual flags sent to server

Updated the Clipboard option to display the different data type available in the clipboard and the ability to display the data associated to each clipboard data type
Included the option to display a hex dump of the clipboard data

Connection Profiles
Updated AD Properties and Attributes dialog and Top Quotes to work correctly with Connection Profiles
Updated the Server tab to enable the global catalog to be specified, used specifically for the User Search, AD Properties dialog and the LDAP Search Use GC option
Fixed bug with Anonymous authentication type
Fixed intermittent issue causing the credentials dialog not to be drawn correctly
Fixed bug where profile details were not displayed for the selected profile, if prompted to save unsaved changes

GPO Explorer
Updated to include WMI Filters and AD Sites
WMI Filter name now displayed on GPO allocation screens
Updated the XML parser for GPO Preferences to improve the display of settings
Added additional validation for preferences so only items that have an XML file are shown as having settings

LDAP Browser
Added context menu to allow the DN of objects to be copied to the clipboard

Added a manual flag option, so you can specify the actual flags sent to server

LDAP Search
Fixed bug in Input Mode, where an exception could be caused if a row of input data is missing a column item
Added the option to add additional user specified server side controls
Updated to include Use GC option to use the GC server settings in the Connection Profile
Updated date substitutes to include the StartofDay, EndofDay, StartofUTCDay and EndofUTCDay constants. StartofDay and EndofDay return times based on local time, while StartofUTCDay and EndofUTCDay return times based on UTC, e.g. (&(whencreated>={zdate:startofday})(whencreated<={zdate:endofday})) or (&(whencreated>={zdate:StartofUTCDay})(whencreated<={zdate:EndofUTCDay}))
Added a new substitute, getdn, which returns the DN for the samaccountname provided as the parameter, e.g. {getdn:domain admins}, {getdn:guests}, {getdn:user1}
Substitutions now available on the BaseDN field
Added additional DecodeTypes SD_DACL_COUNT and SD_SACL_COUNT, which return the total number of ACEs in the DACL or SACL, and SD_DACL_EXPCOUNT and SD_SACL_EXPCOUNT, which return the number of explicit (non-inherited) ACEs in the ACL
Added additional DecodeTypes for Group Managed Service Accounts GMSAPWD, GMSAPWD.PWD, GMSAPWD.PPWD, GMSAPWD.QRY, GMSAPWD.UCG
Added additional DecodeTypes for RootKey - KDSPARAM
Added additional DecodeTypes for WMI time and date, WMITIME and WMITIME_UTC
Updated LDAP Filter wizard to support nested subst commands and fixed formatting issues if brackets are included in the subst
Fixed bug in attribute update using escaped binary format
Changed the priority order of the user defined DecodeTypes, so user defined settings take precedence
Added support for the use of environment variables in the filter and attribute fields, e.g. (samaccountname=%username%)
Updated the auto complete feature to work with meta attributes and environment variables
Added the following static Decodes: 

msDS-ManagedPasswordId - GMSAPWDID
msKds-KDFParam  - BINARY
msKds-SecretAgreementParam - BIN
msKds-RootKeyData - BIN
crossCertificatePair - CERT
msds-ManagedPassword - GMSAPWD
msKds-CreateTime - 64TIME
msKds-UseStartTime - 64TIME
msDS-RequiredForestBehaviorVersion - ATTRIBENUM
msDS-RequireddomainBehaviorVersion - ATTRIBENUM
msWMICreationDate - WMITIME
msWMIChangeDate - WMITIME

Added a new tab to display the statistics associated to the access token

Object Compare
Fixed intermittent exception error, caused if the left object is deleted or moved between scans

The Resolver option has been updated to support user defined columns to allow additional attributes to be displayed
Updated to include a search of the proxyaddresses attribute for email address entries 
The context menus have been updated to allow items in the output pane to be added to the Resolver, with a shortcut key of Ctrl+R
Added status bar which displays total and selected items counts

Schema Class Browser
Added extra columns that display the security Property Set and DecodeType for each attribute
Fixed an intermittent exception error
Updated context menu on Where Used form so nested Where Used option can be performed

Schema Versions
Updated to include Exchange 2016 CU18 & 2019 CU7 schema updates

Updated so if an email address is specified then an additional search of the proxyaddresses attribute is included in the search request to the server
Updated to use the GC server details in the Connection Profile
Updated icons for Managed Service Accounts and Group Managed Service Accounts
Added status bar to show number of items returned and selected

User Rights
Added a new tab to display the statistics associated to the access token

Updated the redirection code to support additional record types

HowTo: Retrieving gMSA Password Details

Group Managed Service Accounts provide accounts that automatically manage password changes; for more details see this article.

This article covers how to use NetTools to view the details of Group Managed Service Accounts (gMSA) and also view the current and previous password for the accounts. The gMSAs are stored in the domain partition in the Managed Service Accounts OU. The easiest way to retrieve the password is to use the AD Properties dialog, which allows you to copy the password to the clipboard; however, to be able to view the password, the account retrieving the password must be specified in the msDS-GroupMSAMembership attribute of the Group Managed Service Account.

The details in the Password section of the dialog are stored in the msDS-ManagedPassword and msDS-ManagedPasswordId attributes of the object, these can be returned in LDAP Search, however, it does require a specific setup of LDAP Search to return the details as they are protected attributes.

If you create a basic LDAP query you will receive the following error:

In order to retrieve the password details, the connection must be encrypted for the attribute details to be returned. To encrypt the connection you must use the LDAP Session Options to enable encryption. The screenshot below shows the steps to complete the configuration.

      1. Click on the Session Options button at the end of the server field
      2. Check the tick box for the LDAP_OPT_ENCRYPT option
      3. Double click on the item to configure the option
      4. Change the setting to On and click OK and close the Session Options dialog

Once the Session Options are configured and encryption is enabled on the connection, the details of the attribute are returned.