Retrieving Cleartext GMSA Passwords from Active Directory

December 28, 2015 | Michael Grafnetter

Have you ever wondered what the automatically generated passwords of Group Managed Service Accounts (GMSA) look like? Well, you can fetch them from Active Directory the same way Windows servers do and see for yourself. Here is how:

Creating a GMSA

To start experimenting, we need to have a GMSA first, so we create one:

We can check the result in the Active Directory Users and Computers console:

Unfortunately, the built-in GUI will not help us much when working with GMSAs. Although there is a nice 3rd-party tool, we will stick to PowerShell.

Setting the Managed Password ACL

Now we need to provide a list of principals that are allowed to retrieve the plaintext password from DCs through LDAP. Normally, we would grant this privilege to one or more servers (members of the same cluster/web farm). But we will grant the privilege to ourselves instead:

Of course, you should not use the built-in Administrator account in a production environment.

Retrieving the Managed Password

Now comes the fun part:

Note that until now, we have only used regular, built-in cmdlets from the ActiveDirectory module, courtesy of Microsoft.

Decoding the Managed Password

Let’s have a look at the msDS-ManagedPassword attribute returned by the command above. It is a constructed attribute, which means that its value is calculated by the DC from the KDS root key and the msDS-ManagedPasswordId attribute every time someone asks for it. Although documented, the cryptographic algorithm used is quite complicated. Furthermore, the value of msDS-ManagedPasswordId is regenerated every msDS-ManagedPasswordInterval days (30 by default).

We see that the msDS-ManagedPassword attribute of our GMSA contains a sequence of bytes. It is the binary representation of the MSDS-MANAGEDPASSWORD_BLOB data structure, which contains some metadata in addition to the actual password. As there was no publicly available tool to decode this structure, I created one myself:

TADA!!! The CurrentPassword property contains the actual cleartext password of the GMSA in question. Why does it look like gibberish? Because it is just 256 bytes of pseudorandom data, interpreted as 128 UTF-16 characters. Good luck typing that on your keyboard. But if we calculate its NT hash, it will match the hash stored in AD.
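The whole procedure in one script, as an added example rather than the post's own commands: it creates the GMSA, sets the retrieval ACL, asks the DC for the constructed attribute and then decodes the blob by hand according to the documented layout (the decoding cmdlet shown on the page is DSInternals' own). The account name, DNS host name, domain and the use of the current user as the allowed principal are assumptions.

```powershell
# Added example, not code from the original post or from the DSInternals project.
# Assumes the RSAT ActiveDirectory module, an existing KDS root key and the
# constructed names below; DSInternals is needed only for ConvertTo-NTHash.
Import-Module ActiveDirectory

$gmsaName = 'svc_web'                 # constructed GMSA name
$dnsHost  = 'svc_web.contoso.com'     # constructed DNS host name

# 1. Create the GMSA.
New-ADServiceAccount -Name $gmsaName -DNSHostName $dnsHost -Enabled $true

# 2. Grant the current user the right to read the managed password. In production
#    this list holds the computer accounts of the servers running the service.
Set-ADServiceAccount -Identity $gmsaName -PrincipalsAllowedToRetrieveManagedPassword $env:USERNAME

# 3. Fetch the constructed attribute; it is only returned when asked for by name.
$acct = Get-ADServiceAccount -Identity $gmsaName -Properties 'msDS-ManagedPassword'
[byte[]]$blob = $acct.'msDS-ManagedPassword'

# 4. Decode MSDS-MANAGEDPASSWORD_BLOB (layout in MS-ADTS section 2.2.19):
#    Version(2) Reserved(2) Length(4) CurrentPasswordOffset(2) PreviousPasswordOffset(2)
#    QueryPasswordIntervalOffset(2) UnchangedPasswordIntervalOffset(2), then the payload.
function Read-Utf16Z([byte[]]$Bytes, [int]$Offset) {
    # Passwords are null-terminated UTF-16LE strings; scan for the 16-bit terminator.
    $end = $Offset
    while ($end + 1 -lt $Bytes.Length -and -not ($Bytes[$end] -eq 0 -and $Bytes[$end + 1] -eq 0)) { $end += 2 }
    [Text.Encoding]::Unicode.GetString($Bytes, $Offset, $end - $Offset)
}
function ConvertFrom-ManagedPasswordBlob([byte[]]$Blob) {
    $version = [BitConverter]::ToUInt16($Blob, 0)
    if ($version -ne 1) { throw "Unexpected blob version $version" }
    $curOff  = [BitConverter]::ToUInt16($Blob, 8)
    $prevOff = [BitConverter]::ToUInt16($Blob, 10)   # 0 means no previous password yet
    $qpiOff  = [BitConverter]::ToUInt16($Blob, 12)
    $upiOff  = [BitConverter]::ToUInt16($Blob, 14)
    $previous = if ($prevOff -ne 0) { Read-Utf16Z $Blob $prevOff } else { $null }
    [pscustomobject]@{
        CurrentPassword  = Read-Utf16Z $Blob $curOff
        PreviousPassword = $previous
        # Both intervals are 64-bit counts of 100-ns ticks, like a FILETIME duration.
        QueryPasswordInterval     = [TimeSpan]::FromTicks([BitConverter]::ToInt64($Blob, $qpiOff))
        UnchangedPasswordInterval = [TimeSpan]::FromTicks([BitConverter]::ToInt64($Blob, $upiOff))
    }
}
$decoded = ConvertFrom-ManagedPasswordBlob $blob
$decoded | Format-List

# 5. The NT hash of the 128-character password is what AD stores for the GMSA.
$secure = ConvertTo-SecureString $decoded.CurrentPassword -AsPlainText -Force
ConvertTo-NTHash -Password $secure
```

The hash printed in step 5 is the value to compare against the account's stored NT hash; since the password is meant for Kerberos and NTLM rather than keyboards, use it as a SecureString object rather than copying it through a text box.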

We have seen that retrieving the value of GMSA passwords is quite easy. But don’t be afraid, there is no security hole in Active Directory. The cleartext password is always passed through an encrypted channel, it is automatically changed on a regular basis, and even members of the Domain Admins group are not allowed to retrieve it by default. So do not hesitate to start using (Group) Managed Service Accounts. They are much safer than using regular accounts for running services.

If you want to play more with this stuff, just grab the DSInternals module. And for developers, the C# code I use to decode the structure can be found on GitHub.


10 comments on “Retrieving Cleartext GMSA Passwords from Active Directory”

  1. sanjeevi says:

    How do I retrieve the password from a gMSA account?
    CurrentPassword : 湤ୟɰ橣낔饔ᦺ几᧾ʞꈠ
    How do I convert this value into plain text?

    • Michael Grafnetter says:

      Sanjeevi, that cryptic CurrentPassword value IS PLAIN TEXT. You can copy and paste it to a password text box and it should work.

  2. krishn says:

    I am missing this attribute: msDS-ManagedPassword.
    How can we get this populated on a gMSA account?

    • Michael Grafnetter says:

      You do not populate this attribute, as it is a constructed one (calculated by the DC when accessed through LDAP).

  3. SMD says:

    I’m trying to follow this procedure using an existing GMSA account. It’s not working. I was able to figure out how to dump all of the account properties and saw a couple of interesting things:
    AllowReversiblePasswordEncryption : False
    msDS-ManagedPasswordId : {1, 0, 0, 0…}
    The AllowReversiblePasswordEncryption is set to false and there’s no msDS-ManagedPassword property.

    Am I going to be able to extract the plain text password from the account?

    • Michael Grafnetter says:

      Sure. You need to have the permissions to retrieve the managed password and then you explicitly need to ask for the msDS-ManagedPassword attribute.

  4. DE says:

    I know GMSA accounts are designed for services, app pools, and scheduled tasks. They can also be used to run EXEs using PsExec. But how could one use the extracted GMSA password to run a thread or process, since GMSA accounts do not support interactive logins?

    • Michael Grafnetter says:

      Of course, these accounts are not intended for this purpose. But one could use “runas /netonly”, which would only perform network logon.

  5. Russell says:

    I can successfully retrieve the cleartext password, and can use it to successfully establish the WMI connection using the CurrentPassword property as below:

    However, when I copy the password and paste it into the same WMI connection command, the WMI connection fails, which is most likely due to a wrong password.

    It must be caused by an encoding issue. How can I save the cleartext password and then use it in other places? Thanks.
