How does a legitmate administrator get a user's password in ActiveDirectory?

If a password is stored with reversable encryption in Active Dir开发者_如何学Cectory, how does an administrator/developer extract and decrypt this password?

Specifically, I'm referring to this setting.

The following series of blog posts explains some details:

Passwords stored using reversible encryption: how it works (part 1)

Passwords stored using reversible encryption: how it works (part 2)

The author of this blog, Niels Teusink, also made the source code of his tool RevDump available for download.

It goes without saying that reversible encryption should not be used globally and only in very exceptional cases.

Although Dirk's answer is correct, the RevDump tool only works on Windows Server 2003, as newer versions of Windows store the reversibly encrypted passwords in a different way. Therefore I have created a new tool that supports Windows Server 2008+.

Simplest usage example:

Get-ADReplAccount -SamAccountName April -Domain Adatum -Server LON-DC1

Sample output (partial):

DistinguishedName: CN=April Reagan,OU=IT,DC=Adatum,DC=com
Sid: S-1-5-21-3180365339-800773672-3767752645-1375
SamAccountName: April
SamAccountType: User
NTHash: 92937945b518814341de3f726500d4ff
SupplementalCredentials:
  ClearText: Pa$$w0rd