Normally AD passwords can't be, and aren't, decrypted: when you pass your credentials to log on, your encrypted password is compared to the encrypted password that's stored. There are occasional situations where the password has to be decrypted, which is why we get an option to store the password in a form that allows decryption.
These posts are presented for completeness, and storing passwords in this form is not recommended.
$ou = "OU=England,DC=Manticore,DC=org"

"`nMicrosoft"
$name = "UserA"
# Dedicated cmdlet and parameter: explicitly switches the setting on
Get-ADUser -Identity $name |
    Set-ADAccountControl -AllowReversiblePasswordEncryption:$true

"`nAD provider"
$name = "UserB"
$dn = "cn=$name,$ou"
# -bxor 128 flips the 128 bit of userAccountControl (on if it was off, off if it was on)
$flag = (Get-ItemProperty -Path AD:\$dn -Name useraccountcontrol).useraccountcontrol -bxor 128
Set-ItemProperty -Path AD:\$dn -Name useraccountcontrol -Value "$flag" -Confirm:$false

"`nQuest"
$name = "UserC"
$user = Get-QADUser -Identity $name -IncludeAllProperties
$flag = $user.userAccountControl -bxor 128
$user.userAccountControl = $flag
Set-QADUser -Identity $name -ObjectAttributes @{userAccountControl = $flag}

"`nScript"
$name = "UserD"
$dn = "cn=$name,$ou"
$user = [adsi]"LDAP://$dn"
$flag = $user.userAccountControl.value -bxor 128
$user.userAccountControl = $flag
# SetInfo() writes the changed attribute back to the directory
$user.SetInfo()
This setting is controlled by the userAccountControl attribute.
The Microsoft cmdlets give us a cmdlet and parameter to deal with this job.
For all other cases we need to toggle on the 128 bit on the userAccountControl attribute.
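Because -bxor flips the 128 bit, running any of the last three snippets twice switches the setting back off. The following is an added example, not part of the original post: it shows idempotent set, clear and test operations on constructed userAccountControl values, then audits the directory for accounts that carry the flag. The helper function names are hypothetical, and the audit part assumes the Microsoft ActiveDirectory module is installed.

```powershell
# Added example; the three helper functions are hypothetical, not AD cmdlets.
$ReversibleBit = 0x80   # 128 = ENCRYPTED_TEXT_PWD_ALLOWED in userAccountControl

function Test-ReversibleBit([int]$Uac)  { ($Uac -band $ReversibleBit) -ne 0 }
function Set-ReversibleBit([int]$Uac)   { $Uac -bor $ReversibleBit }           # always on
function Clear-ReversibleBit([int]$Uac) { $Uac -band (-bnot $ReversibleBit) }  # always off

# Constructed sample values: 512 = normal account, 640 = 512 + 128,
# 66048 = 512 + 65536 (password never expires), 66176 = 66048 + 128.
foreach ($uac in 512, 640, 66048, 66176) {
    [pscustomobject]@{
        UAC        = $uac
        Reversible = Test-ReversibleBit $uac
        AfterBxor  = $uac -bxor $ReversibleBit   # flips the bit either way
        AfterSet   = Set-ReversibleBit $uac
        AfterClear = Clear-ReversibleBit $uac
    }
}

# Audit: list every user whose userAccountControl has the 128 bit set.
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $flagged = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' `
        -Properties userAccountControl, PasswordLastSet
    $flagged | Select-Object SamAccountName, Enabled, PasswordLastSet, userAccountControl

    # Remediation preview: -WhatIf reports what would change without writing anything.
    $flagged | Set-ADAccountControl -AllowReversiblePasswordEncryption:$false -WhatIf
}
```

PasswordLastSet is included in the report because the flag only affects how a password is stored when it is next set.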