EDIT: Can anybody actually answer the question? Thanks, I don't need an audit trail, I WILL know all the passwords and users can't change them, and I will continue to do so.
This is not for hacking!
We recently migrated away from an old and rusty Linux/Samba domain to Active Directory. We had a custom little interface to manage accounts there. It always stored the passwords of all users and all service accounts in cleartext in a secure location (of course, many of you will certainly not think of this as being secure, but without real exploits nobody could read that) and disabled password changing on the Samba domain controller.
In addition, no user can ever select their own password; we create them using pwgen. We don't change them every 40 days or so, but only every 2 years, to reward employees for really learning them and NOT writing them down.
We need the passwords to, e.g., go into user accounts and modify settings that are too complicated for group policies, or to help users.
These might certainly be controversial policies, but I want to continue them on AD.
Now I manually save new accounts and their pwgen-generated passwords (pwgen creates nice-sounding random words with nice amounts of vowels, consonants and numbers) into the old text file that the old scripts used to maintain automatically.
How can I get this functionality back in AD?
I see that there is "reversible encryption" in AD accounts, probably for challenge response authentication systems that need the cleartext password stored on the server.
Is there a script that displays all these passwords? That would be great.
(Again: I trust my DC not to be compromised.)
Or can I have a plugin for AD Users &amp; Computers that gets a notification of every new password and stores it in a file?
On clients that is possible with GINA DLLs; they can get notified about passwords and get the cleartext.
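The "reversible encryption" setting mentioned in the question is one most domain admins want to find and remove rather than rely on, since any account that has it stores a recoverable password on every DC. As an added example (not from the original post), this PowerShell lists the accounts where the flag is set; it assumes the RSAT ActiveDirectory module in a domain-joined session and only reads, never changes, the directory.

```powershell
# Added audit example, not code from the original post.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

# userAccountControl bit ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED (0x80 = 128),
# the same bit the "Store password using reversible encryption" checkbox sets.
$ReversibleFlag = 0x80

function Test-ReversibleFlag {
    param([Parameter(Mandatory)][int]$UserAccountControl)
    # $true when the account is configured to keep a recoverable password.
    return (($UserAccountControl -band $ReversibleFlag) -ne 0)
}

function Get-ReversiblePasswordAccounts {
    # LDAP bitwise-AND matching rule (1.2.840.113556.1.4.803) so the DC does
    # the filtering; the client-side test below is a cheap double check.
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(userAccountControl:1.2.840.113556.1.4.803:=128))"
    Get-ADUser -LDAPFilter $filter -Properties userAccountControl, PasswordLastSet |
        Where-Object { Test-ReversibleFlag $_.userAccountControl } |
        Select-Object SamAccountName, Enabled, PasswordLastSet
}

Get-ReversiblePasswordAccounts | Format-Table -AutoSize
```

The flag only affects passwords set after it was enabled, so PasswordLastSet tells you whether a recoverable copy actually exists yet; also check the domain password policy, because "Store passwords using reversible encryption" there applies to every account without setting this per-user bit.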