I was reading about where AD passwords were stored, and I came across a discussion on the Microsoft TechNet forum where the answer was “The password is stored in the AD and LDS database on a user object in the unicodePwd attribute. This attribute can be written under restricted conditions, but it cannot be read. The attribute can only be modified; it cannot be added on object creation or queried by a search.”
I also read that when a user tries to log in, an Authentication Service Request is sent with an encrypted timestamp using the user’s password hash, and the Domain Controller then decrypts the timestamp using the user’s locally stored password hash.
What beats me is: how is the hash retrieved if it cannot be read or queried by search? I would highly appreciate any further resources to understand this authentication flow better. 🙂
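An added simulation of the flow the question describes (example code, not from the original post or from Microsoft): the DC stores only a key derived from the password and its KDC service reads that key from its own database rather than through an LDAP search, the client seals a timestamp under the same key, and the KDC unseals and checks it. The PBKDF2 key derivation, the HMAC-based stand-in cipher, the realm EXAMPLE.LOCAL and the account names are assumptions standing in for the real Kerberos etypes.

```python
import hashlib, hmac, os

MAX_SKEW_SECONDS = 300  # Kerberos default maximum clock skew (5 minutes)

def string_to_key(password, realm, principal):
    # Stand-in for Kerberos string-to-key: PBKDF2-HMAC-SHA1 salted with REALM+principal,
    # as the AES etypes do (the real derivation adds further steps omitted here).
    salt = (realm + principal).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, 4096, 32)

def _keystream(key, nonce, length):
    # Hypothetical HMAC-counter keystream standing in for the etype's cipher.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    # Encrypt-then-MAC: the confidentiality plus integrity a Kerberos etype provides.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    # Returns the plaintext, or None when the key is wrong (integrity check fails).
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def client_as_req(password, realm, principal, now):
    # Client: PA-ENC-TIMESTAMP = current time sealed under the key derived from the typed password.
    return seal(string_to_key(password, realm, principal), now.to_bytes(8, "big"))

class Kdc:
    # Minimal KDC: keeps only derived keys, mirroring what the DC holds in its own database.
    def __init__(self, realm):
        self.realm, self.stored_keys = realm, {}
    def provision(self, principal, password):
        # On password set the DC derives and stores the key; the password itself is not kept.
        self.stored_keys[principal] = string_to_key(password, self.realm, principal)
    def handle_as_req(self, principal, pa_enc_timestamp, now):
        key = self.stored_keys.get(principal)  # local database read, not an LDAP query
        if key is None:
            return "KDC_ERR_C_PRINCIPAL_UNKNOWN"
        plaintext = unseal(key, pa_enc_timestamp)
        if plaintext is None:  # wrong password -> wrong key -> failed pre-authentication
            return "KDC_ERR_PREAUTH_FAILED"
        if abs(now - int.from_bytes(plaintext, "big")) > MAX_SKEW_SECONDS:
            return "KRB_AP_ERR_SKEW"  # stale or replayed timestamp
        return "AS-REP"  # pre-authentication passed; issue the TGT
```

On a real DC the KDC_ERR_PREAUTH_FAILED branch is what surfaces as a "Kerberos pre-authentication failed" audit event, which is why repeated failures for one account are worth watching.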