Can I get user passwords from the AD database?

By default, user account passwords are stored as a password hash (a hash is produced by a one-way function, which means you can't reverse it to get the plaintext). These hashes are stored in the Active Directory database (the C:\Windows\NTDS\ntds.dit file on domain controllers). If you need to get the user's password, then you have to change the way it is stored in AD: you have to store passwords encrypted with a reversible encryption algorithm.

To enable this option globally:

1. Select Start > Programs > Administrative Tools > Active Directory Users and Computers.

2. In the Active Directory Users and Computers window, right click on your domain and select Properties.

3. In the Group Policy tab, select "Default Domain Policy" and click Edit.

4. In the Group Policy window, navigate to Password Policy in the left-panel Tree view: Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy.

5. Right click on "Store password using reversible encryption for all users in the domain" and select Security.

6. In the Security Policy Setting window, select the "Define this policy setting" checkbox and the Enabled radio button. Click OK.

7. Close all applications and restart the computer, and log into your domain.

To enable this option for a specific user:

1. Select Start > Programs > Administrative Tools > Active Directory Users and Computers.

2. In the Active Directory Users and Computers window, right-click on the user and select Properties.

3. In the Account tab, check "Store password using reversible encryption." Click OK.

4. Close all applications and restart the computer, and log into your domain.

When this is enabled (per user or for the entire domain), Windows stores the password encrypted, but in such a way that it can reverse the encryption and recover the plaintext password. This feature exists because some authentication protocols require the plaintext password to function correctly; the two most common examples are HTTP Digest Authentication and CHAP.
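Because this setting makes the plaintext recoverable by anyone who can read the directory database, an administrator will want to know where it is turned on. The following PowerShell audit is an added example, not code from the original post; it assumes the ActiveDirectory RSAT module is installed and that the session has read access to the domain. It checks the domain-wide policy setting and then lists every user account carrying the per-user flag (the ENCRYPTED_TEXT_PWD_ALLOWED bit, 0x80, in userAccountControl).

```powershell
# Added example (not from the original post): audit where "Store password using
# reversible encryption" is enabled in the domain.
# Assumption: ActiveDirectory module present, read access to the domain.
Import-Module ActiveDirectory

# 1. Domain-wide setting, as pushed by the Default Domain Policy.
$policy = Get-ADDefaultDomainPasswordPolicy
if ($policy.ReversibleEncryptionEnabled) {
    Write-Warning "Domain password policy stores passwords with reversible encryption for ALL users."
} else {
    Write-Output "Domain-wide reversible encryption: disabled"
}

# 2. Per-user setting: bit 0x80 (ENCRYPTED_TEXT_PWD_ALLOWED) of userAccountControl.
#    The LDAP bitwise-AND matching rule 1.2.840.113556.1.4.803 lets the DC do the
#    filtering instead of pulling every account and testing the bit client-side.
$EncryptedTextPwdAllowed = 0x80
$ldapFilter = "(userAccountControl:1.2.840.113556.1.4.803:=$EncryptedTextPwdAllowed)"

$flagged = Get-ADUser -LDAPFilter $ldapFilter -Properties userAccountControl, pwdLastSet

if (-not $flagged) {
    Write-Output "No user accounts have the per-user reversible encryption flag set."
} else {
    Write-Warning ("{0} user account(s) store their password reversibly:" -f @($flagged).Count)
    $flagged | ForEach-Object {
        [PSCustomObject]@{
            SamAccountName     = $_.SamAccountName
            Enabled            = $_.Enabled
            # pwdLastSet is a Windows FILETIME; 0 means the password was never set.
            PasswordLastSet    = if ($_.pwdLastSet) { [DateTime]::FromFileTime($_.pwdLastSet) } else { $null }
            UserAccountControl = ('0x{0:X}' -f $_.userAccountControl)
        }
    } | Format-Table -AutoSize
}
```

The reversibly encrypted copy is only written when a password is set or changed after the flag is enabled, so PasswordLastSet shows whether a flagged account has changed its password since then.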

Niels Teusink has done great research on it:

http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html

http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html

He also developed a nice tool called “RevDump” to decipher this encrypted password.