diff --git a/dissect/database/ese/ntds/c_ds.py b/dissect/database/ese/ntds/c_ds.py index f521b44..80e68da 100644 --- a/dissect/database/ese/ntds/c_ds.py +++ b/dissect/database/ese/ntds/c_ds.py @@ -90,5 +90,12 @@ CHAR Reserved3[12]; CHAR Hash[29][16]; // The formal definition has Hash1, Hash2, ..., Hash29 } WDIGEST_CREDENTIALS; + +typedef struct _GMS_MANAGED_PASSWORD { + WORD Version; + WORD Reserved; + DWORD Length; + CHAR Password[Length]; +} GMS_MANAGED_PASSWORD; """ c_ds = cstruct(ds_def) diff --git a/dissect/database/ese/ntds/c_ds.pyi b/dissect/database/ese/ntds/c_ds.pyi index 696aec0..f1e08c3 100644 --- a/dissect/database/ese/ntds/c_ds.pyi +++ b/dissect/database/ese/ntds/c_ds.pyi @@ -324,6 +324,23 @@ class _c_ds(__cs__.cstruct): def __init__(self, fh: bytes | memoryview | bytearray | BinaryIO, /): ... WDIGEST_CREDENTIALS: TypeAlias = _WDIGEST_CREDENTIALS + class _GMS_MANAGED_PASSWORD(__cs__.Structure): + Version: _c_ds.uint16 + Reserved: _c_ds.uint16 + Length: _c_ds.uint32 + Password: __cs__.Array[__cs__.CharArray] + @overload + def __init__( + self, + Version: _c_ds.uint16 | None = ..., + Reserved: _c_ds.uint16 | None = ..., + Length: _c_ds.uint32 | None = ..., + Password: __cs__.Array[__cs__.CharArray] | None = ..., + ): ... + @overload + def __init__(self, fh: bytes | memoryview | bytearray | BinaryIO, /): ... + + GMS_MANAGED_PASSWORD: TypeAlias = _GMS_MANAGED_PASSWORD # Technically `c_ds` is an instance of `_c_ds`, but then we can't use it in type hints c_ds: TypeAlias = _c_ds diff --git a/dissect/database/ese/ntds/util.py b/dissect/database/ese/ntds/util.py index fba7631..48b9a7d 100644 --- a/dissect/database/ese/ntds/util.py +++ b/dissect/database/ese/ntds/util.py 
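Review bot: `CHAR Password[Length]` in the new `_GMS_MANAGED_PASSWORD` typedef takes its size from the `Length` field, and nothing says what `Length` counts. The first three fields match the header of the MSDS-MANAGEDPASSWORD_BLOB layout in MS-ADTS, where, as I read it, `Length` is the size of the whole blob and four 16-bit offset fields follow before the password data. If the stored value uses that layout, this definition would ask for 8 bytes more than the value holds and would fold the offsets into `Password`. Please confirm against a sample record and add a comment above the typedef, e.g. `// Simplified view of the managed password blob: Length counts <confirm>, Password holds <confirm>`. The enclosing `ds_def` string starts outside the hunk.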
@@ -267,6 +267,7 @@ def _decode_pwd_history(db: Database, value: list[bytes]) -> list[bytes]: "trustAuthIncoming": (None, _pek_decrypt), "trustAuthOutgoing": (None, _pek_decrypt), "msDS-ExecuteScriptPassword": (None, _pek_decrypt), + "msDS-ManagedPassword": (None, lambda db, value: bytearray(c_ds.GMS_MANAGED_PASSWORD(value).Password).hex()), } ATTRIBUTE_LIST_ENCODE_DECODE_MAP: dict[
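Review bot: The new `msDS-ManagedPassword` decoder parses the raw value with no guard: `Version` is never checked and `Length` comes straight from the record, so a truncated or non-conforming value will raise inside the lambda (cstruct appears to raise `EOFError` on a short read) instead of degrading to the raw bytes. Since this map is applied to data from an acquired database that may be damaged, I would move the logic into a named helper next to `_decode_pwd_history` that catches the short read and returns `value` unchanged. The helper's docstring is also the place to record that the result is a hex `str`, whereas `_decode_pwd_history` is annotated to return bytes, so callers that treat secret attributes uniformly should expect the different type. The opening line of this map and the body of `_decode_pwd_history` are outside the hunk.

```python
def _decode_managed_password(db: Database, value: bytes) -> str | bytes:
    """Return the managed password field as hex, or the raw value if the blob does not parse."""
    try:
        blob = c_ds.GMS_MANAGED_PASSWORD(value)
    except EOFError:
        # Short or malformed record: keep the raw bytes instead of aborting the decode.
        return value
    return bytes(blob.Password).hex()

# … unchanged: preceding entries of the decode map …
    "msDS-ManagedPassword": (None, _decode_managed_password),
```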