One of the most frequent questions I am asked about the DSInternals PowerShell Module cmdlets that fetch password hashes from Active Directory (Get-ADReplAccount and Get-ADDBAccount) is whether they can return only the accounts from a specified organizational unit (OU). While OU-based filtering is not yet implemented in DSInternals directly, two built-in PowerShell features can be used to achieve the same goal.
The Where-Object cmdlet can easily be used to filter out unwanted objects based on any property, including OU:
```powershell
<#
Replicates all AD accounts (DCSync), filters them by the Admins OU,
and tests their passwords against the Have I Been Pwned (HIBP) list.
#>
Get-ADReplAccount -All -Server 'dc01.contoso.com' |
    Where-Object DistinguishedName -like '*,OU=Admins,DC=contoso,DC=com' |
    Test-PasswordQuality -WeakPasswordHashesSortedFile pwned-passwords-ntlm-ordered-by-hash-v7.txt
```
```text
Active Directory Password Quality Report
----------------------------------------

Passwords of these accounts are stored using reversible encryption:
  CONTOSO\Administrator

LM hashes of passwords of these accounts are present:

These accounts have no password set:

Passwords of these accounts have been found in the dictionary:
  CONTOSO\Administrator
  CONTOSO\jdoe_admin

These groups of accounts have the same passwords:
  Group 1:
    CONTOSO\dholden_admin
    CONTOSO\jsmith_admin
  Group 2:
    CONTOSO\pgoldman_admin
    CONTOSO\sgates_admin

These computer accounts have default passwords:

Kerberos AES keys are missing from these accounts:
  CONTOSO\Administrator

Kerberos pre-authentication is not required for these accounts:

Only DES encryption is allowed to be used with these accounts:

These accounts are susceptible to the Kerberoasting attack:
  CONTOSO\jsmith_admin

These administrative accounts are allowed to be delegated to a service:
  CONTOSO\Administrator
  CONTOSO\dholden_admin
  CONTOSO\jsmith_admin

Passwords of these accounts will never expire:
  CONTOSO\Administrator

These accounts are not required to have a password:

These accounts that require smart card authentication have a password:
  CONTOSO\jsmith_admin
```
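Two details of the `-like` filter above are worth knowing before relying on it. First, the pattern `'*,OU=Admins,...'` matches every object anywhere under the OU, including nested OUs. Second, a distinguished name can contain LDAP-escaped characters in an RDN value (for example `CN=Doe\, John`), so a naive "one RDN then the OU" regex would drop such accounts. The following added example (not code from the original post or from the DSInternals project) wraps the DN check in a small function that handles several OUs at once and can be switched between whole-subtree and direct-children-only matching; the second OU name is a hypothetical one, and the forest and DC are the same as in the post.

```powershell
# Added example, not part of the original post or of DSInternals.
# Assumes the contoso.com forest and the dc01.contoso.com DC used above;
# 'OU=Service Accounts,...' is a hypothetical second OU.

function Test-InOU {
    <#
    Returns $true when $DistinguishedName lives under any of the given OUs.
    With -DirectChildrenOnly, objects in nested OUs are excluded.
    #>
    param(
        [Parameter(Mandatory)] [string]   $DistinguishedName,
        [Parameter(Mandatory)] [string[]] $OU,
        [switch] $DirectChildrenOnly
    )

    # One RDN value: any run of characters that are not an unescaped comma.
    # "\\." accepts LDAP escapes such as "\," or "\=" inside a CN.
    $rdnValue = '(?:[^,\\]|\\.)+'

    foreach ($container in $OU) {
        # Escape the OU so that regex metacharacters in its name are literal.
        $suffix = [regex]::Escape($container)

        if ($DirectChildrenOnly) {
            # Exactly one CN= RDN, then the OU, then end of string.
            $pattern = '^CN=' + $rdnValue + ',' + $suffix + '$'
        } else {
            # One or more RDNs of any attribute type (CN=, OU=, ...) before the OU.
            $pattern = '^(?:[A-Za-z]+=' + $rdnValue + ',)+' + $suffix + '$'
        }

        # -match is case-insensitive by default, which is what DNs require.
        if ($DistinguishedName -match $pattern) { return $true }
    }
    return $false
}

$targetOUs = @(
    'OU=Admins,DC=contoso,DC=com',
    'OU=Service Accounts,DC=contoso,DC=com'   # hypothetical
)

# Same DCSync + HIBP check as above, restricted to the direct children of the target OUs.
# Drop -DirectChildrenOnly to audit the whole subtrees instead.
Get-ADReplAccount -All -Server 'dc01.contoso.com' |
    Where-Object { Test-InOU -DistinguishedName $_.DistinguishedName -OU $targetOUs -DirectChildrenOnly } |
    Test-PasswordQuality -WeakPasswordHashesSortedFile pwned-passwords-ntlm-ordered-by-hash-v7.txt
```

The same filter works unchanged on an offline database: replace the first line with `Get-ADDBAccount -All -DatabasePath <ntds.dit> -BootKey <key>`, since both cmdlets emit objects with the same DistinguishedName property. Note that this approach still replicates every account from the DC and discards most of them afterwards.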
The second option is to first fetch the desired accounts using the Get-ADUser cmdlet and then pipe them into DSInternals. Here the OU filtering is performed server-side through LDAP, so only the selected accounts are actually replicated from the domain controller:
```powershell
<#
Fetches the list of all accounts from the Admins OU, replicates their passwords,
and checks them against the HIBP list.
#>
Get-ADUser -SearchBase 'OU=Admins,DC=contoso,DC=com' -Filter * |
    Select-Object -Property ObjectGuid |
    Get-ADReplAccount -Server 'dc01.contoso.com' |
    Test-PasswordQuality -WeakPasswordHashesSortedFile pwned-passwords-ntlm-ordered-by-hash-v7.txt
```
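Get-ADUser returns only user objects, so computer accounts and group managed service accounts in the OU are never passed to Get-ADReplAccount, and its default search scope is Subtree, so nested OUs are included. The added example below (not code from the original post or from DSInternals) uses Get-ADObject with an explicit LDAP filter and search scope instead; it assumes the same contoso.com forest and dc01.contoso.com DC as the post, and Get-ADReplAccount binds the ObjectGUID property from the pipeline exactly as it does for Get-ADUser output.

```powershell
# Added example, not part of the original post or of DSInternals.
# Assumes the contoso.com forest and the dc01.contoso.com DC used above.

$ou     = 'OU=Admins,DC=contoso,DC=com'
$server = 'dc01.contoso.com'

# (objectClass=user) also matches computer objects, because the computer class
# derives from user in the AD schema. Use the classic
# '(&(objectCategory=person)(objectClass=user))' to restrict to user accounts only.
$ldapFilter = '(objectClass=user)'

# -SearchScope OneLevel returns direct children of the OU only; use Subtree
# (the default) to include nested OUs as the Get-ADUser example does.
Get-ADObject -Server $server -SearchBase $ou -SearchScope OneLevel -LDAPFilter $ldapFilter |
    Select-Object -Property ObjectGUID |
    Get-ADReplAccount -Server $server |
    Test-PasswordQuality -WeakPasswordHashesSortedFile pwned-passwords-ntlm-ordered-by-hash-v7.txt
```

Both the LDAP search and the per-object replication calls are visible to the DC, so this variant is also the easier one to reconcile with directory service audit logs if the audit run is later reviewed.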
I will probably add these two examples to the Get-Help documentation.