I have decided to publish the DSInternals PowerShell Module, which contains a few cmdlets I use during my lectures about Active Directory security. You can find it in the Downloads section. It currently lacks any documentation, so Get-Help won’t give you nice results, but I am working on that.
Examples
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
Import-Module DSInternals $pwd = ConvertTo-SecureString 'Pa$$W0rd' -AsPlainText -Force # Calculate the NT and LM hashes ConvertTo-NTHash $pwd # Output: 92937945b518814341de3f726500d4ff ConvertTo-LMHash $pwd # Output: 727e3576618fa1754a3b108f3fa6cb6d # Set AD account password hash using the SAMR protocol Set-SamAccountPasswordHash -SamAccountName john -Domain ADATUM -NTHash '92937945b518814341de3f726500d4ff' -Server dc1.adatum.com # Calculate the OrgId hash, that is sent to Azure Active Directory by DirSync ConvertTo-OrgIdHash -NTHash '92937945b518814341de3f726500d4ff' # Output: v1;PPH1_MD4,f76bc776428002f87f4b,100,0ab46c4a6351db87cc13323bb01eea073c90a52e376fffca559e57fbb19a441a; # Decrypt a password from Group Policy Preferences ConvertFrom-GPPrefPassword 'v9NWtCCOKEUHkZBxakMd6HLzo4+DzuizXP83EaImqF8' # Output: Pa$$w0rd # Decrypt a password from an unattend.xml file ConvertFrom-UnattendXmlPassword 'UABhACQAJAB3ADAAcgBkAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAUABhAHMAcwB3AG8AcgBkAA==' # Output: Pa$$w0rd |
Error reporting
If you find an error in the DSInternals Powershell Module, I would be glad if you sent me an e-mail.
Planned features
I am currently working on these new features, but it will take me some time until they are production-ready:
Offline modification of the ntds.dit file, including the sIDHistory and primaryGroupID attributes.Done- Attribute-level authoritative restore of AD objects
Remote export of account password hashes using the MS-DRSR protocol.Done- Fully functional Get-Help
MSI installer.Deprecated in favor of PowerShellGet.
Tags: Active Directory, Microsoft Azure, PowerShell
What permissions are necsesary to execute this. So far, I can run this as the domain administrator, but not a normal domain user, even for it’s own account.
You would need at least the Reset Password right on that particular account, which only Domain Admins + Account Operators have by default. I am not sure if anything else is required.