I have decided to publish the DSInternals PowerShell Module, which contains a few cmdlets I use during my lectures about Active Directory security. You can find it in the Downloads section. It currently lacks any documentation, so Get-Help won’t give you nice results, but I am working on that.
Examples
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
Import-Module DSInternals $pwd = ConvertTo-SecureString 'Pa$$W0rd' -AsPlainText -Force # Calculate the NT and LM hashes ConvertTo-NTHash $pwd # Output: 92937945b518814341de3f726500d4ff ConvertTo-LMHash $pwd # Output: 727e3576618fa1754a3b108f3fa6cb6d # Set AD account password hash using the SAMR protocol Set-SamAccountPasswordHash -SamAccountName john -Domain ADATUM -NTHash '92937945b518814341de3f726500d4ff' -Server dc1.adatum.com # Calculate the OrgId hash, that is sent to Azure Active Directory by DirSync ConvertTo-OrgIdHash -NTHash '92937945b518814341de3f726500d4ff' # Output: v1;PPH1_MD4,f76bc776428002f87f4b,100,0ab46c4a6351db87cc13323bb01eea073c90a52e376fffca559e57fbb19a441a; # Decrypt a password from Group Policy Preferences ConvertFrom-GPPrefPassword 'v9NWtCCOKEUHkZBxakMd6HLzo4+DzuizXP83EaImqF8' # Output: Pa$$w0rd # Decrypt a password from an unattend.xml file ConvertFrom-UnattendXmlPassword 'UABhACQAJAB3ADAAcgBkAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAUABhAHMAcwB3AG8AcgBkAA==' # Output: Pa$$w0rd |
Error reporting
If you find an error in the DSInternals Powershell Module, I would be glad if you sent me an e-mail.
Planned features
I am currently working on these new features, but it will take me some time until they are production-ready:
Offline modification of the ntds.dit file, including the sIDHistory and primaryGroupID attributes.Done- Attribute-level authoritative restore of AD objects
Remote export of account password hashes using the MS-DRSR protocol.Done- Fully functional Get-Help
MSI installer.Deprecated in favor of PowerShellGet.
Tags: Active Directory, Microsoft Azure, PowerShell
What permissions are necsesary to execute this. So far, I can run this as the domain administrator, but not a normal domain user, even for it’s own account.
You would need at least the Reset Password right on that particular account, which only Domain Admins + Account Operators have by default. I am not sure if anything else is required.
What permissions should be set to allow a user to run this? I don’t want to have to use a Domain Administrator privilege account to set this. I tried adding the user to Account Operators group but it did not work. Do you know what permissions should be delegated for it to work? Thank you.
You need to specify the exact command. Each has different requirements.