List of Cmdlets in the DSInternals Module

September 29, 2015 | Michael Grafnetter

Here is the list of cmdlets currently contained in the DSInternals PowerShell module:

Online operations with the Active Directory database

Offline operations with the Active Directory database

  • Get-ADDBAccount – Reads one or more accounts from a ntds.dit file, including the secret attributes.
  • Get-BootKey – Reads the BootKey (aka SysKey) from an online or offline SYSTEM registry hive.
  • Set-ADDBBootKey – Re-encrypts a ntds.dit with a new BootKey. Highly experimental!
  • Get-ADDBBackupKey – Reads the DPAPI backup keys from a ntds.dit file.
  • Add-ADDBSidHistory – Adds one or more values to the sIDHistory attribute of an object in a ntds.dit file.
  • Set-ADDBPrimaryGroup – Modifies the primaryGroupId attribute of an object in a ntds.dit file.
  • Get-ADDBDomainController – Reads information about the originating DC from a ntds.dit file, including domain name, domain SID, DC name and DC site.
  • Set-ADDBDomainController – Writes information about the DC to a ntds.dit file, including the highest commited USN and database epoch.
  • Get-ADDBSchemaAttribute – Reads AD schema from a ntds.dit file, including datatable column names.
  • Remove-ADDBObject – Physically removes specified object from a ntds.dit file, making it semantically inconsistent. Highly experimental!


The output of the Get-ADDBAccount and Get-ADReplAccount cmdlets can be formatted using these additional Views:

  • HashcatNT – NT hashes in Hashcat‘s format.
  • HashcatLM – LM hashes in Hashcat’s format.
  • JohnNT – NT hashes in the format supported by John the Ripper.
  • JohnLM – LM hashes in the format supported by John the Ripper.
  • Ophcrack – NT and LM hashes in Ophcrack‘s format.

Password hash calculation

Password decryption


  • Test-PasswordQuality – Performs AD audit, including checks for weak, duplicate, default and empty passwords.
  • Save-DPAPIBlob – Saves the output of the Get-ADReplBackupKey and Get-ADDBBackupKey cmdlets to a file.
  • ConvertTo-Hex – Helper cmdlet that converts binary input to the hexadecimal string format.

I promise to publish more information about my cmdlets in the near future.

Tags: , , , , ,

18 comments on “List of Cmdlets in the DSInternals Module

  1. TamasKiss says:

    Dear Michael Grafnetter! I would like to use a 700MB password dictionary, but the ConvertTo-NtHashDictionary use more than 8GB memory, and i get insufficient memory error. Could you suggest to me how to use this cmdlet with very big password dictionary (memory saving solution)? Best regards, Tamas Kiss

    • Michael Grafnetter says:

      Dear Tamas, I am aware of that problem. The Thycotic Weak Password Finder contains updated codebase which supports even larger dictionaries than 700MB.

  2. TamasKiss says:

    Dear Michael!

    Does Tycotic support the command line execution for automated tasks? Scheduled task for example?

    Best regards

    • Michael Grafnetter says:

      No, command line execution is not supported. Do you really need to generate those reports that often? If you are only interested in dictionary or brute force attacks against NTLM hashes, you could use DSInternals to export password hashes in a format understood by hashcat or john the ripper. These can be automated and provide much better performance. But automating this process would be quite geeky.

  3. TamasKiss says:

    Dear Michael!

    Thanks for your advices! Could You explain to me or provide a link to me about “These administrative accounts are allowed to be delegated to a service” In this section I have a user who shouldnt be there, but i cant find any information related to this “delegated to service”?
    Can I find somewhere the full source code to see what kind of properties the script uses?

    Best regards,
    Tamas Kiss

  4. John Pell says:

    Hi! Ever looked at the objectGUID property? I’m looking for a way to modify a group’s existing objectGUID or create a new group with a specificed objectGUID. I can’t say I’m any good with the code…

    • Michael Grafnetter says:

      Hi John, what motivation would you have to inject a specific objectGuid value?

      • John Pell says:

        I’m trying to abuse Azure AD. 😃 I want to tie an existing security group in ADDS to a Unified Group in Azure AD (“Office 365 Group”), which is very not supported.

  5. Dazza says:

    Hi, does the module work with .NET 4.7.2? The term ‘Get-ADReplAccount’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

    • Michael Grafnetter says:

      Hi Andrei, this is currently not possible. You can mount a ntds.dit DB using dsamain.exe and get the pwdLastSet values. Expiration is complex, as you would need to analyse Fine-Grained Password Policies, not just the Default Domain Policy.

    • Michael Grafnetter says:

      Hi, it should work. How did you get and import the module?

  6. Amit says:

    While executing the command, i am receiving below error.
    Please help. I have already added DSInternals PowerShell module.

    PS C:\Extract> Get-ADDBAccount -DBPath ‘C:\Extract\ntds.dit’ -BootKey $key
    Get-ADDBAccount : Cannot validate argument on parameter ‘BootKey’. The argument is null. Provide a valid value for the argument, and then try running the command again.
    At line:1 char:56
    + Get-ADDBAccount -DBPath ‘C:\Extract\ntds.dit’ -BootKey $key
    + ~~~~
    + CategoryInfo : InvalidData: (:) [Get-ADDBAccount], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,DSInternals.PowerShell.Commands.GetADDBAccountCommand

    PS C:\Extract>

  7. John Smith says:

    Hello, When I run this using the online method with the DCSync privileges, we get outputs of various accounts (either user or computer) that do not exist in our AD directory. Is that something to do with orphaned objects or tombstoned objects ? Not sure where this is coming from. Thanks.

  8. Aaron says:

    Anyway through your module to look at group membership in the ntds.dit file?

Leave a Reply

Your email address will not be published.