Retrieving Active Directory Passwords Remotely

August 4, 2015 | Michael Grafnetter

I have finally finished work on the Get-ADReplAccount cmdlet, the newest addition to my DSInternals PowerShell Module, which can retrieve reversibly encrypted plaintext passwords, password hashes and Kerberos keys of all user accounts from remote domain controllers. This is achieved by simulating the behavior of the dcpromo tool and creating a replica of the Active Directory database through the MS-DRSR protocol. Furthermore, it has these properties:

  • It does not even need Domain Admins group membership. The Replicating Directory Changes All permission is more than enough for this cmdlet to do its job.
  • It opens the door to other attacks, e.g. pass-the-hash, pass-the-ticket or PAC spoofing, that can be used to seize control of the entire Active Directory forest. Long live mimikatz!
  • It cannot be effectively blocked by firewalls, because the directory replication service (the DRSGetNCChanges call, to be more precise) shares the same port with other critical services, like user name resolution (exposed by the DsCrackNames call).
  • It only uses documented features of Active Directory and is not a hack per se.
  • It leaves only a minimal footprint on Domain Controllers and can easily be overlooked by security audits.
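Since the only prerequisite is the Replicating Directory Changes All permission, a defender's first question is who holds it and who has recently used it. The following PowerShell script is an added example (not part of the original post or of the DSInternals project) that lists every trustee granted the replication extended rights on the domain naming context and then searches the Security log for event 4662 records referencing those rights. It assumes the RSAT ActiveDirectory module is installed (for the AD: drive) and that Directory Service Access auditing is enabled on the DC; both function names are hypothetical.

```powershell
# Added example (not part of the original post or of DSInternals).
# Part 1: who can replicate secrets? Lists every ACE on the domain naming
# context that grants one of the replication extended rights that
# Get-ADReplAccount depends on. Assumes the RSAT ActiveDirectory module.
# Part 2: who has used them? Searches event 4662 on this DC for those rights.
# Assumes "Audit Directory Service Access" (success) is enabled on the DC.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs from the AD schema (not page-specific values)
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-ReplicationRightHolders {
    # Hypothetical function name. Trustees holding GenericAll, or ExtendedRight
    # with an empty ObjectType (= every extended right), get the replication
    # rights implicitly, so they are reported as well rather than missed.
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    $acl           = Get-Acl -Path "AD:\$DomainDN"
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $genericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $emptyGuid     = [guid]::Empty.ToString()

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $guid = $ace.ObjectType.ToString()
        $hasExtended = $ace.ActiveDirectoryRights.HasFlag($extendedRight)

        if ($hasExtended -and $ReplicationRights.ContainsKey($guid)) {
            [pscustomobject]@{
                Trustee   = $ace.IdentityReference.Value
                Right     = $ReplicationRights[$guid]
                Inherited = $ace.IsInherited
            }
        }
        elseif ($ace.ActiveDirectoryRights.HasFlag($genericAll) -or
                ($hasExtended -and $guid -eq $emptyGuid)) {
            [pscustomobject]@{
                Trustee   = $ace.IdentityReference.Value
                Right     = 'GenericAll / all extended rights (implies the replication rights)'
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Find-ReplicationAccessEvents {
    # Hypothetical function name. Event 4662 lists the exercised control-access
    # right GUIDs in its Properties field, in braces, e.g. {1131f6ad-...}.
    param([datetime]$Since = (Get-Date).AddDays(-1))

    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $msg  = $_.Message
            $used = $ReplicationRights.Keys |
                Where-Object { $msg -like "*$_*" } |
                ForEach-Object { $ReplicationRights[$_] }
            if ($used) {
                $account = if ($msg -match 'Account Name:\s+(\S+)') { $Matches[1] } else { '(unknown)' }
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Account = $account   # DC computer accounts (ending in $) are expected here
                    Rights  = ($used -join ', ')
                }
            }
        }
}

# Usage on a domain controller: review the ACL first, then the recent activity.
Get-ReplicationRightHolders | Sort-Object Trustee, Right | Format-Table -AutoSize
Find-ReplicationAccessEvents | Sort-Object Time | Format-Table -AutoSize
```

Any account in the first listing that is neither Administrators nor a domain controller group, or any 4662 hit from a non-DC account, is worth an explanation.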

Usage example:

Sample output:

You could even dump all accounts at once, but this can cause heavy (=suspicious) replication traffic:


130 comments on “Retrieving Active Directory Passwords Remotely”

  1. user says:

    Hi, where do you read the ClearText password from? From which user attribute?

    • Michael Grafnetter says:

      Hi, the cleartext password is contained in the secret supplementalCredentials attribute, which is never sent through LDAP.

  2. user says:

    Thank you. I have one more question: the WDigest hash is MD5 of user:realm:password. Realm can be empty according to MS. However, in your example none of the MD5s match the AprilPa$$w0rd MD5 ;/

    • Michael Grafnetter says:

      But the first one definitely matches “April:ADATUM:Pa$$w0rd”. See the MS article, but use colons instead of commas as delimiters.

  3. B.K. says:

    Thanks for the cool module. I am trying to export hashed passwords from Windows 2008 R2 SP1. I have installed PowerShell 5 and installed DSInternals from the PowerShell Gallery. But I get the following error message when I try to dump all the user information. Is there anything to check to fix this issue?


    PS C:\Users\Administrator> Get-ADReplAccount -All -NamingContext 'DC=xxxx,DC=xx' -Server infraAD
    Get-ADReplAccount : Method not found: ‘IntPtr
    At line:1 char:1
    + Get-ADReplAccount -All -NamingContext 'DC=xxxx,DC=xx' -Server i …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-ADReplAccount], MissingMethodException
    + FullyQualifiedErrorId : System.MissingMethodException,DSInternals.PowerShell.Commands.GetADReplAccountCommand

    • Michael Grafnetter says:

      Thx for the report. Could you please check your version of .NET Framework? Is it 4.5.1+?

  4. B.K. says:

    Thanks Michael. It is working fine after installing .NET 4.5.1. It was not working on .NET 4.5.


  5. B.K. says:

    I have one more question. Can we use this PowerShell in AD LDS? I just tried this one on AD LDS. It showed the following error message.

    PS C:\DSInternals> Get-ADReplAccount -All -NamingContext 'cn=users,dc=idg,dc=ca' -Server IDG:50000
    Get-ADReplAccount : The RPC server is unavailable
    At line:1 char:1
    + Get-ADReplAccount -All -NamingContext 'cn=users,dc=idg,dc=ca' -Server I …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-ADReplAccount], Win32Exception
    + FullyQualifiedErrorId : System.ComponentModel.Win32Exception,DSInternals.PowerShell.Commands.GetADReplAccountCom

    • Michael Grafnetter says:

      Only a few of the cmdlets work with AD LDS, like Get-ADDBDomainController against adamntds.dit. Regarding replication, I have not tried it yet, as it is not enabled by default.

  6. Uwe says:


    Could these functions be used to do a sync of passwords between two domains? I tried to do

    Get-ADReplAccount and afterwards

    Set-SamAccountPasswordHash -SamAccountName teste -Domain Test -NTHash $TestUser.NTHash

    There is a format issue with the NTHash.

    Could you give me a hand?


    • Michael Grafnetter says:

      Yes, Uwe, password sync is one of the reasons I created this tool. Try this:

      Set-SamAccountPasswordHash -SamAccountName teste -Domain Test -NTHash (ConvertTo-Hex $TestUser.NTHash)

      The Set-SamAccountPasswordHash cmdlet only accepts a hex string as NTHash, not a byte array. This is a design choice I made and it has both pros and cons.

  7. John says:

    Hi Michael, I have a quick question. The ClearText field is empty. Am I doing something wrong?

    Thank you

    • Michael Grafnetter says:

      Hi John, the ClearText field only contains a value if the option “Store password using reversible encryption” is enabled on the specific account or globally.

  8. john says:

    Hi, I selected “store password using reversible encryption” but it is still empty (ClearText field).

  9. John says:

    Hi Michael,
    my bad. I didn’t pay attention. Thank you. If the AD account doesn’t use reversible encryption and then later on I just check the “Store password using reversible encryption” will it display the password then?

    • Michael Grafnetter says:

      Even if you check that option, AD still does not know the cleartext password. The cleartext password will be saved as soon as that user changes his password. The same is true with unchecking that option: the cleartext password will be deleted during the next password change.

  10. John says:

    I see. Thank you Michael.

  11. Michael says:

    Hi Michael, is it possible to Write the LMHash (in Detail the password without knowing it) back to another AD (for Sync) via PS or C#?

    Thanks for the GREAT! Work.
    Greets Michael

    • Michael Grafnetter says:

      NT/LM password hash writeback is possible using my Set-SamAccountPasswordHash PS cmdlet or the DSInternals.SAM NuGet .NET library, but I would stick to using NT hashes only. I have not found out a simple way of doing kerberos key writeback.

  12. Laurent says:

    Hello Michael,

    Would it be possible to restrict NamingContext to a specific OU in order to check security on a very specific OU instead of the whole AD?

    Second question: is it possible to define which kind of SamAccountType object to retrieve? I’ve tried to define SamAccountType User in addition to the request you provided, but it is not working.

    Any help appreciated.

    Great job by the way, love it!


    • Michael Grafnetter says:

      Hello Laurent, the replication protocol by itself does not support such filters. But you could use
      Where-Object DistinguishedName -like "*,OU=" in the middle of the pipeline. Or, for small OUs, you could replicate the objects one by one:
      Get-ADUser -SearchBase "OU=..." -Filter * | Select-Object -Property ObjectGuid | Get-ADReplAccount ... | Test-...

  13. Laurent says:

    Worked perfectly, thanks a lot Michael!

  14. Arsen says:

    Hello Michael, I used Win10 with .NET Framework v4.6.1; when I ran the command as you described, I got an error: “Get-ADReplAccount : The distinguished name specified for this replication operation is invalid”.

    Could you please help with this?

  15. Eduard says:

    Hi Michael,

    Using your example, in the results that I get back the LMHash is empty. Is it also because the option “Store password using reversible encryption” is not enabled on the account or globally? Or is it something else?


  16. Kendall says:

    I love that Get-ADReplAccount shows the ClearText password for accounts that have reversible encryption enabled. In your sample output above it shows the field “ClearText:” and that works fine in practice for me as well. However if I just want to create a list, using the following:

    get-aduser -filter * -searchbase … | Get-ADReplAccount -Domain … -Server … | select SamAccountName, ClearText

    The cleartext is blank.

    How can I access the ‘cleartext’ field without having to dump the full output of Get-AdReplAccount. Ideally, my output would be:

    SamAccountName, ClearText

    Sorry to bore you with a simple formatting question, but I’m stumped.

    • Michael Grafnetter says:

      Hi Kendall,

      Try to do this:

      Get-ADReplAccount ... | select SamAccountName, @{ Name = 'ClearText'; Expression = { $PSItem.SupplementalCredentials.ClearText } }


  17. Kendall says:

    Worked Perfectly! You are God-like.



  18. Todd says:

    I get the following error:

    Get-ADReplAccount : Access is denied

    I verified the DA account can run PowerShell.

    This command works fine.

    powershell Invoke-Command -ComputerName dc1 -ScriptBlock { Get-ChildItem C:\ } -credential domain1\domainadm

    What other user rights does this need? The account is a Domain Admin.

    It’s a Windows 2012 R2 domain functional level. The account is in the ‘Protected Users’ group.

  19. Todd says:

    Yes. Apparently putting a Domain Admin in the Protected Users group will block this.

    • Michael Grafnetter says:

      OK, I will look into it, Todd. It would appear that only NTLM auth works with Get-ADReplAccount, not Kerberos, but I have to verify that.

  20. Eduard says:

    Hi Michael,

    What could be the reason that LM hashes from LMHashHistory do not match the actual passwords? For instance, when I generate the LM and NTLM hashes from the current password, Hash 01 from NTHashHistory matches, but Hash 01 from LMHashHistory does not match.


    • Michael Grafnetter says:

      Hi Eduard, it might be caused by the fact that storing LM hashes is disabled by default since Windows Server 2003. A random value is probably stored in the history, I would guess.

  21. Eduard says:


    Another question: what are the WDigest hashes returned by Get-ADReplAccount? That is, where would they show up on the client machine?


    • Michael Grafnetter says:

      Hi Eduard, the WDigest hashes are used during Digest/MD5 authentication, which Windows Server supports with HTTP (IIS) and LDAP (AD). It is a deprecated authentication scheme and should not be used. AD stores these hashes for compatibility reasons.

  22. sam says:

    Excellent work ! So I guess the default domain policy of having no reversible encryption is still safe as retrieving methods on this have not yet been found?

    • Michael Grafnetter says:

      Yes, the default policy is safe. But some companies had to enable storing passwords using reversible encryption because of legacy PAP VPN authentication. Personally, I have never been in such a situation.

      • Bernd says:

        In my case it was required for DIGEST-MD5 SASL binds with AD. I am not sure if this uses the cleartext password or if it uses the WDigest hashes, at least it does not work when disabling the option.

  23. Joel says:


    How do I pull the LMHash and WDigest hash information out of the DSAccount object? I’m storing the object in a variable like so:

    $TesterObject = Get-ADReplAccount -SamAccountName username -Domain DOMAINNAME -Server

    I see that LMHash is a System.Byte array but I’m having trouble converting that back into a string.

    Similarly with the WDigest: if I reference $TesterObject.SupplementalCredentials.WDigest I get a byte array.


    • Michael Grafnetter says:

      Dear Joel, you can use my ConvertTo-Hex cmdlet to convert byte[] to a hexadecimal string.

  24. Peter says:

    Thanks for producing this tool – fantastic! I hope you have a minute for a couple of questions:
    1- Is NTHash the value of UnicodePwd (just not base64-encoded) ?
    2- I’m trying to generate a complete list of users from AD to have all their attributes AND their UnicodePwd. Any idea if I can ask for other LDAP attributes with ‘Get-ADReplAccount’ or how to combine the output of this with that of ‘Get-ADUser’ to generate such a list?

  25. Harpaslinh Zala says:

    Hello Michael, I am trying to retrieve password from Windows 7 Computer with AD domain Credential however I am getting below error.

    PS C:\Windows\system32> $cred =Get-credential

    cmdlet Get-Credential at command pipeline position 1
    Supply values for the following parameters:
    PS C:\Windows\system32> Get-ADReplAccount -SamAccountName zharpal -domain magoteaux -server rajkot-dc-02
    Get-ADReplAccount : Access is denied
    At line:1 char:1
    + Get-ADReplAccount -SamAccountName zharpal -domain magoteaux -server r …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-ADReplAccount], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,DSInternals.PowerShell.Commands.GetADReplAccountCo

    • Michael Grafnetter says:

      Dear Harpaslin, you have apparently skipped the -Credential parameter of the Get-ADReplAccount cmdlet.

  26. Harpaslinh Zala says:

    PS C:\Windows\system32> Import-Module dsinternals
    PS C:\Windows\system32> $cred = Get-Credential Get-ADReplAccount -SamAccountName zharpal -Domain magotteaux -Server rajkot-dc-02 -Credential $cred -Protocol TCP
    Get-Credential : A positional parameter cannot be found that accepts argument ‘Get-ADReplAccount’.
    At line:1 char:9
    + $cred = Get-Credential Get-ADReplAccount -SamAccountName zharpal -Dom …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Get-Credential], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.GetCredentialCommand

    I am getting this error now.

  28. Harpaslinh Zala says:

    I got result now but there is no clear Text so I can’t recover password now.

    PS C:\Windows\system32> Get-ADReplAccount -SamAccountName zharpal -Domain magotteaux -Server rajkot-dc-02 -Credential $c
    red -Protocol TCP

    DistinguishedName: CN=Zala Harpal,OU=Regular Accounts,OU=Mail,OU=Users,OU=Rajkot,OU=ASIA_PAC,DC=magotteaux,DC=org
    Sid: S-1-5-21-443316275-3401568197-975265098-16922
    Guid: cc9fba28-fc97-42e8-afea-271eaf8055ca
    SamAccountName: zharpal
    SamAccountType: User
    PrimaryGroupId: 513
    Enabled: True
    UserAccountControl: NormalAccount
    AdminCount: False
    Deleted: False
    DisplayName: Zala Harpal
    GivenName: Zala
    Surname: Harpal
    Description: Information Technology
    SecurityDescriptor: DiscretionaryAclPresent, SystemAclPresent, DiscretionaryAclAutoInherited, SystemAclAutoInherited,
    Owner: S-1-5-21-443316275-3401568197-975265098-512
    NTHash: e5e9e197413856f5ca1a53df54d0d66c
    LMHash: c081b956d54a2ef28b88eb25b9c5dfca

  29. Harpaslinh Zala says:

    Dear Michael,

    Please help to get clear text password.

    • Michael Grafnetter says:

      Dear Harpaslinh, the ClearText password is present only if you enable “Store passwords using reversible encryption” in AD. Regarding your previous examples, you apparently forgot to close the sub-command in parentheses.

  30. maurizio says:

    Hi Michael, for some reason we are not allowed to build a trust between two forests. We must be able via LDAP to create user objects in forest/domain B by retrieving the user objects in domain/forest A. The user objects in domain B must have the same values for some attributes, like samAccount, last & first name. Is it possible to “sync” the password hash from A to B so the user normally working in domain A can log on to domain B with the same samaccount and password?

    • Michael Grafnetter says:

      Yes, the Set-SamAccountPasswordHash cmdlet can do that. But only Kerberos-RC4 and NTLM(v2) authentication will work against such accounts.

  31. Jeff says:

    I keep getting an error for DSInternals.Replication.Interop.dll. I have checked and the file is not locked. Any idea why?

    Get-ADReplAccount : A procedure imported by ‘DSInternals.Replication.Interop.dll’ could not be loaded.
    At line:1 char:1
    + Get-ADReplAccount -SamAccountName
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-ADReplAccount], FileLoadException
    + FullyQualifiedErrorId : System.IO.FileLoadException,DSInternals.PowerShell.Commands.GetADReplAccountCommand

    • Michael Grafnetter says:

      Jeff, could you please specify your OS, PS version and also send me the stack trace of this exception? Thx.

  32. Anonymous says:

    Hi Michael, first, it’s great stuff 🙂 I wonder how to check which users are members of Domain Admins or local Administrators? The user blabla is a member of Domain Admins and Administrators, but the module didn’t show this correct information even if I log off and log on again; also gpupdate /force on the client didn’t help.

    ***I’ve imported the new and I hope the latest module 2.21***.
    I’m also trying (just for test) to check the store password using reversible encryption for this specific user but the module didn’t get it.
    Please help :)))

    The command that I’ve run on the client:

    Get-ADReplAccount -All -NamingContext 'DC=test,DC=local' -Server srv12-01


    DistinguishedName: CN=blabla,CN=Users,DC=test,DC=local
    Sid: S-1-5-21-2984388398-6913812-1553380050-2606
    Guid: e6012490-25a8-4f2f-ae66-2cf7822afcbc
    SamAccountName: blabla
    SamAccountType: User
    UserPrincipalName: blabla@test.local
    PrimaryGroupId: 513
    Enabled: True
    UserAccountControl: PlaintextPasswordAllowed, NormalAccount, PasswordNeverExpires
    AdminCount: False
    Deleted: False
    DisplayName: blabla
    GivenName: blabla
    SecurityDescriptor: DiscretionaryAclPresent, SystemAclPresent, DiscretionaryAclAutoInherited, SystemAclAutoInherited, SelfRelative
    Owner: S-1-5-21-2984388398-6913812-1553380050-512

    • Michael Grafnetter says:

      It might take up to 3 hours before the adminCount attribute changes from 0 to 1 after adding a user to Domain Admins. This is standard AD behavior. See this article.

  33. jesus says:

    Hi Michael, do you know any way to get the clear password from the NT hash? In other words, can I get this data when Active Directory is 2008 or upper and “Store passwords using reversible encryption” is unchecked?

    • Michael Grafnetter says:

      Hey jesus, there is no way to get the cleartext password from the DB if it is not stored there. But you could try to attack the NTLM hash.

  34. jesus says:

    Hi Michael! I tried this, but I think since W2008 the LM hash is not stored in the AD. Do you know any way to get the LM hash in W2012?

    • Michael Grafnetter says:

      You can only extract the LM hash if it is stored in the DB in the first place. This is disabled by default on modern versions of Windows, but can be enabled by GPO (not recommended).

  35. JD says:

    Hey Michael, I’m using your code across domains but am being blocked by a firewall. What port needs to be open to run Get-ADReplAccount?

    Thanks in advance.

  36. Seb says:

    Hello Michael I see you use MS-DRSR in the DSInternals module to dump hashes from a DC.
    Can it be done locally without using MS-DRSR? I need to dump hashes in order to sync them elsewhere; I’d like to avoid as many third-party tools as possible (please take no offense), and just give the Ds-Replication-Get-Changes-All privilege to a service account and dump the hashes in the simplest way possible. Do you see a way to do so?

    Thanks in advance

    • Michael Grafnetter says:

      You can either use MS-DRSR or password filters. There is no other online supported way of retrieving password hashes.

  37. Grant says:

    Hi Michael, we have disabled LM Hashes in the domain but there are a large number of accounts that still have them stored in AD because they haven’t updated their password. I’m using your tool to write a script to change them using a combination of Get-ADReplAccount and Set-SamAccountPasswordHash which is working quite well. I want to run this in a script and log the output fully but the problem I have is that the LMHash attribute of the users is stored in a byte array that needs to be converted to a string to log properly. This is obviously done for the Get-ADReplAccount command as it displays it in a string during the output.

    Can you point me to where that output is configured in the code source so I can use the same mechanism to output the LMhashes as strings in my script?

  38. Grant says:

    Never mind, I worked out a method using:
    "$($account.NTHash | % { $_.ToString("x2") })" -replace " ", ""

  39. noobs says:

    hi Michael,

    could you please show me how to use your ConvertTo-Hex cmdlet? current expression is :

    Get-ADReplAccount -All -Domain secret -Server Test | select samaccountname, @{name = 'NTHash'; Expression = {$PSItem.NTHash} } > ……output.txt

    The output in the NTHash column is {000,000,000,000…}

    • Michael Grafnetter says:

      @{name = 'NTHash'; Expression = { ConvertTo-Hex $PSItem.NTHash } }

      Or you can use one of the Views instead, e.g.:
      Get-ADReplAccount -All -Domain secret -Server Test | Format-Custom -View HashcatNT > output.txt

      • TT says:

        Michael, I tried the HashcatNT view option, but when I try to parse the file, I cannot assign a variable to the split values. Any help is appreciated.

        $Users = Get-Content output.txt

        foreach ($User in $Users) {
            # This does NOT work
            $Username = ($User -split ':')[0]
            # This outputs the correct value, but not
            ($User -split ':')[-1]
        }

        I am trying to get the values to run the command, but the hash is not working.
        Set-SamAccountPasswordHash -SamAccountName $Username -Domain test -NTHash ($User -split ':')[-1]

        • Michael Grafnetter says:

          Don’t use the HashcatNT view for this purpose and just do Get-ADDBAccount…| foreach {Set-SamAccountPasswordHash -SamAccountName $PSItem.SamAccountName …}

  40. Michael says:

    Seems like a really cool tool. Unfortunately for me, I get an unauthorizedaccessexception.

    Any ideas?

    + CategoryInfo : NotSpecified: (:) [Get-ADReplAccount], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,DSInternals.PowerShell.Commands.GetADReplAccountComma

    • Michael Grafnetter says:

      Hi Michael, you apparently do not have the Replicating Directory Changes All permission.

  41. Aikido_Man says:

    I know this is an older post but I’m hoping you can still help.
    I’m able to pull the information I need from my server. How can I format the text to have SamAccountName and NTHash?
    I’m using this command:
    Get-ADUser -SearchBase "OU=Admins,OU=company Users,DC=company,dc=com" -Filter * | Select-Object -Property ObjectGuid | Get-ADReplAccount -Server server1 | select SamAccountName, @{Name = 'NTHash'; Expression = {$PSItem.NTHash}}

    Problem is, it shows an “array”:
    UserA {247, 120, 183, 170…}
    UserB {183, 95, 226, 78…}
    UserC {103, 89, 154, 19…}

    Any ideas how I can pull just the one hash that I can then run through hashcat?

    I’m trying to show my employer how weak our password policy is by cracking our own passwords. (maybe even his)

  42. Nico says:

    Dear Michael, I’ve looked at your source code but quite frankly this is on another level which I cannot possibly understand!
    I’d like to sync passwords via the NTLM hash between two ADs. Using the PS command this works perfectly; however, I would like to write some C# code using your framework. Could you possibly give some guidance on which DLLs I need to reference and the format of the commands to extract the hash on the source AD and then to set the hash in the target AD?


    • Michael Grafnetter says:

      Hi Nico, you should use the DSInternals.SAM and DSInternals.DataStore NuGet packages.

  43. NKN says:

    Hello Michael,

    I’m getting the below error when trying to load the module. I have ver 3 on my machine.

    Import-Module : The specified module ‘.\DSInternals\’ was not loaded because no valid module file was found in any
    module directory.
    At line:1 char:1
    + Import-Module .\DSInternals\
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ResourceUnavailable: (.\DSInternals\:String) [Import-Module], FileNotFoundException
    + FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand

    • Michael Grafnetter says:

      When loading the module from non-default locations, path to the DSInternals.psd1 module manifest has to be provided.

  44. Ron Naeyaert says:


    Would this work for an AD LDS directory? If so, what would the command look like to extract the hash for a user entry? The users are in ou=customers,ou=people,o=b2c.


    • Michael Grafnetter says:

      Hi Ron, I have not implemented support for AD LDS into this cmdlet yet, as its schema is very flexible when compared with AD and it uses a different (and undocumented) data structure to store hashes.

  45. I cannot dump the password hashes of my Active Directory

    my settings
    user: administrador
    pass: 1qaz2wsx..
    port: 636
    user Dn: cn=administrador,cn=users,dc=labti,dc=info
    base dn: dc=labti,dc=info
    windows server 2012
    powershell 5


    PS C:\Users\Administrador> Get-ADReplAccount -All -NamingContext 'DC=labti,DC=info' -Server LON-DC1
    Get-ADReplAccount : RPC server is unavailable

    PS C:\Users\Administrador> Get-ADReplAccount -SamAccountName 'isaque.neves' -Domain labti -Server LON-DC1 -Credential $c
    red -Protocol TCP
    Get-ADReplAccount : RPC server is unavailable

    • Michael Grafnetter says:

      Hi Isaque, that seems to be a firewall issue. The MS-DRSR protocol does not use LDAP. By default, you need TCP port 135 and 49152-65535 to be open.

  46. Andrei Galkin says:

    Hi Michael,

    You did great work. I have a question. Is there a way to also get the password expiry date with the hashes, or separately, in DSInternals?


    • Michael Grafnetter says:

      Hi Andrei, this is currently not possible. You can mount an ntds.dit DB using dsamain.exe and get the pwdLastSet values. Expiration is complex, as you would need to analyse Fine-Grained Password Policies, not just the Default Domain Policy.

  47. Dime says:

    Hi Michael,

    what permission is required to run the script
    Get-ADReplAccount -All -Server $DC -NamingContext $Domain | Test-PasswordQuality ? domain admin only?


    • Michael Grafnetter says:

      The Replicating Directory Changes All permission is required, which is by default only assigned to Administrators (and DCs).

  48. goof says:

    Good job

  49. Rafael says:

    Hello Michael, great Job!!!
    Already installed, but I have one question. I’m passing an internal audit, and they are asking me if I can demonstrate that the ntds.dit file has only NTLMv2 or Kerberos hashes. Is there any way to do it with this?

    • Michael Grafnetter says:

      Sure! Use the Test-PasswordQuality cmdlet to check if there are any LM hashes present in the DB. Just note that there is no such thing as NTLMv2 hash. The hash function is actually called NT OWF (=one-way function), but I prefer calling it NT hash.

  50. Aeias says:

    Hello Michael. You did a great job. I need help setting up this script. I use the following settings:

    $Passwords = "C:\tmp\pwd.txt"
    $Params = @{
        "All" = $True
        "Server" = 'my-dc1'
        "NamingContext" = 'dc=contoso,dc=com'
    }
    Get-ADReplAccount @Params | Test-PasswordQuality -WeakPasswordsFile $Passwords -IncludeDisabledAccounts

    In the output, I have:
    Passwords of these accounts have been found in the dictionary:

    How can I make the found password appear next to each user? If possible, tell me what the expression will look like.

    • Michael Grafnetter says:

      The feature to display the cleartext passwords will be re-added in a future version.

  51. Panagiotis Tsiamis says:

    Hello Michael, great tool! I have made an export of my Active Directory and successfully imported my data onto an OpenLDAP server. I now use your utility to bring the passwords too, but it seems that all the hashes there will not work on OpenLDAP even if I follow password schemes like from:

    Any idea how I should convert these passwords so that OpenLDAP will accept them?

    Openldap accepts the following password schemes: If -h is specified, one of the following RFC 2307 schemes may be specified: {CRYPT}, {MD5}, {SMD5}, {SSHA}, and {SHA}. The default is {SSHA}.

    Note that scheme names may need to be protected, due to { and }, from expansion by the user’s command interpreter.

    {SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1), the latter with a seed.

    {MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the latter with a seed.

    {CRYPT} uses the crypt(3).

    {CLEARTEXT} indicates that the new password should be added to userPassword as clear text. Unless {CLEARTEXT} is used, this flag is incompatible with option -g.

    Thanks and best regards

    • Michael Grafnetter says:

      Hi, none of those schemes you mention are compatible with AD password hashes. You should enable NTLM (uses MD4 hashes) or GSSAPI (uses Kerberos, for which you need a KDC service).

  52. MikeD says:

    Hi Michael, thanks for your work. I need your support. I'm using a script to synchronize passwords between two domains. I can't do the job in the same script and I need to export the passwords and reimport them in the other domain. I exported the NTHash of some users to a CSV file. I'm trying to reimport them into the corresponding users in the other domain.

    $hashes = @()
    foreach ($user in $UserList) {
        #$hashes = Get-ADReplAccount -All -NamingContext $sourceDomainDN -Server $sourceDomainFQDN -Credential $sourceDomainCredential -Protocol TCP
        $userhash = Get-ADReplAccount -SamAccountName $user.SamAccountName -Domain $sourceDomainNetBIOS -Server $sourceDomainFQDN -Credential $sourceDomainCredential -Protocol TCP
        $hashes += $userhash
    }
    # NTHash is a byte[]; Export-Csv writes it out as the string "System.Byte[]"
    $hashes | Select-Object SamAccountName, NTHash | Export-Csv .\pwdsync\exphashes.csv -Append -NoTypeInformation

    $hashes = Import-Csv -Path $ExportHashCSV

    $tobeSynced = Get-Content -Path $tobeSyncedpath
    $UserList = $tobeSynced | Get-ADUser -Server $targetDomainFQDN -Credential $targetDomainCredential

    # Loop through these users
    foreach ($user in $UserList) {
        # Get the hash of the user in the hashes collection
        $currentUserHash = $hashes | Where-Object { $_.SamAccountName -eq $user.SamAccountName }

        # Convert hash to string
        $NTHash = ([System.BitConverter]::ToString($currentUserHash.NTHash) -replace '-', '').ToLower()
    }

    When converting to string I get this error:
    Cannot convert argument "value", with value: "System.Byte[]", for "ToString" to type "System.Byte[]": "Cannot convert value "System.Byte[]" to type "System.Byte[]". Error: "Cannot convert
    value "System.Byte[]" to type "System.Byte". Error: "Input string was not in a correct format."""

    I’m pretty sure I’m doing something wrong on exporting to csv. Do you have any idea?
    thanks for your support

    • Michael Grafnetter says:

      Hi, try converting the NTHash binary property into string using ConvertTo-Hex before exporting it.
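
The round trip the reply describes, as an added example that is not code from the post or from DSInternals: the NT hash is written to the CSV as 32 hex characters and parsed back into a 16-byte array before it is handed to Set-SamAccountPasswordHash. Assumptions: DSInternals is installed for the two live functions; the $source*/$target* variables, the file paths and the sample hash are placeholders made up for this example; ConvertTo-Hex -Input is the module cmdlet named in the reply and in the error message quoted further down the thread, and -Server/-Credential on Set-SamAccountPasswordHash are taken from the module's documentation rather than from this page.

```powershell
# Added example (not from the post or DSInternals): export NT hashes as hex text
# so they survive Export-Csv/Import-Csv, then rebuild the byte[] on the target side.

function ConvertTo-HexString {
    param([Parameter(Mandatory)][byte[]] $Bytes)
    # Same output as the module's "ConvertTo-Hex -Input $Bytes", done with .NET so
    # the helpers can be exercised without the module loaded.
    ([System.BitConverter]::ToString($Bytes) -replace '-', '').ToLowerInvariant()
}

function ConvertFrom-HexString {
    param([Parameter(Mandatory)][string] $Hex)
    if ($Hex.Length % 2 -ne 0 -or $Hex -notmatch '^[0-9a-fA-F]*$') {
        throw "Not a hex string: '$Hex'"
    }
    $bytes = New-Object byte[] ([int]($Hex.Length / 2))
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    ,$bytes   # leading comma keeps the pipeline from unrolling the array into single bytes
}

function Export-NTHashCsv {
    # Source domain: one row per account, hash stored as hex text (assumed variables: $source*)
    param([Parameter(Mandatory)][string[]] $SamAccountNames, [Parameter(Mandatory)][string] $Path)
    $rows = foreach ($name in $SamAccountNames) {
        $acct = Get-ADReplAccount -SamAccountName $name -Domain $sourceDomainNetBIOS -Server $sourceDomainFQDN -Credential $sourceDomainCredential -Protocol TCP
        if ($null -eq $acct.NTHash) { Write-Warning "$name has no NT hash, skipping"; continue }
        [pscustomobject]@{
            SamAccountName = $acct.SamAccountName
            NTHashHex      = ConvertTo-HexString $acct.NTHash
        }
    }
    $rows | Export-Csv -Path $Path -NoTypeInformation
}

function Import-NTHashCsv {
    # Target domain: parse the hex back into 16 bytes and write it to the matching account (assumed variables: $target*)
    param([Parameter(Mandatory)][string] $Path)
    foreach ($row in Import-Csv -Path $Path) {
        [byte[]] $nt = ConvertFrom-HexString $row.NTHashHex
        if ($nt.Length -ne 16) { throw "$($row.SamAccountName): NT hash must be 16 bytes, got $($nt.Length)" }
        Set-SamAccountPasswordHash -SamAccountName $row.SamAccountName -Domain $targetDomainNetBIOS -Server $targetDomainFQDN -Credential $targetDomainCredential -NTHash $nt
    }
}

# Offline self-check of the hex round trip with a made-up 16-byte value
[byte[]] $sampleHash = 0..15
$hex = ConvertTo-HexString $sampleHash
if ($hex -ne '000102030405060708090a0b0c0d0e0f') { throw "hex encode failed: $hex" }
[byte[]] $decoded = ConvertFrom-HexString $hex
if ($decoded.Length -ne 16 -or (ConvertTo-HexString $decoded) -ne $hex) { throw 'hex decode failed' }
'hex round trip ok'
```

The CSV now contains reusable password-equivalent material, so keep it on an encrypted volume, delete it once the import has run, and do the export and import from a machine you would trust with a domain controller backup.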

  53. Paul says:

    Hello Michael,

    What are the security implications of using the Get-ADReplAccount cmdlet? Would someone potentially be able to sniff usable packets during a legitimate replication? Is the communication between the computer running the script and the DC it’s communicating with secure?

    Thank you for your support and work on this great tool.


    • Michael Grafnetter says:

      Hi Paul, the replication traffic is always encrypted at the RPC PDU level. Second layer of encryption is used when transferring secret attributes. The encryption keys are derived from the authentication layer (=Kerberos/NTLM). The Get-ADReplAccount cmdlet of course does in-memory decryption of all the data, including secret attributes (=password hashes). It should therefore only be executed from a secure computer. If you export the hashes to a file, that file should also be handled with security in mind.

  54. Mubarak says:

    Thanks for your work. what is the footprint can be left on DC? Any logs can be found on DC if someone used this Module.

    • Michael Grafnetter says:

      If you enable DS Access Logging, the usage of extended permission {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} will be logged. You can also enable Diagnostic Logging of Replication Events in the DC registry, which would give you more info on the objects replicated.
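
What that logging looks like in practice, as an added example that is not code from the post or from DSInternals: with "Audit Directory Service Access" enabled and the domain naming context's SACL auditing control access, each replication read is recorded as Security event 4662 ("An operation was performed on an object") whose Properties list contains the GUID from the reply. The filter below picks those events out and discards the domain controllers' own replication, which runs under machine accounts (names ending in $). The three sample events are constructed; the account names, the second GUID and the DC name are made up.

```powershell
# Added example (not from the post or DSInternals): flag replication reads in the Security log.

$ReplicatingChangesAll = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # GUID from the reply above

function Test-ReplicationRead {
    param(
        [Parameter(Mandatory)] $Record,            # anything with Id, TimeCreated and Message (Get-WinEvent output)
        [string[]] $KnownSyncAccounts = @()        # accounts expected to replicate, e.g. a directory sync service account
    )
    if ($Record.Id -ne 4662) { return }
    if ($Record.Message -notmatch [regex]::Escape($ReplicatingChangesAll)) { return }
    # The first "Account Name:" in a 4662 message belongs to the Subject, i.e. the caller
    $account = if ($Record.Message -match 'Account Name:\s+(\S+)') { $Matches[1] } else { 'unknown' }
    if ($account.EndsWith('$')) { return }         # DC-to-DC replication under a machine account
    if ($KnownSyncAccounts -contains $account) { return }
    [pscustomobject]@{ Time = $Record.TimeCreated; Account = $account; Id = $Record.Id }
}

function Find-ReplicationReads {
    # Live use: read 4662 from one DC's Security log. The event lands on the DC that
    # served the request, so run this against every DC, and bound the time window.
    param(
        [Parameter(Mandatory)][string] $DomainController,
        [datetime] $Since = (Get-Date).AddDays(-1),
        [string[]] $KnownSyncAccounts = @()
    )
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $Since } |
        ForEach-Object { Test-ReplicationRead -Record $_ -KnownSyncAccounts $KnownSyncAccounts }
}

# Constructed sample events, trimmed to the fields the filter reads
$samples = @(
    [pscustomobject]@{ Id = 4662; TimeCreated = Get-Date; Message = "An operation was performed on an object.`r`n`r`nSubject :`r`n`tAccount Name:`t`tjdoe`r`n`tAccount Domain:`t`tCONTOSO`r`n`r`nOperation:`r`n`tAccesses:`t`tControl Access`r`n`tProperties:`tControl Access`r`n`t{$ReplicatingChangesAll}`r`n" },
    [pscustomobject]@{ Id = 4662; TimeCreated = Get-Date; Message = "An operation was performed on an object.`r`n`r`nSubject :`r`n`tAccount Name:`t`tDC02`$`r`n`tAccount Domain:`t`tCONTOSO`r`n`r`nOperation:`r`n`tProperties:`tControl Access`r`n`t{$ReplicatingChangesAll}`r`n" },
    [pscustomobject]@{ Id = 4662; TimeCreated = Get-Date; Message = "An operation was performed on an object.`r`n`r`nSubject :`r`n`tAccount Name:`t`tjdoe`r`n`tAccount Domain:`t`tCONTOSO`r`n`r`nOperation:`r`n`tProperties:`tWrite Property`r`n`t{00000000-1111-2222-3333-444444444444}`r`n" }
)
$hits = @($samples | ForEach-Object { Test-ReplicationRead -Record $_ })
if ($hits.Count -ne 1 -or $hits[0].Account -ne 'jdoe') { throw "unexpected result: $($hits | Out-String)" }
$hits | Format-Table -AutoSize
```

Two caveats a practitioner will run into: 4662 is a high-volume event, so scope the SACL to the control access right rather than auditing everything on the NC, and the same event is produced whether the caller is this cmdlet, a rogue DC, or mimikatz, so the account name is the useful pivot, not the tool.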

  55. Marc Leonard says:

    Hi Michael, is there a possible way to store our domain Windows 10 password into a variable in PowerShell? I have two domains with no trust but have all the same usernames and passwords on each domain. I am just trying to connect a network drive from one domain using the password credential of the Windows 10 connected domain.

  56. Jake says:

    Hi Michael, having an issue where your set-samaccountpasswordhash cmdlet is not being able to connect to the domain. Getting the following error:

    Set-SamAccountPasswordHash : The specified domain either does not exist or could not be contacted
    At line:6 char:1
    + Set-SamAccountPasswordHash -SamAccountName testjna15b -Domain “ghs” – …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Set-SamAccountPasswordHash], ActiveDirectoryServerDownException
    + FullyQualifiedErrorId : System.DirectoryServices.ActiveDirectory.ActiveDirectoryServerDownException,DSInternals.PowerShell.Commands.SetSamAccountPasswordHashCommand

    I tried using "" or just the domain.

  57. John Williams says:

    I am doing a domain migration with a trust relationship established. I want to do a simple Get-ADReplAccount | Set-SamAccountPasswordHash but I get the error
    ConvertTo-Hex : Cannot bind argument to parameter ‘Input’ because it is null.

    Any suggestions?

  58. RDGR says:

    Michael – I am looking for a powershell command/script that can tell how many characters are being used in our AD user passwords. Is there a way to do this either through your DSInternals module or other method? RDGR

  59. Eskimo says:

    I'm stunned at why it is so easy to get the clear text version of the password. I have an important question: How can we AVOID this?

    What measures can be taken to block the offline AD DB attack? I know that sometimes an insider attacker already being Admin is bad enough, but what I need is just a way to prevent admins from seeing the plain text passwords of the users. Right now it's a matter of not making a bad situation worse: first admin rights, and besides that, knowing all users' passwords. How to avoid this?

    I'm not sure if I got it correctly, but even using WinServer2016 and changing RC4/MD5 to something stronger, removing LM and NTLM hashes, it might be impossible to avoid the discovery of users' passwords?

    • Michael Grafnetter says:

      That’s simple: Just don’t give non-Domain Admins access to domain controller hard drives or backups.

  60. Calvin says:

    On the output below, is Hash2 a legitimate LM hash? It's 32 characters, just like the NTHash. Additionally, is Hash3 useful for any cracking, or is that to craft Kerberos traffic?
    NTHash: Hash1
    Hash 01: Hash1
    Hash 01: Hash2?
    Key: Hash3?
    Salt: FQDNusername
    Flags: 0

    • Michael Grafnetter says:

      Hi, NT hashes ( = MD4) are much easier to crack than the salted MD5 hashes with multiple iterations. Hashes in LM history are randomly generated by DCs if LM hash storage is turned off. So they have no real value in most environments.

  61. Shah says:

    Hi Michael.. How can I list down or export user list for user that using same NTHash?

    • Michael Grafnetter says:

      … | Test-PasswordQuality | Select-Object -ExpandProperty DuplicatePasswordGroups | ForEach-Object { $PSItem -join ‘,’ }

      • Shah says:

        Hi Michael,

        I'm sorry, I am not familiar with PowerShell commands. I ran the command line that you provided but I received the error below. Actually I want to export the Active Directory users that use the same NTHash (I have the NTHash that I want from my test user) into a *.csv file.

        PS C:\Program Files\WindowsPowerShell\Modules\DSInternals\3.1> … | Test-PasswordQuality | Select-Object -ExpandProperty
        DuplicatePasswordGroups | ForEach-Object { $PSItem -join ‘,’ }
        … : The term ‘…’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spell
        ing of the name, or if a path was included, verify that the path is correct and try again.
        At line:1 char:1
        + … | Test-PasswordQuality | Select-Object -ExpandProperty DuplicatePas …
        + ~
        + CategoryInfo : ObjectNotFound: (…:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException

        • Michael Grafnetter says:

          You of course replace the 3 dots (…) with the Get-ADReplAccount or Get-ADDBAccount cmdlet with proper parameters. See the documentation for more examples.

  62. guser1 says:

    Hi Michael, I do hold you in high esteem. I need your help; I tried to do some tests using DSInternals but to no avail.
    PS C:\Users\user1> Get-ADReplAccount -SamAccountName user1 -Domain testdomain -Server DC-1 -Credential $cred -Protocol TCP
    Get-ADReplAccount : Replication access was denied
    At line:1 char:1
    + Get-ADReplAccount -SamAccountName user1 -Domain testdomain -Server DC …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-ADReplAccount], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,DSInternals.PowerShell.Commands.GetADReplAccountCommand

    Why do I get the "Replication access was denied" error?
    Also I’d like to get in touch with you personally Is that possible?
    thanks a lot

    • Michael Grafnetter says:

      Hi, you are getting Access Denied. That typically means you do not have the “Replicating Directory Changes All” permission.

  63. Fernando says:

    Michael, Is it possible to export AD user info including pwd and import them into an AD LDS?

  64. Vladimir says:

    I created this file.
    $PSDefaultParameterValues['*:Encoding'] = 'utf8'
    Import-Module DSInternals
    $cred = Get-Credential
    $NewUsersList = Import-Csv "F:\exports\user1.csv"
    ForEach ($User in $NewUsersList) {
        # -Server had no value in the posted script; $DC stands for the domain controller name
        Get-ADReplAccount -SamAccountName $User.sAMAccountName -Domain Premiere -Server $DC -Credential $cred -Protocol TCP | Out-File -FilePath 'F:\exports\allusers-hash.txt' -Append
    }

  65. Sander says:

    Michael, hello! I ask you to help me, please! I just can’t figure out the script that can get the ntds.dit file from AD to check password hashes for leaks on (locally or online).

  66. Rich says:

    Michael, so far the code you created is looking very promising for doing what I’m trying to do but I could really use a bit of help getting to the finish line. We are looking into switching from using AD to a Custom Identity Management Database but I need to be able to export the users Passwords to text or know exactly how they are encrypted so that I can finish creating a stored procedure to authenticate the users from our website. Here is the command that I have been trying to work with. Get-ADReplAccount -SamAccountName 426037 -Domain XXXX -Server XXXXXXX | Format-Custom -View HashcatNT and here is the output.
    Can you help me get the info I require?

  67. silverfox says:

    I am running this on the win2016 server and I get this error

    Get-ADReplAccount : There are no more endpoints available from the endpoint mapper

  68. Apoorv says:

    Hi Michael, could you provide a PowerShell script that can identify all IDs in AD that have the read role for password hashes?

    • Michael Grafnetter says:

      The permission is Replicating Directory Changes All at the domain level. I currently do not have a PS script for that.
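
One way to answer the question above, as an added example that is not code from the post or from DSInternals: read the DACL of the domain naming context and report every Allow ACE that grants the "Replicating Directory Changes All" control access right, either explicitly by its GUID, through an ExtendedRight ACE with an empty object type (all control access rights), or through GenericAll. Live use needs the ActiveDirectory RSAT module for the AD: drive; the ACEs in the offline self-check are constructed, and the CONTOSO principal names are made up.

```powershell
# Added example (not from the post or DSInternals): who can replicate secrets from a domain NC.

Add-Type -AssemblyName System.DirectoryServices
$ReplicatingChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # GUID from the reply to Mubarak above
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Select-ReplicationAce {
    # Emits one record per Allow ACE that grants the right, and says through which path.
    param([Parameter(Mandatory)] $Access)   # ActiveDirectoryAccessRule objects, e.g. (Get-Acl 'AD:\DC=...').Access
    foreach ($ace in $Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $rights      = $ace.ActiveDirectoryRights
        $hasExtended = ($rights -band $ExtendedRight) -eq $ExtendedRight
        $via = $null
        if (($rights -band $GenericAll) -eq $GenericAll)                          { $via = 'GenericAll (full control)' }
        elseif ($hasExtended -and $ace.ObjectType -eq $ReplicatingChangesAll)      { $via = 'ExtendedRight (this GUID)' }
        elseif ($hasExtended -and $ace.ObjectType -eq [guid]::Empty)               { $via = 'ExtendedRight (all control access rights)' }
        if ($via) {
            [pscustomobject]@{ Identity = $ace.IdentityReference.Value; Via = $via; Inherited = $ace.IsInherited }
        }
    }
}

function Get-ReplicationRightHolders {
    # Live use; run as a user who can read the naming context's security descriptor.
    param([Parameter(Mandatory)][string] $NamingContext)   # e.g. 'DC=contoso,DC=com'
    Import-Module ActiveDirectory -ErrorAction Stop
    $acl = Get-Acl -Path "AD:\$NamingContext"
    Select-ReplicationAce -Access $acl.Access | Sort-Object Identity -Unique
}

# Offline self-check with constructed ACEs (NTAccount names are not resolved here)
function New-Ace([string] $Name, [System.DirectoryServices.ActiveDirectoryRights] $Rights, [guid] $ObjectType) {
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        [System.Security.Principal.NTAccount] $Name, $Rights,
        [System.Security.AccessControl.AccessControlType]::Allow, $ObjectType)
}
$sample = @(
    (New-Ace 'CONTOSO\svc-sync' $ExtendedRight $ReplicatingChangesAll)                                          # explicit grant
    (New-Ace 'CONTOSO\helpdesk' $ExtendedRight ([guid]::NewGuid()))                                            # some other control access right
    (New-Ace 'BUILTIN\Administrators' $GenericAll ([guid]::Empty))                                             # full control implies it
    (New-Ace 'CONTOSO\auditors' ([System.DirectoryServices.ActiveDirectoryRights]::GenericRead) ([guid]::Empty)) # read only
)
$holders = @(Select-ReplicationAce -Access $sample)
if (($holders.Identity -join ';') -ne 'CONTOSO\svc-sync;BUILTIN\Administrators') { throw "unexpected: $($holders.Identity -join ';')" }
$holders | Format-Table -AutoSize
```

This reports the DACL as written: it does not expand group membership, apply Deny ACEs, or check the other naming contexts, so treat the output as the list of groups and accounts whose membership you then have to review.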
