Releases: MichaelGrafnetter/DSInternals
DSInternals PowerShell Module 5.0
Notable Changes
Salvaging BitLocker recovery keys from ntds.dit files
This new capability might be especially useful in disaster recovery scenarios, when AD is not yet fully operational.
PS C:\> Get-ADDBBitLockerRecoveryInformation -All -DatabasePath '.\ADBackup\Active Directory\ntds.dit'
<# Sample Output:
ComputerName RecoveryGuid                         RecoveryPassword
------------ ------------                         ----------------
PC01         704b1998-54ea-4899-8f46-81628b6a0731 366561-423260-035024-137224-631070-580492-357566-596908
PC02         caeaa622-6c6a-4d2b-8e33-29e46df659af 782066-216356-283624-291397-405614-078166-321530-943804
#>
Reconstructing DNS zone files from ntds.dit files
All types of DNS resource records can be extracted from ntds.dit files containing AD-integrated DNS zones. The records can then be saved to zone files or sent to REST APIs, e.g., Azure DNS. This new capability might be especially useful in disaster recovery scenarios, when AD is not yet fully operational.
PS C:\> Get-ADDBDnsResourceRecord -DatabasePath 'C:\IFM Backup\Active Directory\ntds.dit' |
            Where-Object Zone -eq 'contoso.com' |
            Where-Object Type -in SOA,NS,A,CNAME,MX |
            Sort-Object -Property Name
<# Sample Output:
@               3600  IN  SOA    dc01.contoso.com. hostmaster.contoso.com. (
                                 186    ; serial number
                                 900    ; refresh
                                 600    ; retry
                                 86400  ; expire
                                 3600 ) ; default TTL
@               3600  IN  NS     dc01.contoso.com.
@               3600  IN  NS     dc02.contoso.com.
@               600   IN  A      10.213.0.3
@               600   IN  A      10.213.0.9
_msdcs          3600  IN  NS     dc01.contoso.com.
certauth.login  3600  IN  A      10.213.0.4
dc01            3600  IN  A      10.213.0.3
dc02            3600  IN  A      10.213.0.9
ftp             3600  IN  CNAME  www
login           3600  IN  A      10.213.0.4
#>
Support for LAPS and other attributes
Legacy LAPS and Windows LAPS cleartext passwords can now be extracted from ntds.dit files, together with many additional user and computer attributes, including contact information, organizational structure, and OS versions. For large databases, the performance can be improved by selecting which property sets should be fetched and decrypted.
PS C:\> $key = Get-BootKey -SystemHiveFilePath 'C:\IFM Backup\registry\SYSTEM'
PS C:\> Get-ADDBAccount -SamAccountName 'PC01$' `
                        -BootKey $key `
                        -Properties All `
                        -DatabasePath 'C:\IFM Backup\Active Directory\ntds.dit'
<# Sample Output:
DistinguishedName: CN=PC01,CN=Computers,DC=contoso,DC=com
SamAccountName: PC01$
Enabled: True
Deleted: False
Sid: S-1-5-21-2072841070-1873892158-2095746001-1104
Guid: 34017f6d-a264-4681-8738-09780122884f
SamAccountType: Computer
UserAccountControl: WorkstationAccount
DNSHostName: PC01.contoso.com
OperatingSystem: Windows 11 Enterprise
OperatingSystemVersion: 10.0 (26100)
Description: John's computer
ManagedBy: CN=John Doe,OU=Employees,DC=contoso,DC=com
PrimaryGroupId: 515
Location: USA/WA/Seattle
SidHistory:
SupportedEncryptionTypes: RC4_HMAC, AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96
ServicePrincipalName: {HOST/PC01.contoso.com, RestrictedKrbHost/PC01.contoso.com, HOST/PC01, RestrictedKrbHost/PC01...}
LastLogonDate: 1/27/2025 9:22:36 AM
PasswordLastSet: 1/22/2025 9:23:45 PM
SecurityDescriptor: DiscretionaryAclPresent, SystemAclPresent, DiscretionaryAclAutoInherited, SystemAclAutoInherited, SelfRelative
LAPS
  Password: A6a3#7%eb!57be, Expires: 1/24/2025 9:12:27 PM
Key Credentials
  Usage: NGC, Source: AD, Device: , Created: 11/23/2024 10:58:30 PM
Secrets
  NTHash: 0ec8485560274b5352fab8085f83f5cf
  LMHash:
  NTHashHistory:
    Hash 01: 0ec8485560274b5352fab8085f83f5cf
    Hash 02: d3981b0fa179f60b3eac48ea0aa06b62
    Hash 03: f6ab2345d24e09993c972087d189a365
  LMHashHistory:
    Hash 01: ecb0097500ffd72b005071e31a237ed5
    Hash 02: 1d16a311401fba1f5d95090cb4fcacdb
    Hash 03: 1224652b76e22751d79a06a7ce796e56
  SupplementalCredentials:
    ClearText:
    NTLMStrongHash:
    Kerberos:
    KerberosNew:
      Credentials:
        AES256_CTS_HMAC_SHA384_192
          Key: f97e0809c70a0c88aa5e6bc2d891f44e56ded641425a9bb0e9468f83a89b23d1
          Iterations: 4096
...
#>
Export format selection
Instead of using the Format-Custom cmdlet, the desired output format of objects fetched through the replication protocol or decrypted from ntds.dit files can now be selected using the optional -ExportFormat parameter.
PS C:\> Get-ADDBAccount -All -DatabasePath ntds.dit -BootKey $key -ExportFormat PwDump |
            Where-Object SamAccountType -eq User |
            Where-Object Enabled -eq $true |
            Where-Object NTHash -ne $null |
            Out-File -FilePath users.pwdump -Encoding ascii
<# Sample file contents:
Administrator:500:727e3576618fa1754a3b108f3fa6cb6d:92937945b518814341de3f726500d4ff:::
john:1110:NO LM-HASH**********************:92937945b518814341de3f726500d4ff:::
sophos:1111:NO LM-HASH**********************:e08e7f5ad3b9274ca98867343ddea7bd:::
martinez:1115:NO LM-HASH**********************:1d4f8d7a1d8e84e476503577b05b22e6:::
jacobs:1117:NO LM-HASH**********************:3abf11b25d9e1874776c6d5b4889b8af:::
wiley:1183:NO LM-HASH**********************:c6064843430f017c6818ac5eee3e6016:::
simmons:1195:NO LM-HASH**********************:71659e8aba59f027d594977f7fe2a570:::
svc_sql_hr_prod:1223:NO LM-HASH**********************:31d6cfe0d16ae931b73c59d7e0c089c0:::
#>
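As an added example (not part of the DSInternals release notes or module), the following script audits a PwDump-format file like the one above for empty passwords, stored LM hashes, and accounts that share one NT hash. ConvertFrom-PwDumpLine is a hypothetical helper, and the input is constructed from three of the sample lines shown above.

```powershell
# Constructed input: three of the sample pwdump lines shown above.
$lines = @'
Administrator:500:727e3576618fa1754a3b108f3fa6cb6d:92937945b518814341de3f726500d4ff:::
john:1110:NO LM-HASH**********************:92937945b518814341de3f726500d4ff:::
svc_sql_hr_prod:1223:NO LM-HASH**********************:31d6cfe0d16ae931b73c59d7e0c089c0:::
'@ -split '\r?\n'

# Well-known constants: NT hash of the empty string, LM hash of an empty password.
$EmptyNT = '31d6cfe0d16ae931b73c59d7e0c089c0'
$EmptyLM = 'aad3b435b51404eeaad3b435b51404ee'
$HexHash = '^[0-9a-fA-F]{32}$'

# Hypothetical helper: name:rid:lmhash:nthash::: -> object; malformed lines are skipped.
function ConvertFrom-PwDumpLine {
    param([Parameter(ValueFromPipeline)][string] $Line)
    process {
        $f = $Line -split ':'
        if ($f.Count -lt 4 -or $f[1] -notmatch '^\d+$' -or $f[3] -notmatch $HexHash) { return }
        [pscustomobject]@{
            Name   = $f[0]
            Rid    = [uint32] $f[1]
            # Placeholder text such as "NO LM-HASH***" means no LM hash is stored.
            LMHash = if ($f[2] -match $HexHash) { $f[2].ToLower() } else { $null }
            NTHash = $f[3].ToLower()
        }
    }
}

$accounts = $lines | ConvertFrom-PwDumpLine

# Report account names only, so the findings can be shared without the hashes.
$findings = @(
    $accounts | Where-Object NTHash -eq $EmptyNT | ForEach-Object {
        [pscustomobject]@{ Finding = 'Empty password'; Accounts = $_.Name } }
    $accounts | Where-Object { $_.LMHash -and $_.LMHash -ne $EmptyLM } | ForEach-Object {
        [pscustomobject]@{ Finding = 'LM hash stored'; Accounts = $_.Name } }
    $accounts | Where-Object NTHash -ne $EmptyNT | Group-Object NTHash |
        Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{ Finding = 'Shared password'; Accounts = $_.Group.Name -join ', ' } }
)
$findings | Format-Table -AutoSize
```

The module's own Test-PasswordQuality cmdlet, mentioned in the 4.15 and 4.10 notes, runs password checks on the account objects directly; this script only illustrates what the exported format carries.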
See the Changelog for a more detailed list of new features.
PowerShell Module
Standalone module for offline installation and for legacy PowerShell versions is attached. See the Installation Notes before proceeding.
PowerShell Gallery
The PowerShell module is also available on Microsoft's PowerShell Gallery.
Chocolatey
An official Chocolatey package of the DSInternals PowerShell Module is also available. Note that due to a strict approval process, the newest version of the package might appear with some delay.
NuGet Gallery
Official binary packages are available at NuGet Gallery.
DSInternals PowerShell Module 4.16
Notable Changes
The New-ADDBRestoreFromMediaScript cmdlet now properly sets the Configuration NC, Root Domain, and Machine DN Name registry values under the HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters key.
See the Changelog for a more detailed list of new features.
PowerShell Module
Standalone module for offline installation and for legacy PowerShell versions is attached. See the Installation Notes before proceeding.
PowerShell Gallery
The PowerShell module is also available on Microsoft's PowerShell Gallery.
Chocolatey
An official Chocolatey package of the DSInternals PowerShell Module is also available. Note that due to a strict approval process, the newest version of the package might appear with some delay.
NuGet Gallery
Official binary packages are available at NuGet Gallery.
DSInternals PowerShell Module 4.15.1
Notable Changes
This is a PowerShell-only bugfix release.
See the Changelog for a more detailed list of new features.
PowerShell Module
Standalone module for offline installation and for legacy PowerShell versions is attached. See the Installation Notes before proceeding.
PowerShell Gallery
The PowerShell module is also available on Microsoft's PowerShell Gallery.
Chocolatey
An official Chocolatey package of the DSInternals PowerShell Module is also available. Note that due to a strict approval process, the newest version of the package might appear with some delay.
DSInternals PowerShell Module 4.15
Notable Changes
- Implemented support for individual *.txt files from HIBP in the Test-PasswordQuality cmdlet. Kudos to @aseigler.
- The New-ADDBRestoreFromMediaScript cmdlet now generates a more robust DC recovery script.
- The Add-ADDBSidHistory cmdlet has been removed to prevent it from being used in migration scenarios.
See the Changelog for a more detailed list of new features.
PowerShell Module
Standalone module for offline installation and for legacy PowerShell versions is attached. See the Installation Notes before proceeding.
PowerShell Gallery
The PowerShell module is also available on Microsoft's PowerShell Gallery.
Chocolatey
An official Chocolatey package of the DSInternals PowerShell Module is also available. Note that due to a strict approval process, the newest version of the package might appear with some delay.
NuGet Gallery
Version 4.15 is a PowerShell-only release. Previous library versions are available at the NuGet Gallery.
DSInternals PowerShell Module 4.14
Notable Changes
- Minor credential roaming parser improvement.
See the Changelog for a more detailed list of new features.
PowerShell Module
Standalone module for offline installation and for legacy PowerShell versions is attached. See the Installation Notes before proceeding.
PowerShell Gallery
The PowerShell module is also available on Microsoft's PowerShell Gallery.
Chocolatey
An official Chocolatey package of the DSInternals PowerShell Module is also available. Note that due to a strict approval process, the newest version of the package might appear with some delay.
NuGet Gallery
Official binary packages are available at NuGet Gallery.
DSInternals PowerShell Module 4.13
Notable Changes
This is a bugfix release. The Set-LsaPolicyInformation cmdlet now generates the UNICODE_STRING structure with the trailing null character, to improve compatibility with NETLOGON. This issue mainly affects the functionality of the New-ADDBRestoreFromMediaScript cmdlet. Thanks, Christoffer Andersson, for reporting this issue. And sorry, Microsoft support escalation engineers, for the trouble this bug has caused.
If you ever restored a DC from an IFM backup using DSInternals, you need to re-run the Set-LsaPolicyInformation cmdlet with the right parameters on that DC.
PowerShell Module
Standalone module for offline installation and for legacy PowerShell versions is attached. See the Installation Notes before proceeding.
PowerShell Gallery
The PowerShell module is also available on Microsoft's PowerShell Gallery.
Chocolatey
An official Chocolatey package of the DSInternals PowerShell Module is also available. Note that due to a strict approval process, the newest version of the package might appear with some delay.
NuGet Gallery
Official binary packages are available at NuGet Gallery.
DSInternals PowerShell Module 4.12
Notable Changes
- Added support for Windows Server 2025 Insider Preview domain controllers with the 32k database page size optional feature enabled.
- Improved KDS Root Key selection algorithm in the Get-ADDBServiceAccount cmdlet.
See the Changelog for a more detailed list of new features.
PowerShell Module
Standalone module for offline installation and for legacy PowerShell versions is attached. See the Installation Notes before proceeding.
PowerShell Gallery
The PowerShell module is also available on Microsoft's PowerShell Gallery.
Chocolatey
An official Chocolatey package of the DSInternals PowerShell Module is also available. Note that due to a strict approval process, the newest version of the package might appear with some delay.
NuGet Gallery
Official binary packages are available at NuGet Gallery.
DSInternals PowerShell Module 4.11
Notable Changes
- Added the Get-ADDBServiceAccount cmdlet for offline managed password derivation.
- Implemented the Unlock-ADDBAccount cmdlet that can perform offline account unlock.
See the Changelog for a more detailed list of new features.
PowerShell Module
Standalone module for offline installation and for legacy PowerShell versions is attached. See the Installation Notes before proceeding.
PowerShell Gallery
The PowerShell module is also available on Microsoft's PowerShell Gallery.
Chocolatey
An official Chocolatey package of the DSInternals PowerShell Module is also available. Note that due to a strict approval process, the newest version of the package might appear with some delay.
NuGet Gallery
Official binary packages are available at NuGet Gallery.
DSInternals PowerShell Module 4.10
Notable Changes
- The Test-PasswordQuality cmdlet now checks if a user's password is equal to their SamAccountName attribute, thanks to @bluecurby.
- Replication cmdlets in the PowerShell module should now work on the ARM64 platform as well. Tests were performed using the Windows Dev Kit 2023, AKA Project Volterra.
See the Changelog for a more detailed list of new features.
PowerShell Module
Standalone module for offline installation and for legacy PowerShell versions is attached. See the Installation Notes before proceeding.
PowerShell Gallery
The PowerShell module is also available on Microsoft's PowerShell Gallery.
Chocolatey
An official Chocolatey package of the DSInternals PowerShell Module is also available. Note that due to a strict approval process, the newest version of the package might appear with some delay.
NuGet Gallery
Official binary packages are available at NuGet Gallery.
DSInternals PowerShell Module 4.9
Notable Changes
- The Get-BootKey cmdlet should now be able to read inconsistent/corrupted SYSTEM registry hives.
- Implemented the FIPS compliance requirement and operating system checks.
See the Changelog for a more detailed list of new features.
PowerShell Module
Standalone module for offline installation and for legacy PowerShell versions is attached. See the Installation Notes before proceeding.
PowerShell Gallery
The PowerShell module is also available on Microsoft's PowerShell Gallery.
Chocolatey
An official Chocolatey package of the DSInternals PowerShell Module is also available. Note that due to a strict approval process, the newest version of the package might appear with some delay.
NuGet Gallery
Official binary packages are available at NuGet Gallery.