MichaelGrafnetter / DSInternals

Directory Services Internals (DSInternals) PowerShell Module and Framework
https://www.dsinternals.com
MIT License

Tool functionality when AD passwords are salted #143

Closed manulalath closed 2 years ago

manulalath commented 2 years ago

Hello There,

How does this tool work when the AD password is salted, especially during a cross-forest password quality test?

Thanks Manu.

MichaelGrafnetter commented 2 years ago

Hi @manulalath, I am not sure which exact command you have in mind. The Set-SamAccountPasswordHash cmdlet only sets NT hashes, which are definitely not salted. The Set-ADDBAccountPasswordHash cmdlet also sets Kerberos AES keys, including the salt, which is then sent by the KDC to the client, so there is no issue either.

manulalath commented 2 years ago

Thanks @MichaelGrafnetter, I indeed use Get-ADReplAccount to test the password quality in cross-forest domains. I want to understand whether cross-forest password quality checks work 100% when one of the domains, or in some cases both domains, have salted passwords. Appreciate your response.

MichaelGrafnetter commented 2 years ago

OK, now I understand the question. The Test-PasswordQuality cmdlet only compares NT hashes, which are NOT salted. So no problem there. Sample code:

$accountsA = Get-ADReplAccount ...
$accountsB = Get-ADReplAccount ...
@($accountsA + $accountsB) | Test-PasswordQuality ...

manulalath commented 2 years ago

Makes sense, thanks @MichaelGrafnetter.