MichaelGrafnetter / DSInternals

Directory Services Internals (DSInternals) PowerShell Module and Framework
https://www.dsinternals.com
MIT License
1.62k stars 250 forks

Support for remote call #147

arsalanaltaf432 closed 1 year ago

arsalanaltaf432 commented 1 year ago

I'm working on Active Directory password synchronization using DSInternals. It's working perfectly in the local call. I want to know whether DSInternals supports remote calls for

If it supports it, how can we connect to the DSInternals module remotely using PowerShell?

MichaelGrafnetter commented 1 year ago

My advice is that you should not do it in the first place, as Set-SamAccountPasswordHash does not support Kerberos keys because of API limitations. And I would definitely not implement it in PowerShell, but I would instead use C# with DSInternals NuGet packages. But to answer your question, both Get-ADReplAccount and Set-SamAccountPasswordHash can connect to remote DCs if you provide a DC name and if you have the permissions required.

arsalanaltaf432 commented 1 year ago

Thanks, Michael. I'll get back to you if I have any other queries.

CamFlyerCH commented 1 year ago

@arsalanaltaf432 I built a password synchronization years ago using DS-Internals and it was very useful in some AD to AD migration projects. But there is also a big issue: When the NTLM password hash is written to an account, the AES hashes are gone and there are none. The user can use the synced password to log in, but when he wants to change it (for example via Ctrl, Alt & Del) he receives an encryption error message. To perform the password change the AES keys are needed. I am not sure from which OS version this was mandatory, but synchronized NTLM hashes for normal users were not an option anymore. It could work for other use cases, but I agree with Michael that this is not a good option.

Regarding password sync: To facilitate AD to AD migration projects regarding user passwords, I developed a password synchronization based on a password filter DLL on the domain controller to "grab" the password during a password change and write it to the new domain. The write is done via a PowerShell script that first performs different checks and filtering (find target account, check if AdminCount is not 1 and some more specialized filtering to avoid looping in a bidirectional sync scenario). Since this was developed for my company I can't share this publicly. But these projects inspired me: https://sourceforge.net/projects/passwdhk/ https://github.com/raandree/ManagedPasswordFilter https://github.com/GoSecure/DLLPasswordFilterImplant
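
The pre-write checks described in the comment above, as an added example that is not part of the thread and not CamFlyerCH's unpublished script. The function name, its parameters, the 120-second loop window and the sample accounts are assumptions; the account objects stand in for `Get-ADUser` output that includes `adminCount`.

```powershell
# Added example: gate that decides whether a captured password change may be
# written to the target domain. All names here are hypothetical.
function Test-PasswordSyncTarget {
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [object[]] $TargetAccounts,  # stand-in for Get-ADUser results
        [hashtable] $RecentSyncWrites = @{},  # account -> time the sync last wrote it in the SOURCE domain
        [datetime]  $Now = (Get-Date),
        [int]       $LoopWindowSeconds = 120  # assumed suppression window
    )
    $deny = { param($reason)
        [pscustomobject]@{ Account = $SamAccountName; Allowed = $false; Reason = $reason } }

    # 1. Find the target account: require exactly one match, otherwise refuse.
    $found = @($TargetAccounts | Where-Object { $_.SamAccountName -eq $SamAccountName })
    if ($found.Count -ne 1) { return & $deny "expected 1 target account, found $($found.Count)" }

    # 2. Skip protected accounts (adminCount = 1), so privileged credentials
    #    are never carried across the domain boundary by the sync.
    if ($found[0].adminCount -eq 1) { return & $deny 'adminCount is 1' }

    # 3. Loop guard for bidirectional sync (one possible approach, assumed):
    #    if the sync itself just set this password in the source domain, the
    #    change event is an echo of our own write and must not be sent back.
    if ($RecentSyncWrites.ContainsKey($SamAccountName) -and
        ($Now - $RecentSyncWrites[$SamAccountName]).TotalSeconds -lt $LoopWindowSeconds) {
        return & $deny 'change was written by the sync itself'
    }

    [pscustomobject]@{ Account = $SamAccountName; Allowed = $true; Reason = 'ok' }
}

# Constructed sample data (not real accounts).
$targets = @(
    [pscustomobject]@{ SamAccountName = 'alice';  adminCount = $null }
    [pscustomobject]@{ SamAccountName = 'da-bob'; adminCount = 1 }
    [pscustomobject]@{ SamAccountName = 'carol';  adminCount = $null }
)
$now    = Get-Date '2024-01-01T12:00:00'
$recent = @{ carol = $now.AddSeconds(-30) }   # the sync wrote carol 30 seconds ago

# alice passes; da-bob, carol and the unknown account dave are each refused.
'alice', 'da-bob', 'carol', 'dave' | ForEach-Object {
    Test-PasswordSyncTarget -SamAccountName $_ -TargetAccounts $targets `
        -RecentSyncWrites $recent -Now $now
}
```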

arsalanaltaf432 commented 1 year ago

Thanks, @CamFlyerCH, an important point. I'll have a look into that.