MichaelGrafnetter / DSInternals

Directory Services Internals (DSInternals) PowerShell Module and Framework
https://www.dsinternals.com
MIT License

set-samaccountpasswordhash : Access is denied #150

Open xorded opened 1 year ago

xorded commented 1 year ago

Hi,

I can execute Get-ADReplAccount without an issue. The user being used is an AD domain admin.

set-samaccountpasswordhash -domain westworld -samaccountname adadminuser -nthash ba17e001e5467d85d16ae7247947929c -server W8AAAADS01

set-samaccountpasswordhash : Access is denied At line:1 char:1

MichaelGrafnetter commented 1 year ago

Hard to tell. Is the powershell.exe elevated (Run as Administrator)?

xorded commented 1 year ago

> Hard to tell. Is the powershell.exe elevated (Run as Administrator)?

Yes.

MichaelGrafnetter commented 1 year ago

OK. What about Get-SamPasswordPolicy -Domain westworld, does it work? And net user /domain? Had NetCease been applied to that environment? Or any other hardening? Does the Security log on the DC tell you anything, if you enable all Advanced Auditing categories?

xorded commented 1 year ago

MinPasswordLength : 8
ComplexityEnabled : True
ReversibleEncryptionEnabled : False
MaxPasswordAge : 31.00:00:00
MinPasswordAge : 8.00:00:00
PasswordHistoryCount : 24

net user also works fine. I even changed the password expiry with wmic and the same domain admin user.

It's a red team, so I actually stopped the auditing. I found another way to set the hash with smbpasswd, but I am just confused as to what would block your Set-SamAccountPasswordHash.

MichaelGrafnetter commented 1 year ago

That is strange. I only have a limited AD lab, just re-tested the cmdlet and had no issues. If you figure it out, keep me posted, pls. I would also be curious what mimikatz lsadump::setntlm does, as it seems to be using the same function.

xorded commented 1 year ago

Do you know what type of permissions are needed by Set-SamAccountPasswordHash? Maybe I can check the permissions or something.

MichaelGrafnetter commented 1 year ago

Only the Reset password permission should be required. Just tested it in a clean AD environment with a fully updated Windows Server 2022 21H2 DC:


Command:

Set-SamAccountPasswordHash -SamAccountName joe -Domain contoso -NTHash e19ccf75ee54e06b06a5907af13cef42 -Server dc.contoso.com
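
Added example (not part of the original thread and not DSInternals code): one way to audit which principals hold the Reset password permission mentioned above on an account, by filtering the object's security descriptor for the Reset password extended right (`User-Force-Change-Password`). The function name `Get-ResetPasswordAce` is hypothetical, and the sample descriptor is constructed from well-known SIDs so the filter can be tried without a domain controller.

```powershell
Add-Type -AssemblyName System.DirectoryServices

# rightsGuid of the User-Force-Change-Password ("Reset password") extended right
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'

function Get-ResetPasswordAce {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [System.DirectoryServices.ActiveDirectorySecurity] $SecurityDescriptor
    )
    $extended    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    # Ask for SIDs so no name lookup against a DC is needed
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $SecurityDescriptor.GetAccessRules($true, $true, $sidType)) {
        # The ExtendedRight bit is also part of GenericAll (full control)
        if (-not $ace.ActiveDirectoryRights.HasFlag($extended)) { continue }
        # An empty ObjectType means "all extended rights"
        if ($ace.ObjectType -ne [guid]::Empty -and
            $ace.ObjectType -ne $ResetPasswordGuid) { continue }
        # Inherit-only ACEs apply to child objects, not to this object
        if ($ace.PropagationFlags.HasFlag($inheritOnly)) { continue }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType      # Allow or Deny
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
    }
}

# Constructed sample descriptor: one full-control ACE, one "Change password" ACE
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$rights   = [System.DirectoryServices.ActiveDirectoryRights]
$admins   = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$changePw = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'   # User-Change-Password

$sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
$sd.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $admins, $rights::GenericAll, $allow)))
$sd.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $everyone, $rights::ExtendedRight, $allow, $changePw)))

Get-ResetPasswordAce -SecurityDescriptor $sd

# Against a live directory (requires the ActiveDirectory module):
# Get-ResetPasswordAce (Get-ADUser joe -Properties nTSecurityDescriptor).nTSecurityDescriptor
```

A Deny entry in the output overrides a matching Allow entry for the same principal, so review both types when checking why a reset is refused.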