Notable Changes
Salvaging BitLocker recovery keys from ntds.dit files
This new capability might be especially useful in disaster recovery scenarios, when AD is not yet fully operational.
PS C:\> Get-ADDBBitLockerRecoveryInformation -All -DatabasePath '.\ADBackup\Active Directory\ntds.dit'
<# Sample Output:
ComputerName RecoveryGuid RecoveryPassword
------------ ------------ ----------------
PC01 704b1998-54ea-4899-8f46-81628b6a0731 366561-423260-035024-137224-631070-580492-357566-596908
PC02 caeaa622-6c6a-4d2b-8e33-29e46df659af 782066-216356-283624-291397-405614-078166-321530-943804
#>
Reconstructing DNS zone files from ntds.dit files
All types of DNS resource records can be extracted from ntds.dit files containing AD-integrated DNS zones. The records can then be saved to zone files or sent to REST APIs, e.g., Azure DNS. This new capability might be especially useful in disaster recovery scenarios, when AD is not yet fully operational.
PS C:\> Get-ADDBDnsResourceRecord -DatabasePath 'C:\IFM Backup\Active Directory\ntds.dit' |
Where-Object Zone -eq 'contoso.com' |
Where-Object Type -in SOA,NS,A,CNAME,MX |
Sort-Object -Property Name
<# Sample Output:
@ 3600 IN SOA dc01.contoso.com. hostmaster.contoso.com. (
186 ; serial number
900 ; refresh
600 ; retry
86400 ; expire
3600 ) ; default TTL
@ 3600 IN NS dc01.contoso.com.
@ 3600 IN NS dc02.contoso.com.
@ 600 IN A 10.213.0.3
@ 600 IN A 10.213.0.9
_msdcs 3600 IN NS dc01.contoso.com.
certauth.login 3600 IN A 10.213.0.4
dc01 3600 IN A 10.213.0.3
dc02 3600 IN A 10.213.0.9
ftp 3600 IN CNAME www
login 3600 IN A 10.213.0.4
#>
Support for LAPS and other attributes
Legacy LAPS and Windows LAPS cleartext passwords can now be extracted from ntds.dit files, together with many additional user and computer attributes, including contact information, organizational structure, and OS versions. For large databases, performance can be improved by selecting which property sets should be fetched and decrypted.
PS C:\> $key = Get-BootKey -SystemHiveFilePath 'C:\IFM Backup\registry\SYSTEM'
PS C:\> Get-ADDBAccount -SamAccountName 'PC01$' `
-BootKey $key `
-Properties All `
-DatabasePath 'C:\IFM Backup\Active Directory\ntds.dit'
<# Sample Output:
DistinguishedName: CN=PC01,CN=Computers,DC=contoso,DC=com
SamAccountName: PC01$
Enabled: True
Deleted: False
Sid: S-1-5-21-2072841070-1873892158-2095746001-1104
Guid: 34017f6d-a264-4681-8738-09780122884f
SamAccountType: Computer
UserAccountControl: WorkstationAccount
DNSHostName: PC01.contoso.com
OperatingSystem: Windows 11 Enterprise
OperatingSystemVersion: 10.0 (26100)
Description: John's computer
ManagedBy: CN=John Doe,OU=Employees,DC=contoso,DC=com
PrimaryGroupId: 515
Location: USA/WA/Seattle
SidHistory:
SupportedEncryptionTypes: RC4_HMAC, AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96
ServicePrincipalName: {HOST/PC01.contoso.com, RestrictedKrbHost/PC01.contoso.com, HOST/PC01, RestrictedKrbHost/PC01...}
LastLogonDate: 1/27/2025 9:22:36 AM
PasswordLastSet: 1/22/2025 9:23:45 PM
SecurityDescriptor: DiscretionaryAclPresent, SystemAclPresent, DiscretionaryAclAutoInherited, SystemAclAutoInherited, SelfRelative
LAPS
Password: A6a3#7%eb!57be, Expires: 1/24/2025 9:12:27 PM
Key Credentials
Usage: NGC, Source: AD, Device: , Created: 11/23/2024 10:58:30 PM
Secrets
NTHash: 0ec8485560274b5352fab8085f83f5cf
LMHash:
NTHashHistory:
Hash 01: 0ec8485560274b5352fab8085f83f5cf
Hash 02: d3981b0fa179f60b3eac48ea0aa06b62
Hash 03: f6ab2345d24e09993c972087d189a365
LMHashHistory:
Hash 01: ecb0097500ffd72b005071e31a237ed5
Hash 02: 1d16a311401fba1f5d95090cb4fcacdb
Hash 03: 1224652b76e22751d79a06a7ce796e56
SupplementalCredentials:
ClearText:
NTLMStrongHash:
Kerberos:
KerberosNew:
Credentials:
AES256_CTS_HMAC_SHA384_192
Key: f97e0809c70a0c88aa5e6bc2d891f44e56ded641425a9bb0e9468f83a89b23d1
Iterations: 4096
...
#>
Export format selection
Instead of using the Format-Custom cmdlet, the desired output format of objects fetched through the replication protocol or decrypted from ntds.dit files can now be selected using the optional -ExportFormat parameter.
PS C:\> Get-ADDBAccount -All -DatabasePath ntds.dit -BootKey $key -ExportFormat PwDump |
Where-Object SamAccountType -eq User |
Where-Object Enabled -eq $true |
Where-Object NTHash -ne $null |
Out-File -FilePath users.pwdump -Encoding ascii
<# Sample file contents:
Administrator:500:727e3576618fa1754a3b108f3fa6cb6d:92937945b518814341de3f726500d4ff:::
john:1110:NO LM-HASH**********************:92937945b518814341de3f726500d4ff:::
sophos:1111:NO LM-HASH**********************:e08e7f5ad3b9274ca98867343ddea7bd:::
martinez:1115:NO LM-HASH**********************:1d4f8d7a1d8e84e476503577b05b22e6:::
jacobs:1117:NO LM-HASH**********************:3abf11b25d9e1874776c6d5b4889b8af:::
wiley:1183:NO LM-HASH**********************:c6064843430f017c6818ac5eee3e6016:::
simmons:1195:NO LM-HASH**********************:71659e8aba59f027d594977f7fe2a570:::
svc_sql_hr_prod:1223:NO LM-HASH**********************:31d6cfe0d16ae931b73c59d7e0c089c0:::
#>
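Because the PwDump export above places every account's NT hash in one file, an offline audit of that file is a natural follow-up during an assessment or recovery review: flagging accounts whose NT hash is that of the empty password, accounts that still store an LM hash, and groups of accounts sharing one NT hash (password reuse). The following Python is an added example, not part of DSInternals; it parses the pwdump layout shown above, using sample lines constructed in that layout and the well-known empty-password hash constants.

```python
import re
from collections import defaultdict

# Well-known constants of the hash algorithms (not secrets).
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty password / LM storage disabled

# pwdump record: user:rid:lmhash:nthash:::  (DSInternals writes "NO LM-HASH****..." when none is stored)
PWDUMP_RE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[^:]*):(?P<nt>[0-9a-fA-F]{32}):")


def parse_pwdump(text):
    """Return a list of dicts with user, rid, lm (None when absent) and nt (lowercase hex)."""
    rows = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything that is not a pwdump record
        lm = m.group("lm").lower()
        if "no lm-hash" in lm or lm == EMPTY_LM_HASH:
            lm = None  # no usable LM hash stored for this account
        rows.append({"user": m.group("user"), "rid": int(m.group("rid")),
                     "lm": lm, "nt": m.group("nt").lower()})
    return rows


def audit_pwdump(text):
    """Flag empty passwords, stored LM hashes and NT hashes shared by several accounts."""
    rows = parse_pwdump(text)
    by_nt = defaultdict(list)
    for r in rows:
        by_nt[r["nt"]].append(r["user"])
    return {
        "empty_password": [r["user"] for r in rows if r["nt"] == EMPTY_NT_HASH],
        "lm_hash_stored": [r["user"] for r in rows if r["lm"] is not None],
        "shared_nt_hash": {h: sorted(u) for h, u in by_nt.items()
                           if len(u) > 1 and h != EMPTY_NT_HASH},
    }


# Constructed sample in the same layout as the users.pwdump file shown above.
SAMPLE_PWDUMP = """\
Administrator:500:727e3576618fa1754a3b108f3fa6cb6d:92937945b518814341de3f726500d4ff:::
john:1110:NO LM-HASH**********************:92937945b518814341de3f726500d4ff:::
sophos:1111:NO LM-HASH**********************:e08e7f5ad3b9274ca98867343ddea7bd:::
svc_sql_hr_prod:1223:NO LM-HASH**********************:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

if __name__ == "__main__":
    for kind, hits in audit_pwdump(SAMPLE_PWDUMP).items():
        print(f"{kind}: {hits}")
```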
See the Changelog for a more detailed list of new features.
PowerShell Module
A standalone module for offline installation and for legacy PowerShell versions is attached. See the Installation Notes before proceeding.
PowerShell Gallery
The PowerShell module is also available on Microsoft's PowerShell Gallery.
Chocolatey
An official Chocolatey package of the DSInternals PowerShell Module is also available. Note that due to a strict approval process, the newest version of the package might appear with some delay.
NuGet Gallery
Official binary packages are available at NuGet Gallery.