github MichaelGrafnetter/DSInternals v5.4.1
DSInternals PowerShell Module 5.4.3

Notable Changes

Encrypted Windows LAPS Password Recovery

The Get-ADDBAccount cmdlet can now decrypt all Windows LAPS passwords in offline mode using KDS Root Keys, including those stored in the msLAPS-EncryptedPassword, msLAPS-EncryptedPasswordHistory, msLAPS-EncryptedDSRMPassword, and msLAPS-EncryptedDSRMPasswordHistory attributes. This makes LAPS password retrieval possible even in Active Directory disaster recovery scenarios.

Example:

Get-ADDBAccount -DatabasePath 'C:\ADBackup\ntds.dit' -All -Properties LAPS |
    Select-Object -ExpandProperty LapsPasswords

Sample output:

ComputerName Account       Password                 Expires   Source
------------ -------       --------                 -------   -----
DC01         Administrator PluralTrimmingSuggest    2/3/2025  EncryptedDSRMPassword
DC02         Administrator RoundupFructoseRoundworm 2/3/2025  EncryptedDSRMPassword
ADFS01       WLapsAdmin    HerbsSkidUnproven        2/3/2025  EncryptedPassword
PC01         Administrator A6a3#7%eb!57be4a4B95Z433 1/24/2025 CleartextPassword

Note that a similar feature is available from Microsoft in Windows Insider build 27695 and later. This feature also requires RSAT to be installed and currently has some compatibility issues with VM Generation ID.

Offline Golden dMSA

The Get-ADDBServiceAccount cmdlet now retrieves both msDS-GroupManagedServiceAccount (gMSA) and msDS-DelegatedManagedServiceAccount (dMSA) object types from ntds.dit files and calculates their current managed passwords using KDS Root Keys.

Example:

Get-ADDBServiceAccount -DatabasePath 'C:\ADBackup\ntds.dit'

Sample output:

DistinguishedName: CN=svc_adfs,CN=Managed Service Accounts,DC=contoso,DC=com
Sid: S-1-5-21-2468531440-3719951020-3687476655-1109
Guid: 53c845f7-d9cd-471b-a364-e733641dcc86
SamAccountName: svc_adfs$
Description: ADFS Service Account
Enabled: True
Deleted: False
UserAccountControl: WorkstationAccount
SupportedEncryptionTypes: RC4_HMAC, AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96
ServicePrincipalName: {http/login.contoso.com, host/login.contoso.com}
WhenCreated: 9/9/2023 5:02:05 PM
PasswordLastSet: 9/9/2023 5:02:06 PM
ManagedPasswordInterval: 30
ManagedPasswordId: RootKey=7dc95c96-fa85-183a-dff5-f70696bf0b11, Cycle=9/9/2023 10:00:00 AM (L0=361, L1=26, L2=24)
ManagedPasswordPreviousId:
KDS Derived Secrets
  EffectivePasswordId: RootKey=7dc95c96-fa85-183a-dff5-f70696bf0b11, Cycle=6/25/2025 8:00:00 PM (L0=363, L1=11, L2=29)
  NTHash: 0b5fbfb646dd7bce4f160ad69edb86ba
  Kerberos Keys
    AES256_CTS_HMAC_SHA1_96
      Key: 5dcc418cd0a30453b267e6e5b158be4b4d80d23fd72a6ae4d5bd07f023517117
      Iterations: 4096
    AES128_CTS_HMAC_SHA1_96
      Key: 8e1e66438a15d764ae2242eefd15e09a
      Iterations: 4096

See the Changelog for a more detailed list of new features.

PowerShell Module

A standalone module for offline installation and for legacy PowerShell versions is attached. See the Installation Notes before proceeding.

PowerShell Gallery

The PowerShell module is also available on Microsoft's PowerShell Gallery.

Known Issues

The PowerShell module was originally released under version 5.4.1, but had to be re-packaged as 5.4.3, due to a broken signature of Microsoft's NuGet packages. The release of DSInternals Chocolatey and NuGet packages has been postponed until this issue gets resolved.
