List Archives

This forum is an archive of all posts to our mailing list over the past few years. The forum is read-only, so to contribute you will need to join our list community.

When subscribed to the list you should use your standard email client to send your posts to ActiveDir@mail.activedir.org.

Subject: SV: [ActiveDir] Powershell and AD password hashes
Christoffer Andersson
12/17/2009 12:57 AM  
Password hashes can be accessed from memory (in LSASS). Password hashes stored in the directory are secured at the database layer using a PEK (Password Encryption Key); all DCs have different PEKs (stored in a non-replicated attribute) generated using the SYSKEY of the DC. There are no public APIs to either encrypt/decrypt the PEK or the password hashes stored in the database.

Regards
Christoffer Andersson
TrueSec - Executive Consultant
Microsoft MVP - Directory Services

------------------------------------------------
http://www.chrisse.se - Active Directory Site
http://blogs.chrisse.se - Blog



________________________________
From: activedir-owner@mail.activedir.org [activedir-owner@mail.activedir.org] on behalf of Sabharanjak, Ravi [Ravi.Sabharanjak@blackrock.com]
Sent: 16 December 2009 22:41
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Powershell and AD password hashes

I thought this was not possible, and the directory did not allow access to even the hashed password for security. Is that not true?

________________________________
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Brandon Shell
Sent: Wednesday, December 16, 2009 1:21 PM
To: activedir@mail.activedir.org
Subject: Re: [ActiveDir] Powershell and AD password hashes

There is nothing built-in, but it is a programming language with access to .NET (which also includes native APIs).

I suspect it would be possible but why?

On Wed, Dec 16, 2009 at 3:59 PM, Al Lilianstrom <lilstrom@fnal.gov> wrote:
Had a meeting with Microsoft today and the presenter stated that there is a way using PowerShell to extract the password hash for a user (all users) from one AD and copy them to another AD for the same user(s). I'm new to PS but in doing some research I can't seem to find a function for this. Any advice would be great.

thanks, al

--
Al Lilianstrom
CD/LSC/CSI/ADS
lilstrom@fnal.gov






Copyright 2009 ActiveDir.org