PWDump and documentation improvements

Documentation/CHANGELOG.md

@@ -1,15 +1,17 @@
 # Changelog
 All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
-## [3.4] - 2019-04-21
+## [3.4] - 2019-04-23
 
 ### Added
 - The [Test-PasswordQuality](PowerShell/Test-PasswordQuality.md) cmdlet now has a parameter called `-WeakPasswordHashesSortedFile`. This parameter should be used with ordered hash files downloaded from [HaveIBeenPwned](https://haveibeenpwned.com/Passwords) as it has huge performance benefits over the older `-WeakPasswordHashesFile` parameter due to the usage of binary search algorithm.
 - The [Test-PasswordQuality](PowerShell/Test-PasswordQuality.md) cmdlet now has a proper documentation, including usage examples.
 
 ### Fixed
+  - The PWDump export format is now more compatible with some 3rd party tools, e.g. ElcomSoft Distributed Password Recovery, although the ASCII encoding still must be enforced.
   - The speed of processing the `-WeakPasswordHashesFile` and `-WeakPasswordsFile` parameters of the [Test-PasswordQuality](PowerShell/Test-PasswordQuality.md) cmdlet has significantly been increased.
   - Parsing of roamed credentials is now slightly faster.
+  - Documentation improvements!
 
 ## [3.3] - 2019-03-02
 ### Changed

Documentation/PowerShell/ConvertTo-Hex.md

@@ -8,7 +8,7 @@ schema: 2.0.0
 # ConvertTo-Hex
 
 ## SYNOPSIS
-Helper cmdlet that converts binary input to hexadecimal string.
+Helper cmdlet that converts binary input to a hexadecimal string.
 
 ## SYNTAX
 

Documentation/PowerShell/ConvertTo-OrgIdHash.md

@@ -8,7 +8,7 @@ schema: 2.0.0
 # ConvertTo-OrgIdHash
 
 ## SYNOPSIS
-Calculates OrgId hash of a given password. Used by Azure Active Directory Sync.
+Calculates OrgId hash of a given password. Used by Azure Active Directory Connect.
 
 ## SYNTAX
 

Documentation/PowerShell/Get-ADReplAccount.md

@@ -8,7 +8,7 @@ schema: 2.0.0
 # Get-ADReplAccount
 
 ## SYNOPSIS
-Reads one or more accounts through the DRSR protocol, including secret attributes.
+Reads one or more accounts through the MS-DRSR protocol, including secret attributes.
 
 ## SYNTAX
 

Documentation/PowerShell/Get-ADReplBackupKey.md

@@ -8,7 +8,7 @@ schema: 2.0.0
 # Get-ADReplBackupKey
 
 ## SYNOPSIS
-Reads the DPAPI backup keys through the DRSR protocol.
+Reads the DPAPI backup keys through the MS-DRSR protocol.
 
 ## SYNTAX
 

Documentation/PowerShell/Get-ADSIAccount.md

@@ -8,7 +8,7 @@ schema: 2.0.0
 # Get-ADSIAccount
 
 ## SYNOPSIS
-Gets all Active Directory user accounts from a given domain controller using ADSI. 
+Gets all Active Directory user accounts from a given domain controller using ADSI. Typically used for Credential Roaming data retrieval through LDAP.
 
 ## SYNTAX
 

Documentation/PowerShell/Readme.md

@@ -6,97 +6,24 @@ Help Version: 1.0
 Locale: en-US
 ---
 
-# DSInternals Module
+# DSInternals PowerShell Module
+
 ## Description
-The DSInternals PowerShell Module exposes several internal and undocumented features of Active Directory.
+The DSInternals PowerShell Module exposes several internal features of Active Directory. These include offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
 
-## DSInternals Cmdlets
-### [Add-ADDBSidHistory](Add-ADDBSidHistory.md)
-Adds one or more values to the sIDHistory attribute of an object in a ntds.dit file.
-
-### [ConvertFrom-ADManagedPasswordBlob](ConvertFrom-ADManagedPasswordBlob.md)
-Decodes the value of the msDS-ManagedPassword attribute of a Group Managed Service Account.
-
-### [ConvertFrom-GPPrefPassword](ConvertFrom-GPPrefPassword.md)
-Decodes a password from the format used by Group Policy Preferences.
-
-### [ConvertFrom-UnicodePassword](ConvertFrom-UnicodePassword.md)
-Decodes a password from the format used in unattend.xml files.
-
-### [ConvertTo-GPPrefPassword](ConvertTo-GPPrefPassword.md)
-Converts a password to the format used by Group Policy Preferences.
-
-### [ConvertTo-Hex](ConvertTo-Hex.md)
-Helper cmdlet that converts binary input to hexadecimal string.
-
-### [ConvertTo-KerberosKey](ConvertTo-KerberosKey.md)
-Computes Kerberos keys from a given password using Kerberos version 5 Key Derivation Functions.
-
-### [ConvertTo-LMHash](ConvertTo-LMHash.md)
-Calculates LM hash of a given password.
-
-### [ConvertTo-NTHash](ConvertTo-NTHash.md)
-Calculates NT hash of a given password.
-
-### [ConvertTo-OrgIdHash](ConvertTo-OrgIdHash.md)
-Calculates OrgId hash of a given password. Used by Azure Active Directory Sync.
-
-### [ConvertTo-UnicodePassword](ConvertTo-UnicodePassword.md)
-Converts a password to the format used in unattend.xml or *.ldif files.
-
-### [Disable-ADDBAccount](Disable-ADDBAccount.md)
-Disables an Active Directory account in an offline ntds.dit file.
-
-### [Enable-ADDBAccount](Enable-ADDBAccount.md)
-Enables an Active Directory account in an offline ntds.dit file.
+## Cmdlets for Offline Active Directory Operations
 
 ### [Get-ADDBAccount](Get-ADDBAccount.md)
 Reads one or more accounts from a ntds.dit file, including secret attributes.
 
-### [Get-ADDBBackupKey](Get-ADDBBackupKey.md)
-Reads the DPAPI backup keys from a ntds.dit file.
+### [Enable-ADDBAccount](Enable-ADDBAccount.md)
+Enables an Active Directory account in an offline ntds.dit file.
 
-### [Get-ADDBDomainController](Get-ADDBDomainController.md)
-Reads information about the originating DC from a ntds.dit file, including domain name, domain SID, DC name and DC site.
+### [Disable-ADDBAccount](Disable-ADDBAccount.md)
+Disables an Active Directory account in an offline ntds.dit file.
 
-### [Get-ADDBKdsRootKey](Get-ADDBKdsRootKey.md)
-Reads KDS Root Keys from a ntds.dit. file. Can be used to aid DPAPI-NG decryption, e.g. SID-protected PFX files.
-
-### [Get-ADDBSchemaAttribute](Get-ADDBSchemaAttribute.md)
-Reads AD schema from a ntds.dit file, including datatable column names.
-
-### [Get-ADKeyCredential](Get-ADKeyCredential.md)
-Creates an object representing Windows Hello for Business credentials from its binary representation or an X.509 certificate.
-
-### [Get-ADReplAccount](Get-ADReplAccount.md)
-Reads one or more accounts through the DRSR protocol, including secret attributes.
-
-### [Get-ADReplBackupKey](Get-ADReplBackupKey.md)
-Reads the DPAPI backup keys through the DRSR protocol.
-
-### [Get-ADSIAccount](Get-ADSIAccount.md)
-Gets all Active Directory user accounts from a given domain controller using ADSI. 
-
-### [Get-BootKey](Get-BootKey.md)
-Reads the Boot Key (AKA SysKey or System Key) from an online or offline SYSTEM registry hive.
-
-### [Get-LsaBackupKey](Get-LsaBackupKey.md)
-Reads the DPAPI backup keys from a domain controller through the LSARPC protocol.
-
-### [Get-LsaPolicyInformation](Get-LsaPolicyInformation.md)
-Retrieves AD-related information from the Local Security Authority Policy of the local computer or a remote one.
-
-### [Get-SamPasswordPolicy](Get-SamPasswordPolicy.md)
-Queries Active Directory for the default password policy.
-
-### [New-ADDBRestoreFromMediaScript](New-ADDBRestoreFromMediaScript.md)
-Generates a PowerShell script that can be used to restore a domain controller from an IFM-equivalent backup (i.e. ntds.dit + SYSVOL).
-
-### [Remove-ADDBObject](Remove-ADDBObject.md)
-Physically removes specified object from a ntds.dit file, making it semantically inconsistent. Highly experimental!
-
-### [Save-DPAPIBlob](Save-DPAPIBlob.md)
-Saves the output of the Get-ADReplBackupKey and Get-ADDBBackupKey cmdlets to a file.
+### [Add-ADDBSidHistory](Add-ADDBSidHistory.md)
+Adds one or more values to the sIDHistory attribute of an object in a ntds.dit file.
 
 ### [Set-ADDBAccountPassword](Set-ADDBAccountPassword.md)
 Sets the password for a user, computer, or service account stored in a ntds.dit file.
@@ -104,21 +31,130 @@ Sets the password for a user, computer, or service account stored in a ntds.dit
 ### [Set-ADDBAccountPasswordHash](Set-ADDBAccountPasswordHash.md)
 Sets the password hash for a user, computer, or service account stored in a ntds.dit file.
 
-### [Set-ADDBBootKey](Set-ADDBBootKey.md)
-Re-encrypts a ntds.dit with a new BootKey. Highly experimental!
+### [Set-ADDBPrimaryGroup](Set-ADDBPrimaryGroup.md)
+Modifies the primaryGroupId attribute of an object in a ntds.dit file.
+
+### [Get-ADDBBackupKey](Get-ADDBBackupKey.md)
+Reads the DPAPI backup keys from a ntds.dit file.
+
+### [Get-ADDBKdsRootKey](Get-ADDBKdsRootKey.md)
+Reads KDS Root Keys from a ntds.dit. file. Can be used to aid DPAPI-NG decryption, e.g. SID-protected PFX files.
+
+### [Get-ADDBDomainController](Get-ADDBDomainController.md)
+Reads information about the originating DC from a ntds.dit file, including domain name, domain SID, DC name and DC site.
 
 ### [Set-ADDBDomainController](Set-ADDBDomainController.md)
 Writes information about the DC to a ntds.dit file, including the highest commited USN and database epoch.
 
-### [Set-ADDBPrimaryGroup](Set-ADDBPrimaryGroup.md)
-Modifies the primaryGroupId attribute of an object to a ntds.dit file.
+### [Get-ADDBSchemaAttribute](Get-ADDBSchemaAttribute.md)
+Reads AD schema from a ntds.dit file, including datatable column names.
+
+### [Get-BootKey](Get-BootKey.md)
+Reads the Boot Key (AKA SysKey or System Key) from an online or offline SYSTEM registry hive.
+
+### [Set-ADDBBootKey](Set-ADDBBootKey.md)
+Re-encrypts a ntds.dit file with a new BootKey/SysKey. Highly experimental!
+
+### [Remove-ADDBObject](Remove-ADDBObject.md)
+Physically removes specified object from a ntds.dit file, making it semantically inconsistent. Highly experimental!
+
+## Cmdlets for Online Active Directory Operations
+
+### [Get-ADReplAccount](Get-ADReplAccount.md)
+Reads one or more accounts through the MS-DRSR protocol, including secret attributes.
+
+### [Get-ADReplBackupKey](Get-ADReplBackupKey.md)
+Reads the DPAPI backup keys through the MS-DRSR protocol.
+
+### [Get-SamPasswordPolicy](Get-SamPasswordPolicy.md)
+Queries Active Directory for the default password policy.
+
+### [Set-SamAccountPasswordHash](Set-SamAccountPasswordHash.md)
+Sets NT and LM hashes of an Active Directory or local account through the MS-SAMR protocol.
+
+### [Get-ADSIAccount](Get-ADSIAccount.md)
+Gets all Active Directory user accounts from a given domain controller using ADSI. Typically used for Credential Roaming data retrieval through LDAP.
+
+### [Get-LsaBackupKey](Get-LsaBackupKey.md)
+Reads the DPAPI backup keys from a domain controller through the LSARPC protocol.
+
+### [Get-LsaPolicyInformation](Get-LsaPolicyInformation.md)
+Retrieves AD-related information from the Local Security Authority Policy of the local computer or a remote one.
 
 ### [Set-LsaPolicyInformation](Set-LsaPolicyInformation.md)
 Configures AD-related Local Security Authority Policies of the local computer or a remote one.
 
-### [Set-SamAccountPasswordHash](Set-SamAccountPasswordHash.md)
-Sets NT and LM hashes of an account through the SAMR protocol.
+## Password Hash Export Formats
+
+The output of the [Get-ADDBAccount](Get-ADDBAccount.md) and [Get-ADReplAccount](Get-ADReplAccount.md) cmdlets can be formatted using the following custom [Views](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/format-custom) to support different password cracking tools. ASCII file encoding is strongly recommended.
+
+### Hashcat
+
+- **HashcatNT** – NT hashes in Hashcat's format.
+- **HashcatLM** – LM hashes in Hashcat's format.
+- **HashcatNTHistory** – NT hashes, including historical ones, in Hashcat's format.
+
+### John the Ripper
+
+- **JohnNT** – NT hashes in the format supported by John the Ripper.
+- **JohnLM** – LM hashes in the format supported by John the Ripper.
+- **JohnNTHistory** – NT hashes, including historical ones, in the format supported by John the Ripper.
+
+### Ophcrack
+
+- **Ophcrack** – NT and LM hashes in Ophcrack's format.
+
+### Other Formats
+
+- **PWDump** - NT and LM hashes in the pwdump format that is supported various password cracking tools, e.g. *ElcomSoft Distributed Password Recovery*, *rcracki-mt* or *John the Ripper*.
+- **NTHash** - NT hashes only, without account names.
+- **LMHash** - LM hashes only, without account names.
+- **NTHashHistory** - NT hashes, including historical ones, without account names.
+
+## Cmdlets for Password Hash Calculation
+
+### [ConvertTo-KerberosKey](ConvertTo-KerberosKey.md)
+Computes Kerberos keys from a given password using Kerberos version 5 Key Derivation Functions.
+
+### [ConvertTo-NTHash](ConvertTo-NTHash.md)
+Calculates NT hash of a given password.
+
+### [ConvertTo-LMHash](ConvertTo-LMHash.md)
+Calculates LM hash of a given password.
+
+### [ConvertTo-OrgIdHash](ConvertTo-OrgIdHash.md)
+Calculates OrgId hash of a given password. Used by Azure Active Directory Connect.
+
+## Cmdlets for Credential Decryption
+
+### [Save-DPAPIBlob](Save-DPAPIBlob.md)
+Saves DPAPI and Credential Roaming data returned by the [Get-ADReplBackupKey](Get-ADReplBackupKey.md), [Get-ADDBBackupKey](Get-ADDBBackupKey.md), [Get-ADReplAccount](Get-ADReplAccount.md), [Get-ADDBAccount](Get-ADDBAccount.md) and [Get-ADSIAccount](Get-ADSIAccount.md) cmdlets to files for further processing.
+
+### [ConvertFrom-ADManagedPasswordBlob](ConvertFrom-ADManagedPasswordBlob.md)
+Decodes the value of the msDS-ManagedPassword attribute of a Group Managed Service Account.
+
+### [Get-ADKeyCredential](Get-ADKeyCredential.md)
+Creates an object representing Windows Hello for Business credentials from its binary representation or an X.509 certificate.
+
+### [ConvertFrom-GPPrefPassword](ConvertFrom-GPPrefPassword.md)
+Decodes a password from the format used by Group Policy Preferences.
+
+### [ConvertTo-GPPrefPassword](ConvertTo-GPPrefPassword.md)
+Converts a password to the format used by Group Policy Preferences.
+
+### [ConvertFrom-UnicodePassword](ConvertFrom-UnicodePassword.md)
+Decodes a password from the format used in unattend.xml files.
+
+### [ConvertTo-UnicodePassword](ConvertTo-UnicodePassword.md)
+Converts a password to the format used in unattend.xml or *.ldif files.
+
+## Miscellaneous Cmdlets
+
+### [New-ADDBRestoreFromMediaScript](New-ADDBRestoreFromMediaScript.md)
+Generates a PowerShell script that can be used to restore a domain controller from an IFM-equivalent backup (i.e. ntds.dit + SYSVOL).
 
 ### [Test-PasswordQuality](Test-PasswordQuality.md)
-Performs AD audit, including checks for weak, duplicate, default and empty passwords.
+Performs AD audit, including checks for weak, duplicate, default and empty passwords. Accepts input from the [Get-ADReplAccount](Get-ADReplAccount.md) and [Get-ADDBAccount](Get-ADDBAccount.md) cmdlets.
 
+### [ConvertTo-Hex](ConvertTo-Hex.md)
+Helper cmdlet that converts binary input to a hexadecimal string.

Documentation/PowerShell/Save-DPAPIBlob.md

@@ -8,7 +8,7 @@ schema: 2.0.0
 # Save-DPAPIBlob
 
 ## SYNOPSIS
-Saves the output of the Get-ADReplBackupKey and Get-ADDBBackupKey cmdlets to a file.
+Saves DPAPI and Credential Roaming data returned by the [Get-ADReplBackupKey](Get-ADReplBackupKey.md), [Get-ADDBBackupKey](Get-ADDBBackupKey.md), [Get-ADReplAccount](Get-ADReplAccount.md), [Get-ADDBAccount](Get-ADDBAccount.md) and [Get-ADSIAccount](Get-ADSIAccount.md) cmdlets to files for further processing.
 
 ## SYNTAX
 

Documentation/PowerShell/Set-ADDBBootKey.md

@@ -8,7 +8,7 @@ schema: 2.0.0
 # Set-ADDBBootKey
 
 ## SYNOPSIS
-Re-encrypts a ntds.dit with a new BootKey. Highly experimental!
+Re-encrypts a ntds.dit with a new BootKey/SysKey. Highly experimental!
 
 ## SYNTAX
 

Documentation/PowerShell/Set-ADDBPrimaryGroup.md

@@ -8,7 +8,7 @@ schema: 2.0.0
 # Set-ADDBPrimaryGroup
 
 ## SYNOPSIS
-Modifies the primaryGroupId attribute of an object to a ntds.dit file.
+Modifies the primaryGroupId attribute of an object in a ntds.dit file.
 
 ## SYNTAX
 

Documentation/PowerShell/Set-SamAccountPasswordHash.md

@@ -8,7 +8,7 @@ schema: 2.0.0
 # Set-SamAccountPasswordHash
 
 ## SYNOPSIS
-Sets NT and LM hashes of an account through the SAMR protocol.
+Sets NT and LM hashes of an Active Directory or local account through the MS-SAMR protocol.
 
 ## SYNTAX
 

Documentation/PowerShell/Test-PasswordQuality.md

@@ -8,7 +8,7 @@ schema: 2.0.0
 # Test-PasswordQuality
 
 ## SYNOPSIS
-Performs AD audit, including checks for weak, duplicate, default and empty passwords.
+Performs AD audit, including checks for weak, duplicate, default and empty passwords. Accepts input from the Get-ADReplAccount and Get-ADDBAccount cmdlets.
 
 ## SYNTAX
 

Scripts/Update-PSHelp.ps1

@@ -26,7 +26,7 @@ New-MarkdownAboutHelp -AboutName DSInternals -OutputFolder $mdHelpPath
 #>
 
 # Update MD files
-Update-MarkdownHelpModule -Path $mdHelpPath -ModulePagePath $modulePagePath -RefreshModulePage -AlphabeticParamsOrder -UpdateInputOutput
+Update-MarkdownHelpModule -Path $mdHelpPath -ModulePagePath $modulePagePath -RefreshModulePage:$false -AlphabeticParamsOrder -UpdateInputOutput
 
 # Generate the MAML file
 New-ExternalHelp -Path $mdHelpPath -OutputPath $xmlHelpPath -Force -ShowProgress

Src/DSInternals.PowerShell/DSInternals.psd1

@@ -123,6 +123,7 @@ PrivateData = @{
         # ReleaseNotes of this module
         ReleaseNotes = @"
 - The performance of the Test-PasswordQuality cmdlet had significantly been increased, expecially when used with HaveIBeenPwned.
+- The PWDump export format is now more compatible with some 3rd party tools, e.g. ElcomSoft Distributed Password Recovery.
 "@
     } # End of PSData hashtable
 

Src/DSInternals.PowerShell/Views/DSInternals.DSAccount.ExportViews.format.ps1xml

@@ -296,11 +296,17 @@
                 <PropertyName>LMHash</PropertyName>
                 <CustomControlName>Hash</CustomControlName>
               </ExpressionBinding>
+              <ExpressionBinding>
+                <ScriptBlock>if($PSItem.LMHash -eq $null) { 'NO PASSWORD*********************' }</ScriptBlock>
+              </ExpressionBinding>
               <Text>:</Text>
               <ExpressionBinding>
                 <PropertyName>NTHash</PropertyName>
                 <CustomControlName>Hash</CustomControlName>
               </ExpressionBinding>
+              <ExpressionBinding>
+                <ScriptBlock>if($PSItem.NTHash -eq $null) { 'NO PASSWORD*********************' }</ScriptBlock>
+              </ExpressionBinding>
               <Text>:::</Text>
             </CustomItem>
           </CustomEntry>
@@ -308,4 +314,4 @@
       </CustomControl>
     </View>
   </ViewDefinitions>
-</Configuration>
+</Configuration>

Src/DSInternals.PowerShell/en-US/DSInternals.PowerShell.dll-Help.xml

@@ -767,7 +767,7 @@
       <command:verb>ConvertTo</command:verb>
       <command:noun>Hex</command:noun>
       <maml:description>
-        <maml:para>Helper cmdlet that converts binary input to hexadecimal string.</maml:para>
+        <maml:para>Helper cmdlet that converts binary input to a hexadecimal string.</maml:para>
       </maml:description>
     </command:details>
     <maml:description>
@@ -1198,7 +1198,7 @@
       <command:verb>ConvertTo</command:verb>
       <command:noun>OrgIdHash</command:noun>
       <maml:description>
-        <maml:para>Calculates OrgId hash of a given password. Used by Azure Active Directory Sync.</maml:para>
+        <maml:para>Calculates OrgId hash of a given password. Used by Azure Active Directory Connect.</maml:para>
       </maml:description>
     </command:details>
     <maml:description>
@@ -3279,7 +3279,7 @@
       <command:verb>Get</command:verb>
       <command:noun>ADReplAccount</command:noun>
       <maml:description>
-        <maml:para>Reads one or more accounts through the DRSR protocol, including secret attributes.</maml:para>
+        <maml:para>Reads one or more accounts through the MS-DRSR protocol, including secret attributes.</maml:para>
       </maml:description>
     </command:details>
     <maml:description>
@@ -3791,7 +3791,7 @@
       <command:verb>Get</command:verb>
       <command:noun>ADReplBackupKey</command:noun>
       <maml:description>
-        <maml:para>Reads the DPAPI backup keys through the DRSR protocol.</maml:para>
+        <maml:para>Reads the DPAPI backup keys through the MS-DRSR protocol.</maml:para>
       </maml:description>
     </command:details>
     <maml:description>
@@ -3964,7 +3964,7 @@
       <command:verb>Get</command:verb>
       <command:noun>ADSIAccount</command:noun>
       <maml:description>
-        <maml:para>Gets all Active Directory user accounts from a given domain controller using ADSI.</maml:para>
+        <maml:para>Gets all Active Directory user accounts from a given domain controller using ADSI. Typically used for Credential Roaming data retrieval through LDAP.</maml:para>
       </maml:description>
     </command:details>
     <maml:description>
@@ -5238,7 +5238,7 @@ $initTask.RunAsTask()</dev:code>
       <command:verb>Save</command:verb>
       <command:noun>DPAPIBlob</command:noun>
       <maml:description>
-        <maml:para>Saves the output of the Get-ADReplBackupKey and Get-ADDBBackupKey cmdlets to a file.</maml:para>
+        <maml:para>Saves DPAPI and Credential Roaming data returned by the Get-ADReplBackupKey (Get-ADReplBackupKey.md), [Get-ADDBBackupKey](Get-ADDBBackupKey.md), [Get-ADReplAccount](Get-ADReplAccount.md), [Get-ADDBAccount](Get-ADDBAccount.md) and [Get-ADSIAccount](Get-ADSIAccount.md)cmdlets to files for further processing.</maml:para>
       </maml:description>
     </command:details>
     <maml:description>
@@ -6475,7 +6475,7 @@ $initTask.RunAsTask()</dev:code>
       <command:verb>Set</command:verb>
       <command:noun>ADDBBootKey</command:noun>
       <maml:description>
-        <maml:para>Re-encrypts a ntds.dit with a new BootKey. Highly experimental!</maml:para>
+        <maml:para>Re-encrypts a ntds.dit with a new BootKey/SysKey. Highly experimental!</maml:para>
       </maml:description>
     </command:details>
     <maml:description>
@@ -6910,7 +6910,7 @@ $initTask.RunAsTask()</dev:code>
       <command:verb>Set</command:verb>
       <command:noun>ADDBPrimaryGroup</command:noun>
       <maml:description>
-        <maml:para>Modifies the primaryGroupId attribute of an object to a ntds.dit file.</maml:para>
+        <maml:para>Modifies the primaryGroupId attribute of an object in a ntds.dit file.</maml:para>
       </maml:description>
     </command:details>
     <maml:description>
@@ -7541,7 +7541,7 @@ $initTask.RunAsTask()</dev:code>
       <command:verb>Set</command:verb>
       <command:noun>SamAccountPasswordHash</command:noun>
       <maml:description>
-        <maml:para>Sets NT and LM hashes of an account through the SAMR protocol.</maml:para>
+        <maml:para>Sets NT and LM hashes of an Active Directory or local account through the MS-SAMR protocol.</maml:para>
       </maml:description>
     </command:details>
     <maml:description>
@@ -7836,7 +7836,7 @@ $initTask.RunAsTask()</dev:code>
       <command:verb>Test</command:verb>
       <command:noun>PasswordQuality</command:noun>
       <maml:description>
-        <maml:para>Performs AD audit, including checks for weak, duplicate, default and empty passwords.</maml:para>
+        <maml:para>Performs AD audit, including checks for weak, duplicate, default and empty passwords. Accepts input from the Get-ADReplAccount and Get-ADDBAccount cmdlets.</maml:para>
       </maml:description>
     </command:details>
     <maml:description>

Src/DSInternals.sln

@@ -85,7 +85,6 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "PowerShell", "PowerShell",
 		..\Documentation\PowerShell\ConvertTo-OrgIdHash.md = ..\Documentation\PowerShell\ConvertTo-OrgIdHash.md
 		..\Documentation\PowerShell\ConvertTo-UnicodePassword.md = ..\Documentation\PowerShell\ConvertTo-UnicodePassword.md
 		..\Documentation\PowerShell\Disable-ADDBAccount.md = ..\Documentation\PowerShell\Disable-ADDBAccount.md
-		..\Documentation\PowerShell\DSInternals.md = ..\Documentation\PowerShell\DSInternals.md
 		..\Documentation\PowerShell\Enable-ADDBAccount.md = ..\Documentation\PowerShell\Enable-ADDBAccount.md
 		..\Documentation\PowerShell\Get-ADDBAccount.md = ..\Documentation\PowerShell\Get-ADDBAccount.md
 		..\Documentation\PowerShell\Get-ADDBBackupKey.md = ..\Documentation\PowerShell\Get-ADDBBackupKey.md