DSInternals/Documentation/CHANGELOG.md
2024-04-13 20:16:14 +02:00

Changelog

All notable changes to this project will be documented in this file. The format is based on Keep a Changelog.

4.14 - 2024-04-13

Fixed

  • Increased tolerance for malformed DPAPI CNG private keys.
  • Improved parsing of conflicting secret object names, e.g., CN=BCKUPKEY_PREFERRED Secret\0ACNF:26c8edbb-6b48-4f11-9e13-9ddbccedab5a,CN=System,DC=contoso,DC=com (the \0A is the escaped line feed that AD inserts into the names of replication-conflict objects).

4.13 - 2023-12-20

Fixed

  • The Set-LsaPolicyInformation cmdlet now generates the UNICODE_STRING structure with the trailing null character, to improve compatibility with NETLOGON. This issue mainly affects the functionality of the New-ADDBRestoreFromMediaScript cmdlet. Thanks Christoffer Andersson for reporting this issue and sorry Microsoft support escalation engineers for the trouble this bug has caused.

4.12 - 2023-10-06

Added

Fixed

4.11 - 2023-10-01

Added

Fixed

4.10 - 2023-09-16

Added

Fixed

  • Fixed a rare security descriptor parsing issue.
  • Parallel reading of multiple databases is now supported.

4.9 - 2023-02-25

Changed

Fixed

  • The Get-BootKey cmdlet should now be able to read inconsistent/corrupted SYSTEM registry hives (issue #47).

4.8 - 2022-12-06

Changed

  • Upgraded to the latest JSON.NET library to fix some security issues.
  • Upgraded to the latest CBOR library to fix some security issues.
  • Added pipeline input support to the -SamAccountName parameter of the Get-ADReplAccount cmdlet.
  • All PowerShell cmdlets that modify the ntds.dit file now have the -Force parameter.

Fixed

  • Fixed a regression in ntds.dit file modification on Windows Server 2022 that was introduced in release 4.7.

4.7 - 2021-10-30

Added

Changed

  • DSInternals.Replication.Interop now targets the latest Windows 10 SDK instead of a specific version.

Fixed

  • Computer accounts are now skipped when searching for duplicate passwords.
  • Improved exception handling when opening read-only database files.

4.6 - 2021-10-19

Added

  • Windows Server 2022 ntds.dit file modification is now supported.

Changed

  • Updated ManagedEsent to 1.9.4.1 and extracted customizations to partial classes.

Fixed

  • ESE parameter set now better mimics the one used in AD.

4.5 - 2021-10-14

Fixed

  • Added support for ntds.dit files with conflicting defunct attributes.
  • Fixed the detection of default computer passwords.
  • Improved parsing of roaming CNG private keys.

Changed

  • Updated the target .NET Framework to 4.7.2.

4.4.1 - 2020-07-18

Fixed

  • The vcruntime140_1.dll file is now part of the binary distribution. Its absence sometimes prevented the DSInternals.Replication.Interop.dll file from being loaded.

4.4 - 2020-07-03

Added

  • The new Set-AzureADUserEx cmdlet can be used to revoke FIDO2 and NGC keys in Azure Active Directory.

4.3 - 2020-04-02

Added

  • New logo and package icons!
  • The new Get-AzureADUserEx cmdlet can be used to retrieve FIDO and NGC keys from Azure Active Directory, as the first tool on the market.
  • Both the lastLogon and lastLogonTimestamp user account attributes are now exposed. The LastLogonDate PowerShell property returns whichever of the two is available.
  • The -Server parameter of the Get-ADSIAccount cmdlet now has the standard -ComputerName alias.

Changed

4.2 - 2020-03-18

Added

Changed

  • Updated license information in NuGet packages to resolve Warning NU5125.

Fixed

  • Resolved a bug in the Get-ADDBBackupKey cmdlet that prevented it from working on global catalogs in multi-domain forests.
  • Resolved a bug in DPAPI credential display.

4.1 - 2019-12-12

Added

  • The Test-PasswordQuality cmdlet now contains a check for accounts that require smart card authentication and have a password at the same time.

Fixed

4.0 - 2019-12-04

Added

  • Added support for auditing (Azure) Active Directory NGC keys against the ROCA vulnerability.
  • Added the Add-ADReplNgcKey cmdlet for NGC key injection through the MS-DRSR protocol.
  • Added the Moduli custom PowerShell view to enable export of public keys stored in the msDS-KeyCredentialLink attribute.
  • Added the FIDO custom PowerShell view to provide visibility into FIDO2 keys registered in the msDS-KeyCredentialLink attribute.
  • Implemented FIDO2 token information parsing in the KeyCredential class. Tested with YubiKey, Feitian, eWBM and SoloKeys. Big thanks to @aseigler for major code contribution!
  • Implemented public key retrieval capability in the KeyCredential class.
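
The ROCA audit mentioned above checks a public RSA modulus for the residue structure left by the flawed Infineon key generator. The following is an added example, not DSInternals code: it implements the published fingerprint test (the same small-prime check used by the open-source roca-detect tool) and builds a constructed modulus with the ROCA residue structure so the detector can be exercised offline. The prime list, the helper names and the sample values are this example's own; only the public modulus is needed, which is what an NGC key stored in msDS-KeyCredentialLink exposes.

```python
"""ROCA (CVE-2017-15361) fingerprint check for RSA public moduli.

Added example, not DSInternals code. Keys from the affected generator have
primes of the form k*M + (65537^a mod M), M a primorial, so for every small
prime r dividing M the residue N mod r is a power of 65537 modulo r.
Checking that property is the published fingerprint.
"""

# Small primes used by the public roca-detect fingerprint (3..167).
ROCA_PRIMES = [
    3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67,
    71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139,
    149, 151, 157, 163, 167,
]


def _order_mod(g, r):
    """Multiplicative order of g modulo the prime r (r is tiny, brute force)."""
    x, k = g % r, 1
    while x != 1:
        x = (x * g) % r
        k += 1
    return k


def roca_failed_primes(n):
    """Primes r for which n mod r is NOT in the subgroup generated by 65537.

    Z_r* is cyclic, so x lies in the unique subgroup of order ord(65537)
    exactly when x^ord(65537) == 1 (mod r).
    """
    return [r for r in ROCA_PRIMES if pow(n, _order_mod(65537, r), r) != 1]


def is_roca_fingerprinted(n):
    """True when every residue matches, i.e. the key is very likely ROCA-affected."""
    return not roca_failed_primes(n)


def modulus_from_bytes(raw):
    """Big-endian modulus bytes, as found in key blobs, -> int."""
    return int.from_bytes(raw, "big")


def constructed_roca_like_modulus(a, b, k1, k2):
    """Build an N with the ROCA residue structure, for testing the detector.

    Constructed data: p and q are not checked for primality and the result
    is not a usable RSA key; it only reproduces the residues the fingerprint
    looks at (M here is the primorial of the primes up to 167, the one the
    paper gives for 512-960-bit keys).
    """
    m = 2
    for r in ROCA_PRIMES:
        m *= r
    p = pow(65537, a, m) + k1 * m
    q = pow(65537, b, m) + k2 * m
    return p * q


if __name__ == "__main__":
    good = constructed_roca_like_modulus(12345, 678, 10**150, 3 * 10**150)
    print("constructed ROCA-like modulus flagged:", is_roca_fingerprinted(good))
    print("2^1000+1 fails at primes:", roca_failed_primes(2**1000 + 1)[:5])
```

A modulus from a sound generator matches all 38 residues only with negligible probability (the paper puts the false-positive rate around 2^-154 for this prime set), so a positive result is a strong signal; the test says nothing about keys generated elsewhere, and a negative result does not prove the key is otherwise sound.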

Changed

  • .NET Framework 4.7 is now required because of ECC support.
  • The Get-ADReplAccount cmdlet can now search accounts by the userPrincipalName attribute.
  • NGC keys generated by the Get-ADKeyCredential cmdlet are now accepted in validated writes.

Fixed

  • Eliminated a memory leak in DRS_MSG_GETCHGREQ_V8 deallocation.
  • Fixed the output type of the Set-ADDBBootKey cmdlet.

3.6.1 - 2019-08-10

Fixed

  • Resolved issue #91 (The boot key provided cannot be used to decrypt the database), which appeared during decryption of ntds.dit files originating from Windows Server 2016+ DCs that were promoted using IFM.

3.6 - 2019-06-28

Changed

Fixed

  • Resolved issue #88 (Test-PasswordQuality errors out with "Offset and length must refer to a position in the string").

3.5.1 - 2019-05-23

This is a Chocolatey-only release.

Fixed

  • Temporarily removed the package dependency on PowerShell 3, which caused some issues. Will be resolved in a future release.

3.5 - 2019-05-10

Added

Changed

Fixed

3.4 - 2019-04-23

Added

  • The Test-PasswordQuality cmdlet now has a parameter called -WeakPasswordHashesSortedFile. This parameter should be used with hash files from Have I Been Pwned that are ordered by hash, as it uses a binary search and therefore has huge performance benefits over the older -WeakPasswordHashesFile parameter.
  • The Test-PasswordQuality cmdlet now has proper documentation, including usage examples.

Fixed

  • The PWDump export format is now more compatible with some 3rd party tools, e.g. ElcomSoft Distributed Password Recovery, although ASCII encoding must still be enforced.
  • The processing speed of the -WeakPasswordHashesFile and -WeakPasswordsFile parameters of the Test-PasswordQuality cmdlet has been significantly increased.
  • Parsing of roamed credentials is now slightly faster.
  • Documentation improvements!
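
The reason the hash-ordered file is so much faster than the unordered one (the 3.4 entries above) is that a list sorted by hash can be searched by seeking into the file rather than reading it line by line. The following is an added example, not DSInternals code: a byte-offset binary search over a HASH:COUNT file in the Have I Been Pwned NTLM layout. The sample file, its counts and the helper names are constructed for the example; the real download has the same line format and is already sorted, so the sort step here only applies to the constructed rows.

```python
"""Binary search over a hash-ordered NTLM list (HIBP 'ordered by hash' layout).

Added example, not DSInternals code. The data file is constructed here; the
real HIBP NTLM download uses the same HASH:COUNT line format, sorted by hash.
"""
import os
import tempfile

# Constructed sample rows (NT hash -> prevalence). Counts are made up.
SAMPLE_ROWS = {
    "31D6CFE0D16AE931B73C59D7E0C089C0": 1_000,        # NT hash of the empty password
    "8846F7EAEE8FB117AD06BDD830B7586C": 3_861_493,    # "password"
    "32ED87BDB5FDC5E9CBA88547376818D4": 23_000_000,   # "123456"
    "64F12CDDAA88057E06A81B54E73B949B": 2_400_000,    # "Password1"
    "E19CCF75EE54E06B06A5907AF13CEF42": 1_100_000,    # "P@ssw0rd"
}


def write_sorted_list(path):
    """Write SAMPLE_ROWS sorted by hash with CRLF endings, as HIBP ships it."""
    with open(path, "wb") as f:
        for h in sorted(SAMPLE_ROWS):
            f.write(f"{h}:{SAMPLE_ROWS[h]}\r\n".encode("ascii"))


def _line_at_or_after(f, pos):
    """Return (start_offset, line) of the first full line starting at or after pos."""
    if pos > 0:
        f.seek(pos - 1)
        f.readline()  # if pos is a line start this consumes only the '\n' before it
    else:
        f.seek(0)
    start = f.tell()
    return start, f.readline()


def lookup_nt_hash(path, nt_hash):
    """Binary-search the sorted file by byte offset; return the count or None.

    Invariant: the line holding the target (if any) starts in [lo, hi).
    O(log n) seeks instead of one full pass per lookup.
    """
    target = nt_hash.upper().encode("ascii")
    with open(path, "rb") as f:
        lo, hi = 0, os.path.getsize(path)
        while lo < hi:
            mid = (lo + hi) // 2
            start, line = _line_at_or_after(f, mid)
            if not line:                # mid fell inside the last line
                hi = mid
                continue
            h, _, count = line.partition(b":")
            h = h.strip().upper()
            if h < target:
                lo = start + len(line)  # this line and everything before it are smaller
            elif h > target:
                hi = mid                # the line containing mid may still be the target
            else:
                return int(count.strip())
    return None


def demo():
    """Write the constructed list to a temp file and look up a few hashes."""
    path = os.path.join(tempfile.mkdtemp(), "ntlm-sorted.txt")
    write_sorted_list(path)
    queries = {
        "password": "8846F7EAEE8FB117AD06BDD830B7586C",
        "empty": "31d6cfe0d16ae931b73c59d7e0c089c0",      # lower case on purpose
        "not-in-list": "00112233445566778899AABBCCDDEEFF",
        "below-all": "00000000000000000000000000000000",
        "above-all": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
    }
    return {name: lookup_nt_hash(path, h) for name, h in queries.items()}


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count}")
```

The seek-then-skip-a-partial-line trick is what makes this work on variable-length lines; seeking to `pos - 1` rather than `pos` is deliberate, otherwise a probe landing exactly on a line start would skip that line and the search could miss it. An unsorted file cannot be searched this way, which is why the older parameter has to read the whole list.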

3.3 - 2019-03-02

Changed

  • Implemented a slightly more secure handling of GMSA passwords.
  • The .NET Framework 4.5.1 requirement is now enforced.

Fixed

  • Scripts generated by the New-ADDBRestoreFromMediaScript cmdlet will also fix SYSVOL references in the DFS-R subscription object if it is restored to a different path.
  • A more explanatory exception is now thrown when opening databases that originate from different OS versions.
  • A more explanatory exception is now thrown when the Universal C Runtime is missing from Windows.
  • A more explanatory exception is now thrown when the assemblies are blocked.
  • PEK list decryption exceptions now contain troubleshooting data.
  • Minor improvement in C++ build speed.

3.2.1 - 2019-01-04

Fixed

  • The implementation of database re-encryption now more closely matches the behavior of Windows Server 2016.

3.2 - 2019-01-03

Added

  • [Module] Added the Get-LsaBackupKey cmdlet for DPAPI domain backup key retrieval through LSARPC.
  • [Framework] Added support for DPAPI domain backup key retrieval from LSA Policy.

Changed

  • [Module] The Set-ADDBBootKey cmdlet now works with Windows Server 2000-2019 databases.
  • [Module] The New-ADDBRestoreFromMediaScript cmdlet now uses shutdown.exe instead of Restart-Computer.
  • [Framework] Updated package references.

Fixed

  • [Framework] Fixed DSInternals.Replication.Interop assembly versioning.

3.1 - 2018-12-29

Added

Changed

  • [Framework] Implemented distinguished name (DN) caching in the database access layer.

Fixed

  • [Module] The path to the DSInternals.psd1 file no longer needs to be specified when loading the module from a non-default location.

3.0 - 2018-09-29

Added

Fixed

  • [Framework] Minor bug fixes.

Removed

  • [Module] Removed the ConvertTo-NTHashDictionary cmdlet as its functionality had been integrated into the Test-PasswordQuality cmdlet.
  • [Module] Removed the -ShowPlainTextPasswords parameter of the Test-PasswordQuality cmdlet. It might be re-added in the future.

2.23 - 2018-07-07

Changed

Fixed

  • [Module] Fixed a bug in the processing of the -SkipDuplicatePasswordTest switch of the Test-PasswordQuality cmdlet.

2.22 - 2017-04-29

Added

2.21.2 - 2017-04-19

Fixed

  • [Framework] Fixed a bug in roamed credentials processing.
  • [Module] Fixed a bug in hexadecimal parameter parsing.

2.21.1 - 2017-04-14

Fixed

  • Fixed a bug in linked value replication.

2.21 - 2017-03-25

  • [Module] The replication cmdlets now use Kerberos authentication by default.
  • [Module] Added support for roamed credentials.
  • [Module] Cmdlets now accept hashes in both byte array and hexadecimal string forms.
  • [Framework] Added support for linked value retrieval.
  • [Framework] Updated referenced packages.
  • [Framework] Added the SamEnumerateDomainsInSamServer call.

2.20 - 2016-11-15

2.19 - 2016-10-21

  • Added support for the ServicePrincipalName attribute.

2.18 - 2016-10-02

  • [Module] Added the Get-ADDBKdsRootKey cmdlet to aid DPAPI-NG decryption, e.g. SID-protected PFX files.
  • [Module] The Get-ADReplAccount cmdlet now correctly reports the access denied error.
  • [Module] Fixed a bug in progress reporting of the Get-ADReplAccount cmdlet.
  • [Framework] Added support for KDS Root Key retrieval.
  • [Framework] Replication errors are now reported using more suitable exception types.

2.17 - 2016-09-16

  • [Module] The Get-ADReplAccount -All command now reports replication progress.
  • [Framework] Added the ability to retrieve the replication cursor.
  • [Framework] The ReplicationCookie class is now immutable and replication progress is reported using a delegate.
  • [Framework] Win32 exceptions are now translated to more specific .NET exceptions by the Validator class.

2.16.1 - 2016-08-08

  • [Module] Added the -ShowPlainTextPasswords parameter to the Test-PasswordQuality cmdlet. Cracked and cleartext passwords now do not get displayed by default.

2.16 - 2016-08-07

  • [Module] Added the Test-PasswordQuality and ConvertTo-NTHashDictionary cmdlets.
  • [Module] Added support for the UserAccountControl attribute of user accounts.
  • [Framework] Added the ability to replicate user accounts by specifying their UPN.
  • [Framework] Added the ability to calculate a NT hash from both String and SecureString.
  • [Framework] Added the HashEqualityComparer, which allows the hashes to be stored in the built-in generic collections.

2.15 - 2016-06-18

  • Removed dependency on ADSI.
  • Added support for the PAM optional feature.
  • Added the PWDump custom view.
  • Added the NTHash custom view.
  • Added the LMHash custom view.

2.14 - 2016-04-30

  • Added support for Windows Server 2016 ntds.dit encryption.
  • Added support for replication with renamed domains.
  • Added support for reading security descriptors (ACLs) from both ntds.dit files and DRS-R.
  • Added support for the AdminCount attribute.
  • Updated the forked ManagedEsent source codes to version 1.9.3.3.

2.13.1 - 2016-02-25

  • Fixed a bug regarding incorrect OS version detection.

2.13 - 2016-02-21

  • Fixed a rare bug which caused the database cmdlets to hang while loading indices.
  • Meaningful error messages are now displayed when a dirty or downlevel ntds.dit file is encountered.
  • The DSInternals.Replication library now supports incremental replication (not exposed through PowerShell).

2.12 - 2016-02-07

  • Cmdlets for ntds.dit manipulation now work on Windows 7 / Windows Server 2008 R2.
  • The module now requires .NET Framework 4.5.1 instead of 4.5.
  • Both Visual Studio 2013 and 2015 are now supported platforms.

2.11.1 - 2016-02-03

  • Added support for Windows Server 2003 R2.
  • The replication now works on x86, again.
  • Fixed a bug in temporary index loading.

2.10 - 2016-01-14

  • Added support for the NTLM-Strong-NTOWF package in Supplemental Credentials (new in Windows Server 2016 TP4)
  • Added support for initial databases
  • Added partial support for ADAM/LDS databases
  • The Get-ADDBSchemaAttribute cmdlet now shows attribute OIDs
  • Fixed a bug in Exchange schema loading

2.9 - 2015-12-27

  • The Get-BootKey cmdlet now supports online boot key retrieval
  • The PBKDF2.NET library has been replaced by CryptSharp
  • The Get-ADDBDomainController cmdlet now extracts some more data from the DB
  • The project has been open-sourced

2.8 - 2015-10-20

2.7 - 2015-09-30

  • Added the about_DSInternals help page (work in progress)
  • Fixed a bug in the Set-ADDBPrimaryGroup cmdlet

2.6 - 2015-09-21

2.5 - 2015-09-14

  • Both x86 and x64 platforms are now supported.
  • A few parameters have been changed and new aliases added.
  • Fixed a bug in the Add-ADDBSidHistory cmdlet.

2.4 - 2015-09-05

  • Fixed a bug regarding distinguished name parsing in the Get-ADDBAccount cmdlet
  • Removed a big memory leak in the Get-ADReplAccount cmdlet
  • Added the Get-ADReplicationAccount alias for Get-ADReplAccount
  • Updated AutoMapper to the latest version
  • Switched to the official build of Microsoft's Managed Esent libraries
  • The module has been published in PowerShell Gallery.

2.3

  • Parameter -SystemHiveFilePath of the Get-BootKey cmdlet is now positional
  • Added the Readme.txt file with system requirements
  • Fixed a bug in distinguished name parsing that caused the Get-ADReplAccount cmdlet to fail under some circumstances

2.2

Changed

  • Added a few parameter validations

Fixed

  • Fixed a bug in SupplementalCredentials parsing

2.1

  • The Get-ADReplAccount cmdlet can now retrieve all accounts from AD or just a single one
  • Added Microsoft Visual C++ 2013 Runtime libraries to the distribution
  • The module is now 64-bit only
  • Minor bug fixes

2.0 - 2015-07-14

1.6

Added

1.5

Added

1.4 - 2015-05-31

Added

Fixed

1.3.1

Fixed

  • Fixed a bug in the Microsoft.Isam.Esent.Interop library that prevented the Add-ADDBSidHistory cmdlet from running on Windows Server 2008 R2

1.3 - 2015-05-24

Added

1.2

Added

1.1

Added

1.0 - 2015-01-20

Initial release!