Module Name | Module Guid | Download Help Link | Help Version | Locale |
---|---|---|---|---|
DSInternals | 766b3ad8-eb78-48e6-84bd-61b31d96b53e | | 1.0 | en-US |
DSInternals Module
Description
The DSInternals PowerShell Module exposes several internal and undocumented features of Active Directory.
DSInternals Cmdlets
Add-ADDBSidHistory
Adds one or more values to the sIDHistory attribute of an object in a ntds.dit file.
ConvertFrom-ADManagedPasswordBlob
Decodes the value of the msDS-ManagedPassword attribute of a Group Managed Service Account.
ConvertFrom-GPPrefPassword
Decodes a password from the format used by Group Policy Preferences.
ConvertFrom-UnicodePassword
Decodes a password from the format used in unattend.xml files.
ConvertTo-GPPrefPassword
Converts a password to the format used by Group Policy Preferences.
ConvertTo-Hex
Helper cmdlet that converts binary input to a hexadecimal string.
ConvertTo-KerberosKey
Computes Kerberos keys from a given password using Kerberos version 5 Key Derivation Functions.
ConvertTo-LMHash
Calculates LM hash of a given password.
ConvertTo-NTHash
Calculates NT hash of a given password.
ConvertTo-OrgIdHash
Calculates OrgId hash of a given password. Used by Azure Active Directory Sync.
ConvertTo-UnicodePassword
Converts a password to the format used in unattend.xml or *.ldif files.
Disable-ADDBAccount
Disables an Active Directory account in an offline ntds.dit file.
Enable-ADDBAccount
Enables an Active Directory account in an offline ntds.dit file.
Get-ADDBAccount
Reads one or more accounts from a ntds.dit file, including secret attributes.
Get-ADDBBackupKey
Reads the DPAPI backup keys from a ntds.dit file.
Get-ADDBDomainController
Reads information about the originating DC from a ntds.dit file, including domain name, domain SID, DC name and DC site.
Get-ADDBKdsRootKey
Reads KDS Root Keys from a ntds.dit file. Can be used to aid DPAPI-NG decryption, e.g. SID-protected PFX files.
Get-ADDBSchemaAttribute
Reads AD schema from a ntds.dit file, including datatable column names.
Get-ADKeyCredential
Creates an object representing Windows Hello for Business credentials from its binary representation or an X.509 certificate.
Get-ADReplAccount
Reads one or more accounts through the DRSR protocol, including secret attributes.
Get-ADReplBackupKey
Reads the DPAPI backup keys through the DRSR protocol.
Get-ADSIAccount
Gets all Active Directory user accounts from a given domain controller using ADSI.
Get-BootKey
Reads the Boot Key (AKA SysKey or System Key) from an online or offline SYSTEM registry hive.
Get-LsaBackupKey
Reads the DPAPI backup keys from a domain controller through the LSARPC protocol.
Get-LsaPolicyInformation
Retrieves AD-related information from the Local Security Authority Policy of the local computer or a remote one.
Get-SamPasswordPolicy
Queries Active Directory for the default password policy.
New-ADDBRestoreFromMediaScript
Generates a PowerShell script that can be used to restore a domain controller from an IFM-equivalent backup (i.e. ntds.dit + SYSVOL).
Remove-ADDBObject
Physically removes the specified object from a ntds.dit file, making it semantically inconsistent. Highly experimental!
Save-DPAPIBlob
Saves the output of the Get-ADReplBackupKey and Get-ADDBBackupKey cmdlets to a file.
Set-ADDBAccountPassword
Sets the password for a user, computer, or service account stored in a ntds.dit file.
Set-ADDBAccountPasswordHash
Sets the password hash for a user, computer, or service account stored in a ntds.dit file.
Set-ADDBBootKey
Re-encrypts a ntds.dit with a new BootKey. Highly experimental!
Set-ADDBDomainController
Writes information about the DC to a ntds.dit file, including the highest committed USN and database epoch.
Set-ADDBPrimaryGroup
Modifies the primaryGroupId attribute of an object in a ntds.dit file.
Set-LsaPolicyInformation
Configures AD-related Local Security Authority Policies of the local computer or a remote one.
Set-SamAccountPasswordHash
Sets NT and LM hashes of an account through the SAMR protocol.
Test-PasswordQuality
Performs AD audit, including checks for weak, duplicate, default and empty passwords.