en-US/about_DSInternals.help.txt

TOPIC
    about_DSInternals
 
SHORT DESCRIPTION
    The DSInternals PowerShell Module exposes several internal
    and undocumented features of Active Directory.
 
LONG DESCRIPTION
     
    LIST OF CMDLETS
 
    Offline operations with the Active Directory database
 
        Get-ADDBAccount
        ---------------
         
        Reads one or more accounts from a ntds.dit file, including secret attributes.
         
        Get-BootKey
        -----------
         
        Reads the BootKey/SysKey from an offline SYSTEM registry hive.
 
        Set-ADDBBootKey
        ---------------
 
        Re-encrypts a ntds.dit with a new BootKey. Highly experimental!
         
        Get-ADDBBackupKey
        -----------------
 
        Reads the DPAPI backup keys from a ntds.dit file.
 
        Get-ADDBKdsRootKey
        ------------------
 
        Reads KDS Root Keys from a ntds.dit file. Can be used to aid DPAPI-NG decryption,
        e.g. SID-protected PFX files.
         
        Add-ADDBSidHistory
        ------------------
         
        Adds one or more values to the sIDHistory attribute of an object in a ntds.dit file.
         
        Set-ADDBPrimaryGroup
        --------------------
         
        Modifies the primaryGroupId attribute of an object in a ntds.dit file.
         
        Get-ADDBDomainController
        ------------------------
         
        Reads information about the originating DC from a ntds.dit file,
        including domain name, domain SID, DC name and DC site.
         
        Set-ADDBDomainController
        ------------------------
 
        Writes information about the DC to a ntds.dit file,
        including the highest committed USN and database epoch.
         
        Get-ADDBSchemaAttribute
        -----------------------
         
        Reads AD schema from a ntds.dit file, including datatable column names.
         
        Remove-ADDBObject
        -----------------
         
        Physically removes the specified object from a ntds.dit file,
        making it semantically inconsistent. Highly experimental!
     
    Online operations with the Active Directory database
         
        Get-ADReplAccount
        -----------------
         
        Reads one or more accounts through the DRSR protocol, including secret attributes.
 
        Get-ADReplBackupKey
        -------------------
         
        Reads the DPAPI backup keys through the DRSR protocol.
         
        Set-SamAccountPasswordHash
        --------------------------
         
        Sets NT and LM hashes of an account through the SAMR protocol.
 
    Hash calculation
         
        ConvertTo-NTHash
        ----------------
         
        Calculates NT hash of a given password.
 
        ConvertTo-NTHashDictionary
        --------------------------
         
        Creates a hash->password dictionary for use with the Test-PasswordQuality cmdlet.
         
        ConvertTo-LMHash
        ----------------
         
        Calculates LM hash of a given password.
         
        ConvertTo-OrgIdHash
        -------------------
         
        Calculates OrgId hash of a given password. Used by Azure Active Directory Sync.
 
    Password decryption
         
        ConvertFrom-GPPrefPassword
        --------------------------
         
        Decodes a password from the format used by Group Policy Preferences.
         
        ConvertTo-GPPrefPassword
        ------------------------
         
        Converts a password to the format used by Group Policy Preferences.
         
        ConvertFrom-UnattendXmlPassword
        -------------------------------
 
        Decodes a password from the format used in unattend.xml files.
         
        ConvertTo-UnicodePassword
        -------------------------
 
        Converts a password to the format used in unattend.xml or *.ldif files.
 
        ConvertFrom-ADManagedPasswordBlob
        ---------------------------------
 
        Decodes the value of the msDS-ManagedPassword attribute of a Group Managed Service Account.
 
    Misc
         
        Test-PasswordQuality
        --------------------
         
        Performs AD audit, including checks for weak, duplicate, default and empty passwords.
         
        Save-DPAPIBlob
        --------------
         
        Saves the output of the Get-ADReplBackupKey and Get-ADDBBackupKey cmdlets to a file.
 
        ConvertTo-Hex
        -------------
         
        Helper cmdlet that converts binary input to a hexadecimal string.
 
SEE ALSO
    about_ActiveDirectory