DSInternals

7.0

The DSInternals PowerShell Module exposes several internal features of Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups, and password hash calculation.

DISCLAIMER: Features exposed through this module are not supported by Microsoft and it is therefore not intended to be u
The DSInternals PowerShell Module exposes several internal features of Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups, and password hash calculation.

DISCLAIMER: Features exposed through this module are not supported by Microsoft and it is therefore not intended to be used in production environments. Improper use might cause irreversible damage to domain controllers or negatively impact domain security.
Show more

Minimum PowerShell version

5.1

Installation Options

Copy and Paste the following command to install this package using PowerShellGet More Info

Install-Module -Name DSInternals

Copy and Paste the following command to install this package using Microsoft.PowerShell.PSResourceGet More Info

Install-PSResource -Name DSInternals

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation. Learn More

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies. Learn More

Owners

Copyright

(c) 2015-2026 Michael Grafnetter. All rights reserved.

Package Details

Author(s)

  • Michael Grafnetter

Tags

ActiveDirectory Security SAM LSA DNS BitLocker LAPS NTDS Windows

Cmdlets

ConvertTo-NTHash ConvertTo-LMHash Set-SamAccountPasswordHash ConvertFrom-UnicodePassword ConvertTo-UnicodePassword ConvertTo-OrgIdHash ConvertFrom-GPPrefPassword ConvertTo-GPPrefPassword Set-ADDBPrimaryGroup Get-ADDBDomainController Set-ADDBDomainController Get-ADDBSchemaAttribute Remove-ADDBObject Get-ADDBAccount Get-BootKey Get-ADReplAccount ConvertTo-Hex ConvertTo-KerberosKey ConvertFrom-ADManagedPasswordBlob Get-ADReplKdsRootKey Get-ADDBBackupKey Get-ADReplBackupKey Save-DpapiBlob Get-DpapiNgPfxCertificate Unprotect-DpapiNgPfxCertificate Protect-DpapiNgData Unprotect-DpapiNgData Get-DpapiNgData Set-ADDBBootKey Test-PasswordQuality Get-ADDBServiceAccount Get-ADDBBitLockerRecoveryInformation Get-ADDBKdsRootKey Get-SamPasswordPolicy Get-ADSIAccount Get-ADSIServiceAccount Get-ADSIDnsServerResourceRecord Get-ADSIDnsServerZone Get-ADSIDnsServerSigningKey Export-ADSIDnsServerSigningKey Get-ADSIKdsRootKey Enable-ADDBAccount Disable-ADDBAccount Get-ADKeyCredential Set-ADDBAccountPassword Set-ADDBAccountPasswordHash Get-LsaPolicyInformation Set-LSAPolicyInformation New-ADDBRestoreFromMediaScript Get-LsaBackupKey Add-ADReplNgcKey Add-ADReplSidHistory New-DpapiNgNamedDescriptor Get-DpapiNgNamedDescriptor Remove-DpapiNgNamedDescriptor Get-DpapiNgSidKeyIdentifier Save-DpapiNgSidKey Clear-DpapiNgSidKeyCache Unlock-ADDBAccount Get-ADDBDnsServerResourceRecord Get-ADDBDnsServerZone Get-ADDBDnsServerSigningKey Export-ADDBDnsServerSigningKey Set-ADDBAccountControl Save-DnsServerResourceRecord Get-ADDBTrust

PSEditions

Desktop Core

Dependencies

This module has no dependencies.

Release Notes

- Added the Protect-DpapiNgData, Unprotect-DpapiNgData, and Get-DpapiNgData cmdlets for encrypting, decrypting, and parsing DPAPI-NG protected blobs.
- Added the New-DpapiNgNamedDescriptor, Get-DpapiNgNamedDescriptor, and Remove-DpapiNgNamedDescriptor cmdlets for managing named DPAPI-NG protection descriptors.
- Added the Get-DpapiNgPfxCertificate and Unprotect-DpapiNgPfxCertificate cmdlets for extracting and decrypting SID-based DPAPI-NG certificate password protectors from PFX files, either online or offline with -KdsRootKey.
- Added the Get-DpapiNgSidKeyIdentifier, Save-DpapiNgSidKey, and Clear-DpapiNgSidKeyCache cmdlets for managing the local cache of KDS root key derived DPAPI-NG group keys, enabling offline decryption.
- Added the Save-DnsServerResourceRecord cmdlet for exporting DNS records to zone files.
- Added the Get-ADSIKdsRootKey cmdlet for reading KDS root keys through LDAP.
- Added the Get-ADSIServiceAccount cmdlet for reading gMSAs and dMSAs through LDAP with passwords derived from KDS root keys.
- Fixed intermittent "CRC check failed." errors during replication caused by RPC session key renegotiation mid-replication.

FileList

Version History

Version Downloads Last updated
7.0 (current version) 0 5/28/2026
6.5 0 5/16/2026
6.4 103,150 3/28/2026
6.3 96,084 2/8/2026
6.2 154,775 12/5/2025
6.1.1 246,620 8/19/2025
6.1 4,058 8/17/2025
6.0.1 4,637 8/14/2025
6.0 93 8/14/2025
5.4.3 88,423 7/9/2025
5.3 228,529 4/11/2025
5.2 3,367 4/9/2025
5.1 54,247 3/22/2025
5.0 43,832 3/3/2025
4.16 207,752 1/5/2025
4.15.1 7,837 1/3/2025
4.15 35,206 12/23/2024
4.14 688,129 4/13/2024
4.13 296,126 12/20/2023
4.12 157,777 10/6/2023
4.11 12,930 10/1/2023
4.10 28,973 9/16/2023
4.9 535,535 2/25/2023
4.8 265,747 12/6/2022
4.7 1,196,525 10/30/2021
4.6 24,435 10/19/2021
4.5 13,477 10/13/2021
4.4.1 237,708 7/18/2020
4.4 6,446 7/3/2020
4.3 52,937 4/2/2020
4.2 3,249 3/18/2020
4.1 13,790 12/12/2019
4.0 841 12/4/2019
3.6.1 6,203 8/10/2019
3.6 2,016 6/27/2019
3.5 2,741 5/10/2019
3.4 609 4/23/2019
3.3 1,694 3/2/2019
3.2.1 1,496 1/4/2019
3.1 182 12/29/2018
3.0 2,300 9/29/2018
2.23 2,537 7/7/2018
2.22 7,275 5/1/2017
2.21.2 156 4/19/2017
2.21.1 80 4/14/2017
2.21 273 3/25/2017
2.20 2,541 11/15/2016
2.19 290 10/21/2016
2.18 237 10/2/2016
2.17 151 9/16/2016
2.16.1 2,666,848 8/8/2016
2.16 77 8/7/2016
2.15 280 6/18/2016
2.14 251 4/30/2016
2.13.1 254 2/25/2016
2.13 71 2/21/2016
2.12 88 2/7/2016
2.11.1 57 2/3/2016
2.10 122 1/14/2016
2.9 82 12/27/2015
2.8 191 10/20/2015
2.7 132 9/30/2015
2.6 81 9/21/2015
2.5 95 9/14/2015
2.4 94 9/5/2015
Show more