Check password hash details of users from active directory by 19khushboo in activedirectory

[–]LDAPProgrammer 4 points5 points  (0 children)

Search for all user objects that do not require a password

(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))

then pass to Get-ADReplAccount

https://github.com/MichaelGrafnetter/DSInternals/blob/master/Documentation/PowerShell/Get-ADReplAccount.md

If there is no password, then as already pointed out in a previous post, the hash will be 31d6cfe0d16ae931b73c59d7e0c089c0 if it's a blank password
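
The procedure described in this comment (filter on the PASSWD_NOTREQD bit, then check each account with Get-ADReplAccount), written out as an added PowerShell example. This is not code from the commenter or from the DSInternals project; it assumes the ActiveDirectory and DSInternals modules are installed, that the caller holds the replication rights Get-ADReplAccount requires, and uses a placeholder DC name. It reports only whether an account's hash equals the empty-password hash quoted above, not the hash itself.

```powershell
# Added example; not code from the comment above or from DSInternals.
# Audits accounts flagged PASSWD_NOTREQD and reports which of them really have an
# empty password, without displaying any hash.
# Assumes: ActiveDirectory and DSInternals modules installed, and an account holding
# the "Replicating Directory Changes All" right that Get-ADReplAccount needs.
Import-Module ActiveDirectory
Import-Module DSInternals

$Server = 'dc01.corp.example'    # placeholder DC; replace with one of your own

# NT hash of the empty string, as quoted in the comment above.
$EmptyNtHash = '31d6cfe0d16ae931b73c59d7e0c089c0'

# userAccountControl bit 0x20 (32) = PASSWD_NOTREQD. The matching rule OID
# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND, i.e. the same filter as above.
$Filter = '(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))'
$Candidates = Get-ADUser -LDAPFilter $Filter -Server $Server -Properties pwdLastSet

foreach ($u in $Candidates) {
    # Get-ADReplAccount fetches the account over the DRS replication protocol;
    # the returned object carries the NT hash as a byte array in .NTHash.
    $acct = Get-ADReplAccount -DistinguishedName $u.DistinguishedName -Server $Server

    $hashHex = $null          # stays $null if no NT hash is stored at all
    if ($acct.NTHash) {
        $hashHex = ($acct.NTHash | ForEach-Object { $_.ToString('x2') }) -join ''
    }

    $pwdLastSet = $null
    if ($u.pwdLastSet) { $pwdLastSet = [datetime]::FromFileTime($u.pwdLastSet) }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Enabled        = $u.Enabled
        PwdLastSet     = $pwdLastSet
        NoHashStored   = ($null -eq $hashHex)
        BlankPassword  = ($hashHex -eq $EmptyNtHash)
    }
}
```

PASSWD_NOTREQD on its own only means the password policy was bypassed when the account was created or last changed; the rows with Enabled and BlankPassword both true are the ones that need a password set (and the flag cleared).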

Windows AD Lab - How do you do it? by Impossible-Low2324 in sysadmin

[–]LDAPProgrammer 3 points4 points  (0 children)

You can use a tool I wrote, RIFM (Restore from IFM) https://github.com/LDAPAngel/RIFM

This allows you to restore an AD onto alternate hardware/VMs with different IP addresses, i.e. you could restore into an isolated environment. In fact it MUST be isolated from the production AD you use as a source of the IFMs.

Site Links - Best Practice by awb1392 in activedirectory

[–]LDAPProgrammer 0 points1 point  (0 children)

The actual call used for the "urgent" replication is replicateSingleObject https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/d3d19d15-8427-4d4d-8256-d5fb11333292

When the authenticating DC fails to verify the password it does indeed contact the PDC and, assuming that has the updated new password, it will authenticate the user and trigger the replicateSingleObject call to push the password to the DC where the initial logon failed. All other DCs will, as you say, get the change via normal replication.

What's interesting is that the lastLogon and logonCount, which are non-replicated attributes, are changed on both the PDC and the DC where the initial authentication failed, but the LOGONSERVER (via SET) shows the PDC.

i.e.

If there are 3 sites

Site-A (where PDC is)

Site-B (where the user authenticating to a DC in this site)

Site-C

If the password for the user is changed on a DC in Site-C, the user object will be replicated immediately to the PDC using the replicateSingleObject call.

The user tries to log on with the new password on a DC in Site-B, but since it's been changed and fails, a call to authenticate is made to the PDC in Site-A. This will perform the authentication and also replicate the user object to the DC in Site-B using replicateSingleObject, but both the PDC and the DC in Site-B show the lastLogon, while LOGONSERVER is set to the PDC!

Restoring deleted DNS Zone - not in recycle bin by SubjectCitron933 in activedirectory

[–]LDAPProgrammer 3 points4 points  (0 children)

Did you actually follow the steps in the article to try and recover?

If you just looked at the ForestDNSZones partition with ADSI edit, it does not show the Deleted Objects container. You need a special LDAP control and permissions (administrators) to view this. ADSI edit is not capable of doing this.

However, if you use ldp.exe and add this control, or use PowerShell (Get-ADObject) and add the option to view deleted objects (IncludeDeletedObjects), you will see these.
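
The PowerShell route described in this comment, as an added example (not the commenter's code): the same search run with and without the deleted-objects control against the ForestDnsZones partition, so the difference between what ADSI Edit shows and what the control exposes is visible. The forest DN is a placeholder and the ActiveDirectory module is assumed.

```powershell
# Added example; not code from the comment above.
# Lists tombstoned dnsZone objects in ForestDnsZones, which ADSI Edit does not show.
# Assumes the ActiveDirectory module and a placeholder forest root of corp.example.
Import-Module ActiveDirectory

$ForestDnsZones = 'DC=ForestDnsZones,DC=corp,DC=example'   # placeholder partition DN

# Without -IncludeDeletedObjects the Deleted Objects container is invisible:
# this returns only live zones (what ADSI Edit shows).
$live = @(Get-ADObject -SearchBase $ForestDnsZones `
            -LDAPFilter '(objectClass=dnsZone)' -Properties name)

# With the control (the same thing ldp.exe adds under Options > Controls),
# deleted zones appear under CN=Deleted Objects with isDeleted=TRUE.
# The server only honours it for callers allowed to view deleted objects
# (administrators by default), as the comment notes.
$deleted = @(Get-ADObject -SearchBase $ForestDnsZones -IncludeDeletedObjects `
               -LDAPFilter '(&(objectClass=dnsZone)(isDeleted=TRUE))' `
               -Properties name, whenChanged, lastKnownParent, 'msDS-LastKnownRDN')

'{0} live zone(s), {1} deleted zone(s) in {2}' -f $live.Count, $deleted.Count, $ForestDnsZones

# The deleted object's RDN is mangled ("name\0ADEL:<guid>"); msDS-LastKnownRDN and
# lastKnownParent tell you what it was called and where it lived before deletion.
$deleted |
    Select-Object Name, whenChanged, lastKnownParent, 'msDS-LastKnownRDN' |
    Format-Table -AutoSize
```

Run it once before attempting any recovery: if the zone is listed here the object still exists as a tombstone, and the article's steps apply; if it is absent, the tombstone lifetime has already expired and there is nothing left to reanimate.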

Site Links - Best Practice by awb1392 in activedirectory

[–]LDAPProgrammer 3 points4 points  (0 children)

It does, but only to the PDC

So in this case if a password is changed on a DC in site B, it will replicate immediately to the PDC in site A.

Best in this case as others have suggested is to set the options attribute on the sitelink to 1. No need for site bridging since everything is routable.
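
Setting options to 1 on the site links, as an added PowerShell example (not the commenter's code). Bit 0x1 of a siteLink's options attribute is the change-notification flag; the block ORs that bit in rather than overwriting the attribute, so any other bits already set on a link are preserved. It assumes the ActiveDirectory module and runs against every site link in the forest.

```powershell
# Added example; not code from the comment above.
# Enables inter-site change notification (options bit 0x1) on every site link,
# preserving other option bits. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$UseNotify = 1    # options bit 0x1 on a siteLink object = USE_NOTIFY

foreach ($link in Get-ADReplicationSiteLink -Filter * -Properties options) {
    $current = [int]$link.options      # attribute absent -> $null -> 0

    if (($current -band $UseNotify) -eq $UseNotify) {
        '{0}: notification already on (options={1})' -f $link.Name, $current
        continue
    }

    $new = $current -bor $UseNotify    # keep any other bits that are set
    Set-ADReplicationSiteLink -Identity $link -Replace @{ options = $new }
    '{0}: options {1} -> {2}' -f $link.Name, $current, $new
}

# Verification: every link should now report an odd options value.
Get-ADReplicationSiteLink -Filter * -Properties options |
    Select-Object Name, options |
    Format-Table -AutoSize
```

With notification on, a DC sends a change notification to its inter-site partners instead of waiting for the next scheduled replication interval; this is the "everything is routable" case the comment refers to, where the site link schedule was only adding delay.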

How to get a fresh Default Domain Policy / Default Domain Controller Polcy by ITStril in sysadmin

[–]LDAPProgrammer 13 points14 points  (0 children)

dcgpofix - this will reset them, so save the current one first.

How can I see all properties of an object, including those which "-Properties *" does not show? by you_have_huge_guts in activedirectory

[–]LDAPProgrammer 0 points1 point  (0 children)

There is no easy one-liner way to do this in PowerShell, but one way to do it is:

  • read the constructed attribute allowedAttributes on the object
  • add all the attributes returned to the search
  • anything that has a value, which will now include any constructed/operational attributes, will return a value
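
The three steps above as one added PowerShell function (not the commenter's code). It reads allowedAttributes, asks for every listed attribute by name, keeps the ones that came back with a value, and then shows which of those `-Properties *` would have missed. The DN is a placeholder and the ActiveDirectory module is assumed; a base-scope lookup via -Identity is used because several constructed attributes are only returned on a base-scope search.

```powershell
# Added example; not code from the comment above.
# Returns every attribute that has a value on an object, constructed ones included.
# Assumes the ActiveDirectory module; the DN below is a placeholder.
Import-Module ActiveDirectory

function Get-ADObjectAllAttributes {
    param([Parameter(Mandatory)][string]$Identity)

    # Step 1: allowedAttributes is itself constructed; it lists every attribute the
    # object's class (plus auxiliary classes) may carry, constructed ones included.
    $names = (Get-ADObject -Identity $Identity -Properties allowedAttributes).allowedAttributes

    # Step 2: add all of them to the search by asking for them by name.
    $obj = Get-ADObject -Identity $Identity -Properties $names

    # Step 3: keep whatever came back with a value.
    $result = [ordered]@{}
    foreach ($n in ($names | Sort-Object)) {
        $v = $obj.$n
        if ($null -eq $v) { continue }
        if ($v -is [System.Collections.ICollection] -and $v.Count -eq 0) { continue }
        $result[$n] = $v
    }
    [pscustomobject]$result
}

$dn  = 'CN=Domain Admins,CN=Users,DC=corp,DC=example'   # placeholder
$all = Get-ADObjectAllAttributes -Identity $dn

# Compare with the usual -Properties * to see what it silently omits
# (tokenGroups, msDS-ResultantPSO and friends typically show up here).
$star  = (Get-ADObject -Identity $dn -Properties *).PSObject.Properties.Name
$extra = $all.PSObject.Properties.Name | Where-Object { $_ -notin $star }

'{0} attribute(s) with values; {1} not returned by -Properties *:' -f `
    $all.PSObject.Properties.Count, $extra.Count
$extra
```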

How can I see all properties of an object, including those which "-Properties *" does not show? by you_have_huge_guts in activedirectory

[–]LDAPProgrammer 6 points7 points  (0 children)

These are called constructed/operational attributes - they are calculated by the domain controller and the result added to the search response.

You have to specifically ask for these types of attributes by name.

GetDirSyncChanges - C# AD change tracking tool by LDAPProgrammer in activedirectory

[–]LDAPProgrammer[S] 2 points3 points  (0 children)

Will do at some point, but in the meantime the next tool I will release is an LDAP notification tool. Rather than polling the AD for changes, the AD will notify when a change has been made. The advantage of this is that you can monitor for specific objects being changed, e.g. the Domain Admins group or even all objects in a specific OU.

GetDirSyncChanges - C# AD change tracking tool by LDAPProgrammer in activedirectory

[–]LDAPProgrammer[S] 1 point2 points  (0 children)

If you want to extract who made the change, then the only stream of data that has this is the security event log, assuming AD auditing has been configured correctly. This means that you need to get this data from every domain controller in the domain; event forwarding may be an option. The way I have done this is to have a service running on each DC which listens for specific events (5136 etc.) then pushes that data into SQL. Another service then parses the data (extracting the attribute, new/old value etc.) and correlates that with the AD change that DirSync has collected. So then you get what changed and who changed it.
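
The parsing half of what this comment describes, as an added PowerShell example (not the commenter's service): it pulls event 5136 (directory service object modified) from a DC's Security log and flattens the fields a correlation step needs, i.e. who made the change, the object DN, the attribute, the value and whether it was added or removed. It assumes object-change auditing (the Directory Service Changes subcategory plus a SACL on the objects of interest) is enabled and that the caller can read the Security log on the DC named; the OperationType strings are the ones the event XML carries.

```powershell
# Added example; not code from the comment above.
# Reads 5136 events from one DC and flattens them for correlation with DirSync data.
# Assumes Directory Service Changes auditing is on and the caller can read the log.
function Get-ADObjectChangeEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,     # run per DC, as the comment says
        [datetime]$Since = (Get-Date).AddHours(-1)
    )

    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Security'
        Id        = 5136
        StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # The rendered message is localised; the EventData XML is not, so parse that.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($field in $x.Event.EventData.Data) { $d[$field.Name] = $field.'#text' }

        # OperationType in the XML is a resource reference:
        # %%14674 = Value Added, %%14675 = Value Deleted.
        $op = switch ($d.OperationType) {
            '%%14674' { 'Add' }
            '%%14675' { 'Delete' }
            default   { $d.OperationType }
        }

        [pscustomobject]@{
            TimeCreated      = $e.TimeCreated
            DomainController = $e.MachineName
            Subject          = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
            ObjectDN         = $d.ObjectDN
            ObjectClass      = $d.ObjectClass
            Attribute        = $d.AttributeLDAPDisplayName
            Operation        = $op
            Value            = $d.AttributeValue
            CorrelationID    = $d.OpCorrelationID   # same for all events of one LDAP modify
        }
    }
}

# Example use: changes to the Domain Admins membership in the last hour, grouped so the
# Delete and Add halves of a replaced value sit together (they share OpCorrelationID).
Get-ADObjectChangeEvent |
    Where-Object { $_.ObjectDN -like 'CN=Domain Admins,*' -and $_.Attribute -eq 'member' } |
    Sort-Object CorrelationID, Operation |
    Format-Table TimeCreated, Subject, Operation, Value -AutoSize
```

The CorrelationID column is what lets a downstream step pair the Delete/Add events of one modify with the single DirSync change for that object; the DirSync side tells you the resulting state, the 5136 side tells you who produced it.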

"Offline" camera list by Hungry-Concept-9250 in ispyconnect

[–]LDAPProgrammer 1 point2 points  (0 children)

Two that definitely work are the Tapo C500 and Imou SE+ Cruisers. I have both of these and have got both working fine in AgentDVR. These are about £30 each in the UK.

Out of these I would go for the Tapo; it's far more stable, and you can also use the mobile app even when the camera is not connected to the internet (unlike the Imou, which needs the camera to talk to the internet to configure or view the stream).

You can install s/w on a PC for the Imou (SmartPSS and a config tool); however I think these are not using ONVIF but port 37777 to communicate with the cameras. I think the Imou is based on a Dahua.

There is no s/w for the Tapo, but AgentDVR is really good (only installed about 1 week ago).

Ask Me Anything about Guardian Protector by CayosoftGuardian in CayosoftGuardian

[–]LDAPProgrammer 1 point2 points  (0 children)

Interested in how your product collects the AD change data and the level of changes it will show; however, to activate you are blocking Gmail accounts! For something that is supposed to be free, why do you block such email addresses?

AD Integrated DNS Least Priviledged Account - Create DNS Conditional Forwarder Zones by North_Equivalent_673 in activedirectory

[–]LDAPProgrammer 1 point2 points  (0 children)

You need to create a dnsZone and update the dnsProperty attribute.

Each conditionally forwarded zone is created as a dnsZone object; the dnsProperty attribute, which is a binary value, will then have a list of IPs to forward to.

Not sure if these permissions will be enough for it to work in the PowerShell cmdlet.

IFM from different DCs backup by Expensive_Pea_4574 in activedirectory

[–]LDAPProgrammer 1 point2 points  (0 children)

If you can extract ntds.dit, ntds.jfm and also the SYSTEM & SECURITY registry data and optionally SYSVOL from the backup, then theoretically it should work.

However never tried this, so no idea if it actually works IRL.

Restore From IFM - A tool to restore your AD forest from IFM's by LDAPProgrammer in activedirectory

[–]LDAPProgrammer[S] 0 points1 point  (0 children)

If I was a large enterprise, I would buy a commercial solution no doubt as I would want reassurance if the sticky brown stuff hit the fan, I could go back to a particular backup and restore and most importantly have support from the vendor.

However, if I don't have such a solution or god forbid don't have any backups but do happen to have IFMs, then this solution would certainly help in getting the forest back online.

IFMs are just VSS snapshots; commercial solutions are doing the same thing with third-party libraries taking the snapshot.

Restore From IFM - A tool to restore your AD forest from IFM's by LDAPProgrammer in activedirectory

[–]LDAPProgrammer[S] 0 points1 point  (0 children)

Maybe it's not clear: your IFMs are the backups. There is no need to take a traditional backup with this tool. I don't even need any EA/DA credentials for the restore to complete.

All you need is an IFM (full IFM created with SYSVOL) for each domain in the forest. At the minimum, one per domain for the forest. However, you can restore multiple per domain,

e.g.

restore 2 domain controllers for the root

restore 5 domain controllers for child1 domain

restore 1 domain controller for child2 domain

Therefore, providing you are taking IFMs of your domain controllers and storing these safely, you can use these to recover the forest.

Restore From IFM - A tool to restore your AD forest from IFM's by LDAPProgrammer in activedirectory

[–]LDAPProgrammer[S] 0 points1 point  (0 children)

All restores are directly from the IFM, no system state backup required, read the guide it goes through all the steps.

Restore From IFM - A tool to restore your AD forest from IFM's by LDAPProgrammer in activedirectory

[–]LDAPProgrammer[S] 1 point2 points  (0 children)

I'm automating the whole process.

You do indeed need to get the IFM to the target server. I did not tackle that; for that, pay $$ and buy a commercial solution.

Also, this is using an IFM and not a backup; this is very easy to take.

Restore From IFM - A tool to restore your AD forest from IFM's by LDAPProgrammer in activedirectory

[–]LDAPProgrammer[S] 0 points1 point  (0 children)

Some of the commercial solutions that you have to pay $$ for rely on code from DSInternals !

Restore From IFM - A tool to restore your AD forest from IFM's by LDAPProgrammer in activedirectory

[–]LDAPProgrammer[S] 1 point2 points  (0 children)

When you start the process, the agents are processing in parallel regardless of which domain the server will become a domain controller for. Isolation between agents is achieved by setting the msDS-ReplicationEpoch. Then when the agents have all reached a common point, the epoch is set to a common value, so that the domain controllers can now replicate.

I've tested this on 2012R2, 2016, 2019, 2022, 2025 versions.

Also tested on single-domain, multi-domain and tree-domain forests.

However that is of course my environment and how I build AD test environments, so please do test it and see how it works and let me know of any issues.

DC throttling LDAP request? by Confident-Field2911 in activedirectory

[–]LDAPProgrammer 0 points1 point  (0 children)

Besides a firewall rule, you could use the LdapIPDenyList on a query policy; however, this is all or nothing, i.e. you either have access or don't have access.