DSInternals

Notable Changes

This is a bugfix release. The Set-LsaPolicyInformation cmdlet now generates the UNICODE_STRING structure with the trailing null character, to improve compatibility with NETLOGON. This issue mainly affects the functionality of the New-ADDBRestoreFromMediaScript cmdlet. Thanks, Christoffer Andersson, for reporting this issue. And sorry, Microsoft support escalation engineers, for the trouble this bug has caused.

If you ever restored a DC from an IFM backup using DSInternals, you need to re-run the Set-LsaPolicyInformation cmdlet with the right parameters on that DC.

PowerShell Module

Standalone module for offline installation and for legacy PowerShell versions is attached. See the Installation Notes before proceeding.

PowerShell Gallery

The PowerShell module is also available on Microsoft's PowerShell Gallery.

Chocolatey

An official Chocolatey package of the DSInternals PowerShell Module is also available. Note that due to a strict approval process, the newest version of the package might appear with some delay.

NuGet Gallery

Official binary packages are available at NuGet Gallery.

Notable Changes

• Added support for Windows Server 2025 Insider Preview domain controllers with the 32k database page size optional feature enabled.
• Improved KDS Root Key selection algorithm in the Get-ADDBServiceAccount cmdlet.

See the Changelog for a more detailed list of new features.

PowerShell Module

Standalone module for offline installation and for legacy PowerShell versions is attached. See the Installation Notes before proceeding.

PowerShell Gallery

The PowerShell module is also available on Microsoft's PowerShell Gallery.

Chocolatey

An official Chocolatey package of the DSInternals PowerShell Module is also available. Note that due to a strict approval process, the newest version of the package might appear with some delay.

NuGet Gallery

Official binary packages are available at NuGet Gallery.

Notable Changes

• Added the Get-ADDBServiceAccount cmdlet for offline managed password derivation.
• Implemented the Unlock-ADDBAccount cmdlet that can perform offline account unlock.

See the Changelog for a more detailed list of new features.

PowerShell Module

Standalone module for offline installation and for legacy PowerShell versions is attached. See the Installation Notes before proceeding.

PowerShell Gallery

The PowerShell module is also available on Microsoft's PowerShell Gallery.

Chocolatey

An official Chocolatey package of the DSInternals PowerShell Module is also available. Note that due to a strict approval process, the newest version of the package might appear with some delay.

NuGet Gallery

Official binary packages are available at NuGet Gallery.

Notable Changes

• The Test-PasswordQuality cmdlet now checks if a user's password is equal to their SamAccountName attribute, thanks to @BlueCurby.
• Replication cmdlets in the PowerShell module should now work on the ARM64 platform as well. Tests were performed using the Windows Dev Kit 2023, AKA Project Volterra.

See the Changelog for a more detailed list of new features.

PowerShell Module

Standalone module for offline installation and for legacy PowerShell versions is attached. See the Installation Notes before proceeding.

PowerShell Gallery

The PowerShell module is also available on Microsoft's PowerShell Gallery.

Chocolatey

An official Chocolatey package of the DSInternals PowerShell Module is also available. Note that due to a strict approval process, the newest version of the package might appear with some delay.

NuGet Gallery

Official binary packages are available at NuGet Gallery.

Notable Changes

• The Get-BootKey cmdlet should now be able to read inconsistent/corrupted SYSTEM registry hives.
• Implemented the FIPS compliance requirement and operating system checks.

See the Changelog for a more detailed list of new features.

PowerShell Module

Standalone module for offline installation and for legacy PowerShell versions is attached. See the Installation Notes before proceeding.

PowerShell Gallery

The PowerShell module is also available on Microsoft's PowerShell Gallery.

Chocolatey

An official Chocolatey package of the DSInternals PowerShell Module is also available. Note that due to a strict approval process, the newest version of the package might appear with some delay.

NuGet Gallery

Official binary packages are available at NuGet Gallery.

Notable Changes

• The Test-PasswordQuality cmdlet can now identify kerberoastable user accounts and its performance has been slightly improved.

See the Changelog for a more detailed list of new features.

PowerShell Module

Standalone module for offline installation and for legacy PowerShell versions is attached. See the Installation Notes before proceeding.

PowerShell Gallery

The PowerShell module is also available on Microsoft's PowerShell Gallery.

Chocolatey

An official Chocolatey package of the DSInternals PowerShell Module is also available. Note that due to a strict approval process, the newest version of the package might appear with some delay.

NuGet Gallery

Official binary packages are available at NuGet Gallery.

Notable Changes

• Added Windows Server 2022 support.

See the Changelog for a more detailed list of new features.

PowerShell Module

Standalone module for offline installation and for legacy PowerShell versions is attached. See the Installation Notes before proceeding.

PowerShell Gallery

The PowerShell module is also available on Microsoft's PowerShell Gallery.

Chocolatey

An official Chocolatey package of the DSInternals PowerShell Module is also available. Note that due to a strict approval process, the newest version of the package might appear with some delay.

NuGet Gallery

Official binary packages are available at NuGet Gallery.

Notable Changes

• Added support for ntds.dit files with conflicting defunct attributes.
• Fixed the detection of default computer passwords.
• Improved parsing of roaming CNG private keys.
• Updated the target .NET Framework to 4.7.2.

See the Changelog for a more detailed list of new features.

PowerShell Module

Standalone module for offline installation and for legacy PowerShell versions is attached. See the Installation Notes before proceeding.

PowerShell Gallery

The PowerShell module is also available on Microsoft's PowerShell Gallery.

Chocolatey

An official Chocolatey package of the DSInternals PowerShell Module is also available. Note that due to a strict approval process, the newest version of the package might appear with some delay.

NuGet Gallery

Official binary packages are available at NuGet Gallery.

Notable Changes

This is a bugfix release. Version 4.4 was missing the vcruntime140_1.dll file, which prevented the DSInternals.Replication.Interop.dll file from being loaded.

See the Changelog for a more detailed list of new features.

PowerShell Module

Standalone module for offline installation and for legacy PowerShell versions is attached. See the Installation Notes before proceeding.

PowerShell Gallery

The PowerShell module is also available on Microsoft's PowerShell Gallery.

Chocolatey

An official Chocolatey package of the DSInternals PowerShell Module is also available. Note that due to a strict approval process, the newest version of the package might appear with some delay.

Notable Changes

The new Set-AzureADUserEx cmdlet enables administrative FIDO2 security key revocation in Azure Active Directory. This allows Global Admins to unregister stolen or lost security keys and thus prevent their potential misuse:

<#
This script will revoke all FIDO2 keys with display name containing "YubiKey"
that were registered by user "[email protected]".
#>
Install-Module -Name AzureAD,DSInternals -Force
Connect-AzureAD
$token = [Microsoft.Open.Azure.AD.CommonLibrary.AzureSession]::AccessTokens['AccessToken'].AccessToken
$user = Get-AzureADUserEx -UserPrincipalName '[email protected]' -AccessToken $token 
$newCreds = $user.KeyCredentials | where { $PSItem.FidoKeyMaterial.DisplayName -notlike '*YubiKey*' }
Set-AzureADUserEx -UserPrincipalName '[email protected]' -KeyCredential $newCreds -Token $token

This feature is unique to DSInternals and there is currently no other way of achieving the same goal.

PowerShell Module

Standalone module for offline installation and for legacy PowerShell versions is attached. See the Installation Notes before proceeding.

PowerShell Gallery

The PowerShell module is also available on Microsoft's PowerShell Gallery.

Chocolatey

An official Chocolatey package of the DSInternals PowerShell Module is also available. Note that due to a strict approval process, the newest version of the package might appear with some delay.

NuGet Gallery

Official binary packages are available at NuGet Gallery.

Notable Changes

Auditing of FIDO2 Keys in Azure Active Directory

The new Get-AzureADUserEx cmdlet can be used to retrieve FIDO and NGC keys from Azure Active Directory, as the first tool on the market:

PS C:\> Get-AzureADUserEx -All -Token $token |
            Where-Object Enabled -eq $true |
            Select-Object -ExpandProperty KeyCredentials |
            Where-Object Usage -eq FIDO |
            Format-Table -View FIDO

<# Sample Output:

DisplayName           AAGUID                               Alg   Counter Created    Owner
-----------           ------                               ---   ------- -------    -----
YubiKey 5             cb69481e-8ff7-4039-93ec-0a2729a154a8 ES256      25 2019-12-12 [email protected]
Feitian All-In-Pass   12ded745-4bed-47d4-abaa-e713f51d6393 ES256    1398 2020-03-31 [email protected]
eWMB Goldengate G320  87dbc5a1-4c94-4dc8-8a47-97d800fd1f3c ES256      37 2019-08-29 [email protected]
eWBM Goldengate G310  95442b2e-f15e-4def-b270-efb106facb4e ES256      48 2019-08-29 [email protected]

#>

See the Examples section for more details on the usage of this new cmdlet.

LastLogonTimestamp Attribute Support

Both lastLogon and lastLogonTimestamp user account attributes are now exposed. And the new LastLogonDate property returns whichever of these 2 values is available.

See the Changelog for a more detailed list of new features.

PowerShell Module

Standalone module for offline installation and for legacy PowerShell versions is attached. See the Installation Notes before proceeding.

PowerShell Gallery

The PowerShell module is also available on Microsoft's PowerShell Gallery.

Chocolatey

An official Chocolatey package of the DSInternals PowerShell Module is also available. Note that due to a strict approval process, the newest version of the package might appear with some delay.

NuGet Gallery

Official binary packages are available at NuGet Gallery.

Notable Changes

Cross-Forest Duplicate Password Discovery

The Test-PasswordQuality cmdlet now supports cross-domain and cross-forest duplicate password discovery and offline password hash comparison against HaveIBeenPwned:

$contosoAccounts = Get-ADReplAccount -All -Server $env:LOGONSEVER
$adatumCred = Get-Credential -Message 'Admin credentials for the adatum.com domain:'
$adatumAccounts = Get-ADReplAccount -All -Server 'nyc-dc1.adatum.com' -Credential $adatumCred
$contosoAccounts + $adatumAccounts | Test-PasswordQuality -WeakPasswordHashesSortedFile 'pwned-passwords-ntlm-ordered-by-hash-v5.txt'

The output of the previous script might look like this (with some parts omitted):

Active Directory Password Quality Report
----------------------------------------
...
Passwords of these accounts have been found in the dictionary:
  ADATUM\larry_admin
  CONTOSO\harry
...
These groups of accounts have the same passwords:
  Group 1:
    ADATUM\smith
    ADATUM\srv_sql01
  Group 2:
    ADATUM\Administrator
    ADATUM\joe_admin
    CONTOSO\Administrator
    CONTOSO\joe_admin
...

The example above uses the MS-DRSR protocol. Similar results can be achieved by using the Get-ADDBAccount cmdlet to read account information directly from a ntds.dit file.

Domain Name Detection

The Get-ADReplAccount, Get-ADReplBackupKey and Add-ADReplNgcKey cmdlets no longer require the Domain and NamingContext parameters to be specified, as their proper values are automatically retrieved from the target DC.

DSInternals is probably the only tool that detects the domain information just by using the MS-DRSR protocol itself.

See the Changelog for a more detailed list of new features.

PowerShell Module

Standalone module for offline installation and for legacy PowerShell versions is attached. See the Installation Notes before proceeding.

PowerShell Gallery

The PowerShell module is also available on Microsoft's PowerShell Gallery.

Chocolatey

An official Chocolatey package of the DSInternals PowerShell Module is also available.

NuGet Gallery

Official binary packages are available at NuGet Gallery.

Acknowledgement

Special thanks goes to @aseigler for his code contribution to this release.

Features added in this release were presented during the Black Hat Europe 2019 talk called Exploiting Windows Hello for Business.

Notable Changes

• Implemented checks for weak NGC keys in Active Directory and added the ability to export these public keys to a format understood by the original ROCA detection tool. See the newly released Microsoft Security Advisory ADV190026 for more information on this topic.
• Improved FIDO2 key registration reporting capabilities. Tested with YubiKey, Feitian, eWBM and SoloKeys. Big thanks to @aseigler for major code contribution and valuable feedback!
• Added the Add-ADReplNgcKey cmdlet for NGC key injection through the replication protocol (MS-DRSR).

See the Changelog for a more detailed list of new features.

PowerShell Module

Standalone module for offline installation and for legacy PowerShell versions is attached. See the
Installation Notes before proceeding.

PowerShell Gallery

The PowerShell module is also available on Microsoft's PowerShell Gallery.

Chocolatey

An official Chocolatey package of the DSInternals PowerShell Module is also available.

NuGet Gallery

Official binary packages are available at NuGet Gallery.

Notable Changes

• Added the Set-ADDBAccountPassword and Set-ADDBAccountPasswordHash cmdlets for offline password modification.
• The Test-PasswordQuality cmdlet now supports NTLM hash list from Have I Been Pwned.
• The Get-ADDBAccount, Get-ADReplAccount and Get-ADSIAccount cmdlets now display Windows Hello for Business credentials.
• Databases from Windows Server 2016 can now be read on non-DCs.
• The Save-DPAPIBlob now generates mimikatz scripts for the decryption of roamed credentials.

See the Changelog for a more detailed list of new features.

PowerShell Module

Standalone module for offline installation and for legacy PowerShell versions is attached. See the
Installation Notes before proceeding.

PowerShell Gallery

For convenience, the DSInternals PowerShell module is also available on Microsoft's PowerShell Gallery.

NuGet Gallery

Official binary packages are available at NuGet Gallery.

Known Issues

• .NET Framework 4.5.1 is required for the module to be fully functional. Unfortunately, PowerShell versions prior to 5 ignore this prerequisite.

Private preview of this release has been used by Paula Januszkiewicz during her Microsoft Ignite session to decrypt a SID-protected PFX file. Very cool stuff!

Notable Changes

• [Module] Added the Get-ADDBKdsRootKey cmdlet that can dump KDS Root Keys from ntds.dit files. These can then be used for DPAPI-NG decryption, e.g. SID-protected PFX files.
• [Module] The Get-ADReplAccount cmdlet now correctly reports the access denied error.
• [Module] Fixed a bug in progress reporting of the Get-ADReplAccount cmdlet.
• [Framework] Added support for KDS Root Key retrieval.
• [Framework] Replication errors are now reported using more suitable exception types.

PowerShell Gallery

For convenience, the DSInternals PowerShell module is also available on Microsoft's PowerShell Gallery.

NuGet Gallery

Official binary packages are available at NuGet Gallery.

Known Issues

• .NET Framework 4.5.1 is required for the module to be fully functional. Unfortunately, PowerShell versions prior to 5 ignore this prerequisite.