Comments (3)
Stanvy
commented on July 20, 2024
Below is a simple concept code in PowerShell that makes it:
Add-Type -Language "CSharp" -TypeDefinition @"
using System;
using System.Text;
using System.Runtime.InteropServices;
namespace PInvoke
{
public class ntdsapi
{
[DllImport("ntdsapi.dll", SetLastError = true, CharSet = CharSet.Auto)]
public static extern UInt32 DsMakePasswordCredentials(
[MarshalAs(UnmanagedType.LPWStr)] String User,
[MarshalAs(UnmanagedType.LPWStr)] String Domain,
[MarshalAs(UnmanagedType.LPWStr)] String Password,
out IntPtr pAuthIdentity
);
[DllImport("ntdsapi.dll", SetLastError = true, CharSet = CharSet.Auto)]
public static extern void DsFreePasswordCredentials(
IntPtr AuthIdentity
);
[DllImport("ntdsapi.dll", SetLastError = true, CharSet = CharSet.Auto)]
public static extern UInt32 DsBindWithCred(
[MarshalAs(UnmanagedType.LPWStr)] String DomainControllerName,
[MarshalAs(UnmanagedType.LPWStr)] String DnsDomainName,
IntPtr AuthIdentity,
out IntPtr phDS
);
[DllImport("ntdsapi.dll", SetLastError = true, CharSet = CharSet.Auto)]
public static extern UInt32 DsUnBind(
IntPtr phDS
);
[DllImport("ntdsapi.dll", SetLastError = true, CharSet = CharSet.Auto)]
public static extern UInt32 DsAddSidHistory(
IntPtr hDS,
UInt32 Flags,
[MarshalAs(UnmanagedType.LPWStr)] String SrcDomain,
[MarshalAs(UnmanagedType.LPWStr)] String SrcPrincipal,
[MarshalAs(UnmanagedType.LPWStr)] String SrcDomainController,
IntPtr SrcDomainCreds,
[MarshalAs(UnmanagedType.LPWStr)] String DstDomain,
[MarshalAs(UnmanagedType.LPWStr)] String DstPrincipal
);
}
}
"@
[System.UInt32] $uiErrorCode = 0
[System.ComponentModel.Win32Exception] $objException = $null
[System.String] $strSourceUserName = "AdministratorUserName"
[System.String] $strSourceUserPassword = "AdministratorPassword"
[System.String] $strSourceUserDomainName = "DOMAIN"
[System.IntPtr] $hSourceAuthenticationIdentity = 0
[System.String] $strTargetUserName = $null
[System.String] $strTargetUserPassword = $null
[System.String] $strTargetUserDomainName = $null
[System.IntPtr] $hTargetAuthenticationIdentity = 0
[System.String] $strSourceDomainControllerFQDN = "PDC.source.com"
[System.String] $strSourceDomainFQDN = "source.com"
[System.IntPtr] $hSourceDirectoryService = 0
[System.String] $strTargetDomainControllerFQDN = $null
[System.String] $strTargetDomainFQDN = "target.com"
[System.IntPtr] $hTargetDirectoryService = 0
[System.String] $strSourcePrincipalUserName = "SAMAccountName"
[System.String] $strTargetPrincipalUserName = "SAMAccountName"
if ($strSourceUserName.Length) {
$uiErrorCode = [PInvoke.ntdsapi]::DsMakePasswordCredentials(
$strSourceUserName,
$strSourceUserDomainName,
$strSourceUserPassword,
[ref] $hSourceAuthenticationIdentity
)
} else {
$hSourceAuthenticationIdentity = 0
}
if ($strTargetUserName.Length) {
$uiErrorCode = [PInvoke.ntdsapi]::DsMakePasswordCredentials(
$strTargetUserName,
$strTargetUserDomainName,
$strTargetUserPassword,
[ref] $hTargetAuthenticationIdentity
)
} else {
$hTargetAuthenticationIdentity = 0
}
$uiErrorCode = [PInvoke.ntdsapi]::DsBindWithCred(
$strTargetDomainControllerFQDN,
$strTargetDomainFQDN,
$hTargetAuthenticationIdentity,
[ref] $hTargetDirectoryService
)
$uiErrorCode = [PInvoke.ntdsapi]::DsAddSidHistory(
$hTargetDirectoryService,
0,
$strSourceDomainFQDN,
$strSourcePrincipalUserName,
$strSourceDomainControllerFQDN,
$hSourceAuthenticationIdentity,
$strTargetDomainFQDN,
$strTargetPrincipalUserName
)
$objException = New-Object -TypeName System.ComponentModel.Win32Exception([System.Int32] $uiErrorCode)
$objException.Message
$uiErrorCode = [PInvoke.ntdsapi]::DsUnBind($hSourceDirectoryService)
[PInvoke.ntdsapi]::DsFreePasswordCredentials($hSourceAuthenticationIdentity)
$uiErrorCode = [PInvoke.ntdsapi]::DsUnBind($hTargetDirectoryService)
[PInvoke.ntdsapi]::DsFreePasswordCredentials($hTargetAuthenticationIdentity)
from dsinternals.
MichaelGrafnetter
commented on July 20, 2024
Thanks. DSInternals actually uses direct MS-DRSR RPC calls instead of utilizing ntdsapi.dll. The code would thus need to be implemented in C++ in the DRSConnection class and by calling IDL_DRSAddSidHistory.
from dsinternals.
Stanvy
commented on July 20, 2024
Initial point of this issue was to write values into "sIDHistory" attribute of target objects without taking AD database offline, like "Add-ADDBSidHistory" requires.
Replication protocol allows to read everything, including password hashes, but it doesn't allow to perform writes. Am I wrong about it?
from dsinternals.
Related Issues (20)
- Empty Password not returning full results HOT 3
- DSInternals.Replication.Interop.dll - File not found Exception on .NET 7/Core HOT 1
- ERROR: Package 'dsinternals' requires a different Python: 2.7.18 not in '>=3.4' HOT 1
- Unable to find pekList column Id? HOT 5
- Performance on very large databases? HOT 1
- Set-ADDBCompatibility HOT 1
- Extract users from specific OU or CN using DSInternals.Replication HOT 1
- Cmdlet for offline user unlock
- Password in plain text is missing HOT 1
- Modified Get-ADDBAccount to include more attributes : Object reference not set to an instance of an object. HOT 2
- Password Quality Result HOT 2
- Troubleshooting
- Memory consumption when running Get-ADDBAccount command HOT 1
- Get-ADReplAccount : The input is shorter than the minimum length. HOT 8
- DSInternals.Common.dll: Could not load file or assembly
- copied the database back to the original DC HOT 2
- Domain reference for Format-Custom views HOT 2
- Remove-ADDBObject : doesn't remove objects HOT 1
- Get-ADDBAccount - There was a problem reading the Database which probably comes from a different OS HOT 1
- Add-ADDBSidHistory / There was a problem reading the database, which probably comes from a different OS / After Exchange 2019 Schema Update HOT 8
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from dsinternals.