Set Active Directory password hash to a SHA1 value?

I'm syncing users from an external system into ours. I need to set the user's password in our Active Directory.

I am only provided SHA1s of the external users' passwords, and setPassword will hash whatever is input.

  • Is setting the User's unicodePwd the actual hash field?
    • If so, can I just set it to the provided hash?
    • If not, how/can I set the hash being stored by Active-Directory?
sre asked Nov 06 '22 10:11


1 Answer

AD does not store just one type of hash. When you change your password, the DC receives the plaintext version of the password, checks its complexity and then generates and stores MD4, MD5, PBKDF2 (4096 * SHA1) and several other kinds of hashes. It is because each authentication mechanism (NTLM, Kerberos, Digest,...) uses a different hash function and AD needs to support them all.

The password hashes are stored in these AD attributes: unicodePwd, dBCSPwd, lmPwdHistory, ntPwdHistory and supplementalCredentials. For security reasons, you cannot read them through LDAP or ADSI. But I have recently found a way to retrieve them and created a PowerShell cmdlet that can do that:

Get-ADReplAccount -SamAccountName John -Domain Contoso -Server LON-DC1

There is also a poorly documented way to push MD4 hashes (AKA NT hashes) to workstation or AD through the legacy SAMR protocol. As there are no built-in commands that expose this functionality, I have created PowerShell cmdlets to do that, too.

To generate a NT hash, you can use this PowerShell command:

$hash = ConvertTo-NTHash (Read-Host -AsSecureString)

And finally, this command pushes the NT hash to AD:

Set-SamAccountPasswordHash -SamAccountName john -Domain ADATUM -NTHash $hash -Server dc1.adatum.com

These commands can be used to migrate passwords between local and domain accounts or between AD and Samba. But be careful, Kerberos-AES and WDigest authentication will not work with this account, only NTLM and Kerberos-RC4.

Michael Grafnetter answered Nov 15 '22 05:11
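The migration flow described in the answer, written out as a complete script. This is an added example, not code from the question or the answer; it uses the DSInternals PowerShell module that provides the three cmdlets the answer shows (ConvertTo-NTHash, Set-SamAccountPasswordHash, Get-ADReplAccount) and assumes that module is installed, that the caller has replication rights on the domain, and that the domain name, DC name and the input records are placeholders. The input is constructed to show the two inputs that can actually be migrated (an NT hash, or a plaintext from which one can be computed); a SHA1 of the password, which is all the asker has, cannot be turned into an NT hash, because the NT hash is MD4 over the UTF-16LE password and the SHA1 is a one-way digest of that same password.

```powershell
# Added example, not part of the original answer. Requires the DSInternals module
# (Install-Module DSInternals) and a caller with replication rights in the domain.
#Requires -Modules DSInternals
Import-Module DSInternals

$Domain = 'ADATUM'            # assumed NetBIOS domain name, placeholder
$Server = 'dc1.adatum.com'    # assumed domain controller FQDN, placeholder

# Constructed sample input. Each record carries either a 32-hex-char NT hash
# (MD4 of the UTF-16LE password) or a plaintext password. A SHA1 of the
# password cannot be migrated: there is no way to derive the NT hash from it.
# 8846F7EAEE8FB117AD06BDD830B7586C is the well-known NT hash of "password".
$Users = @'
SamAccountName,NTHash,Password
john,,P@ssw0rd!Migrate1
jane,8846F7EAEE8FB117AD06BDD830B7586C,
'@ | ConvertFrom-Csv

# Hypothetical helper: turn a hex string into the byte[] the -NTHash parameter expects.
function ConvertFrom-HexString {
    param([Parameter(Mandatory)][string]$Hex)
    if ($Hex.Length -ne 32) { throw "NT hash must be 32 hex characters, got $($Hex.Length)" }
    $bytes = [byte[]]::new($Hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    return $bytes
}

foreach ($u in $Users) {
    # Prefer a supplied NT hash; otherwise compute one from the plaintext, which
    # is the only other input ConvertTo-NTHash accepts.
    if ($u.NTHash) {
        $hash = ConvertFrom-HexString -Hex $u.NTHash
    }
    elseif ($u.Password) {
        $secure = ConvertTo-SecureString -String $u.Password -AsPlainText -Force
        $hash   = ConvertTo-NTHash -Password $secure
    }
    else {
        Write-Warning "$($u.SamAccountName): no NT hash or plaintext supplied, skipping"
        continue
    }

    # Push the NT hash over SAMR, as in the answer. Only unicodePwd is set this
    # way; no Kerberos AES keys or WDigest hashes are generated for the account.
    Set-SamAccountPasswordHash -SamAccountName $u.SamAccountName -Domain $Domain `
                               -NTHash $hash -Server $Server

    # Read the stored hash back through replication and confirm it matches.
    $account = Get-ADReplAccount -SamAccountName $u.SamAccountName -Domain $Domain -Server $Server
    $stored  = [BitConverter]::ToString([byte[]]$account.NTHash) -replace '-'
    $pushed  = [BitConverter]::ToString([byte[]]$hash) -replace '-'
    if ($stored -ne $pushed) {
        throw "$($u.SamAccountName): stored NT hash $stored does not match pushed hash $pushed"
    }
    Write-Host "$($u.SamAccountName): NT hash migrated and verified"

    # Because only the NT hash exists, the account can authenticate with NTLM and
    # Kerberos RC4 but not Kerberos AES. Forcing a password change at next logon
    # makes the DC regenerate the full set of hashes on the user's first sign-in.
    # Assumes the RSAT ActiveDirectory module is available.
    Set-ADUser -Identity $u.SamAccountName -ChangePasswordAtLogon $true -Server $Server
}
```

For the asker's actual situation (SHA1 digests only), the loop's skip branch is the honest outcome: the only options are to obtain NT hashes or plaintexts from the external system, or to issue temporary passwords and force a change at first logon.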