Get-ADDBAccount: LAPS passwords

[modem2k2]

I have been testing the tool in my AD environment with LAPS enabled on many machines, although Get-ADDBAccount it works perfectly on my ntds.dis does not seem to be able to extract the clear credentials associated with the local Administrator computer accounts (stored under ms-MCS-adminpwd ). I think it would be an interesting feature and there is no tool right now that allows to do this.

[MichaelGrafnetter]

Hi @modem2k2 yes, that would be nice and I actually already thought about adding such feature.

[arsalanaltaf432]

Does DSInternals support getting password hash from Azure Active Directory(AAD)? (In AAD password hash are stored in SHA256)

[MichaelGrafnetter]

Does DSInternals support getting password hash from Azure Active Directory(AAD)? (In AAD password hash are stored in SHA256)

It's PBKDF2 actually and nope, there is no publicly available API for retrieving hashes from AAD.

[arsalanaltaf432]

Does DSInternals support getting password hash from Azure Active Directory(AAD)? (In AAD password hash are stored in SHA256)

It's PBKDF2 actually and nope, there is no publicly available API for retrieving hashes from AAD.

Thanks Michael. I have one more question does DSInternals support remote calls or it just works locally for Active Directory?

[MichaelGrafnetter]

Thanks Michael. I have one more question does DSInternals support remote calls or it just works locally for Active Directory?

Depends on what command you are asking about, as there are 30+cmdlets in DSInternals and some of them work with local backups of AD data and others communicate with DCs remotely over the network. See the documentation.

I'd be happy to answer any other questions you might have, but just please open new threads/issues, if they are unrelated to LAPS support.