Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

set-samaccountpasswordhash : Access is denied #150

Open
xorded opened this issue Feb 8, 2023 · 7 comments
Open

set-samaccountpasswordhash : Access is denied #150

xorded opened this issue Feb 8, 2023 · 7 comments
Assignees
@MichaelGrafnetter
Labels
question

Comments

@xorded
Copy link

xorded commented Feb 8, 2023

hi

i can execute the Get-ADReplAccount without an issue. the user being used is an ad domain admin

set-samaccountpasswordhash -domain westworld -samaccountname adadminuser -nthash ba17e001e5467d85d16ae7247947929c -server W8AAAADS01

set-samaccountpasswordhash : Access is denied
At line:1 char:1

  • set-samaccountpasswordhash -domain westworld -samaccountname adadminuser ...
  •   + CategoryInfo          : NotSpecified: (:) [Set-SamAccountPasswordHash],
 UnauthorizedAccessException
  + FullyQualifiedErrorId : System.UnauthorizedAccessException,DSInternals.P
 owerShell.Commands.SetSamAccountPasswordHashCommand
 
 any ideas on why this is happening or how to solve it ?
@MichaelGrafnetter
Copy link
Owner

Hard to tell. Is the powershell.exe elevated (Run as Administrator)?

@MichaelGrafnetter MichaelGrafnetter self-assigned this Feb 8, 2023
@xorded
Copy link
Author

xorded commented Feb 8, 2023

Hard to tell. Is the powershell.exe elevated (Run as Administrator)?

yes

@MichaelGrafnetter
Copy link
Owner

MichaelGrafnetter commented Feb 8, 2023
edited

OK. What about Get-SamPasswordPolicy -Domain westworld, does it work? And net user /domain? Had NetCease been applied to that environment? Or any other hardening? Does the Security log on the DC tell you anything, if you enable all Advanced Auditing categories?

@xorded
Copy link
Author

xorded commented Feb 8, 2023

MinPasswordLength : 8
ComplexityEnabled : True
ReversibleEncryptionEnabled : False
MaxPasswordAge : 31.00:00:00
MinPasswordAge : 8.00:00:00
PasswordHistoryCount : 24

net user also works fine, i even changed the password expiry with wmic and same domain admin user

its a red team so i actually stopped the auditing, i found another way to set the hash with smbpasswd but i am just confused as to what would block your set-samaccountpasswordhash

@MichaelGrafnetter
Copy link
Owner

That is strange. I only have a limited AD lab, just re-tested the cmdlet and had no issues. If you figure it out, keep me posted, pls. I would also be curious what mimikatz lsadump::setntlm does, as it seems to be using the same function.

@xorded
Copy link
Author

xorded commented Feb 9, 2023

do you know what type of permissions are needed by set-samaccountpassword hash , maybe i can check the permissions or something

@MichaelGrafnetter
Copy link
Owner

Only the Reset password permission should be required. Just tested it in a clean AD environment with a fully updated Windows Server 2022 21H2 DC:

image

Command:

Set-SamAccountPasswordHash -SamAccountName joe -Domain contoso -NTHash e19ccf75ee54e06b06a5907af13cef42 -Server dc.contoso.com

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@MichaelGrafnetter MichaelGrafnetter

Labels
question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@MichaelGrafnetter @xorded