Releases: MichaelGrafnetter/DSInternals

DSInternals PowerShell Module 6.4

28 Mar 21:35
73830aa

Notable Changes

  • Fixed MS-SAMR authentication.
  • Fixed an arithmetic overflow in Test-PasswordQuality when using an empty dictionary file.

See the Changelog for a more detailed list of new features.

DSInternals PowerShell Module

NuGet Packages

Official binary packages are available in the NuGet Gallery.

DSInternals PowerShell Module 6.3

08 Feb 22:22
b49e877

Notable Changes

  • Added the Add-ADReplSidHistory cmdlet for SID history migration via MS-DRSR.
  • Improved generation of NGC keys to meet January 2026 Windows validation changes.
  • Removed Azure AD Graph API-related cmdlets.

See the Changelog for a more detailed list of new features.

DSInternals PowerShell Module

NuGet Packages

Official binary packages are available in the NuGet Gallery.

DSInternals PowerShell Module 6.2

05 Dec 21:32
fb00e53

Warning

Due to unexpected delays in code signing certificate renewal, this version of the PowerShell module is not digitally signed.
NuGet and Chocolatey packages will be released once a new code signing certificate is obtained.
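
A check a practitioner can run on a downloaded copy before importing it, given the warning above. This is an added example, not code from the DSInternals project; the function name `Test-ModuleSignature` and the path `C:\Temp\DSInternals` are assumptions.

```powershell
function Test-ModuleSignature {
    [CmdletBinding()]
    param(
        # Directory the module archive was extracted to (assumed location).
        [Parameter(Mandatory)]
        [string] $ModulePath
    )

    # File types in a PowerShell module that can carry an Authenticode signature.
    $signable = '*.ps1', '*.psm1', '*.psd1', '*.ps1xml', '*.dll'

    Get-ChildItem -Path $ModulePath -Recurse -File -Include $signable |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File       = $_.FullName
                # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
                Status     = $sig.Status
                # Empty for unsigned files, because there is no signer certificate.
                Signer     = $sig.SignerCertificate.Subject
                Thumbprint = $sig.SignerCertificate.Thumbprint
                # Lets an unsigned file be compared with a copy from a trusted source.
                SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

$results = @(Test-ModuleSignature -ModulePath 'C:\Temp\DSInternals')
$results | Format-Table File, Status, Signer -AutoSize

# Anything other than 'Valid' needs a decision before Import-Module is run.
$notValid = @($results | Where-Object Status -ne 'Valid')
if ($notValid.Count -gt 0) {
    Write-Warning "$($notValid.Count) of $($results.Count) file(s) are unsigned or fail validation."
}

# More than one signer thumbprint across a single release is also worth a look.
$signers = @($results | Where-Object Thumbprint | Select-Object -ExpandProperty Thumbprint -Unique)
if ($signers.Count -gt 1) {
    Write-Warning "Files are signed by $($signers.Count) different certificates."
}
```

For a release that ships unsigned, every file will report `NotSigned`, so the SHA256 column is the only value left to compare against a copy obtained from the official release page.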

Notable Changes

  • Disabled DES_CBC_MD5 Kerberos key derivation support due to recent Windows API changes.
  • The New-ADDBRestoreFromMediaScript cmdlet should no longer throw a NullReferenceException.
  • Removed the broken -Protocol parameter from replication cmdlets.

See the Changelog for a more detailed list of new features.

DSInternals PowerShell Module

DSInternals PowerShell Module 6.1.1

19 Aug 06:58
fb2274c

Notable Changes

  • Resolved issues with parsing LAPS passwords and key credentials.

See the Changelog for a more detailed list of new features.

DSInternals PowerShell Module

NuGet Packages

Official binary packages are available in the NuGet Gallery.

DSInternals PowerShell Module 6.1

17 Aug 17:19
0fa6708

Notable Changes

  • Fixed a bug in ntds.dit prefix table parsing.
  • Re-enabled native ARM64 support.
  • Fixed RSA public key operation issues in PowerShell Core.
  • Added the Integrity.Tests.ps1 script for checking module integrity.

See the Changelog for a more detailed list of new features.

DSInternals PowerShell Module

NuGet Packages

Official binary packages are available in the NuGet Gallery.

DSInternals PowerShell Module 6.0.1

14 Aug 09:12
ef36cd5

Notable Changes

Trust Objects

The new Get-ADDBTrust cmdlet can read inter-domain trust objects from ntds.dit files, decrypt the trust passwords, and derive the Kerberos trust keys:

PS C:\> Get-ADDBTrust -DatabasePath 'C:\ADBackup\ntds.dit' -BootKey c53a1d6ce3b391432863073cea763915

Sample output:

DistinguishedName: CN=adatum.com,CN=System,DC=contoso,DC=com
TrustPartner: adatum.com
FlatName: adatum
Sid: S-1-5-21-2072939287-465948493-1385512467
Direction: Bidirectional
Source: contoso.com
SourceFlatName: contoso
Type: Uplevel
Attributes: ForestTransitive
SupportedEncryptionTypes: AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96
Deleted: False
TrustAuthIncoming
  CurrentPassword: 鑵׶肞뚙ᝑ꣤ς搏ﴲᛍ⨾녰钳맦
  CurrentNTHash: a00b29a3ab2fe08bf169096798193290
  PreviousPassword: Pa$$w0rd
  PreviousNTHash: 92937945b518814341de3f726500d4ff
IncomingTrustKeys (Calculated)
  Credentials:
    AES256_CTS_HMAC_SHA1_96
      Key: f253328c380a20b24c59866ab5a4f222a7fdec9de05502b261de6bbccd392da9
      Iterations: 4096
    AES128_CTS_HMAC_SHA1_96
      Key: 039d99f0b5c78bd7d07e0fed28fe2cf8
      Iterations: 4096
    DES_CBC_MD5
      Key: 0ee92c61b66b5d0d
      Iterations: 4096
  OldCredentials:
    AES256_CTS_HMAC_SHA1_96
      Key: ab18197b48942fcbb8dab398f1b78fcbad8a223ff6779eb332f42f21655f5aa0
      Iterations: 4096
    AES128_CTS_HMAC_SHA1_96
      Key: 676c6a1e69f0ec7d78010e75e9c24b6f
      Iterations: 4096
    DES_CBC_MD5
      Key: 2afbc7d94fa4ab29
      Iterations: 4096
  OlderCredentials:
  ServiceCredentials:
  Salt: CONTOSO.COMkrbtgtadatum
  DefaultIterationCount: 4096
  Flags: 0
TrustAuthOutgoing
  CurrentPassword: 쩘僞◀ꝵ黠鯹안꽾仈퍯䢥鉑꾲
  CurrentNTHash: ea1d78e82a3e496eb65ccd9a108575d0
  PreviousPassword: Pa$$w0rd
  PreviousNTHash: 92937945b518814341de3f726500d4ff
OutgoingTrustKeys (Calculated)
  Credentials:
    AES256_CTS_HMAC_SHA1_96
      Key: 25668ca9f03154e3cf0509a01f51bb3a5fcac8200e69eb542e6f2ad4609d39ce
      Iterations: 4096
    AES128_CTS_HMAC_SHA1_96
      Key: 65a4c7a238f2cf8146f15db4dfda4bad
      Iterations: 4096
    DES_CBC_MD5
      Key: d90425dc58571a86
      Iterations: 4096
  OldCredentials:
    AES256_CTS_HMAC_SHA1_96
      Key: 214a5078f4fdb6405ca669a4ce9662cb631989d331585ce115c769c7218f6583
      Iterations: 4096
    AES128_CTS_HMAC_SHA1_96
      Key: efc764b4de373d40c3e9b173c0ee3a47
      Iterations: 4096
    DES_CBC_MD5
      Key: 9ec1cbd9163da72a
      Iterations: 4096
  OlderCredentials:
  ServiceCredentials:
  Salt: ADATUM.COMkrbtgtcontoso
  DefaultIterationCount: 4096
  Flags: 0

Full RODC Support

Database files (ntds.dit) originating from RODCs are now fully supported:

Get-ADDBAccount -DatabasePath 'C:\ADBackup\ntds.dit' `
                -BootKey e8502c7e1efb193eec3b625981ad90ed `
                -All `
                -ExportFormat HashcatNT |
    Where-Object NTHash -ne $null

Sample output:

john:92937945b518814341de3f726500d4ff
DMZ-WWW$:c53a1d6ce3b391432863073cea763915
krbtgt_20781:06bc0b46fa3ea0d2d28168366d61053b
DMZ-RODC$:8a6cf405873a668b2f4ab847a0450cc1

Under the Hood

  • PowerShell Core 7 and .NET SDK are now supported on the Windows platform.
  • All applicable resources, including the PowerShell module, NuGet packages, binaries, and scripts are digitally signed.
  • Pure CLR assemblies are built deterministically.
  • Performance improvements (more yet to come).

See the Changelog for a more detailed list of new features.

DSInternals PowerShell Module

NuGet Packages

Official binary packages are available in the NuGet Gallery.

DSInternals PowerShell Module 5.4.3

09 Jul 15:34

Notable Changes

Encrypted Windows LAPS Password Recovery

The Get-ADDBAccount cmdlet can now decrypt all Windows LAPS passwords using KDS Root Keys in offline mode, including msLAPS-EncryptedPassword, msLAPS-EncryptedPasswordHistory, msLAPS-EncryptedDSRMPassword, and msLAPS-EncryptedDSRMPasswordHistory attributes. This enables LAPS password retrieval even during Active Directory disaster recovery scenarios.

Example:

Get-ADDBAccount -DatabasePath 'C:\ADBackup\ntds.dit' -All -Properties LAPS |
    Select-Object -ExpandProperty LapsPasswords

Sample output:

ComputerName Account       Password                 Expires   Source
------------ -------       --------                 -------   -----
DC01         Administrator PluralTrimmingSuggest    2/3/2025  EncryptedDSRMPassword
DC02         Administrator RoundupFructoseRoundworm 2/3/2025  EncryptedDSRMPassword
ADFS01       WLapsAdmin    HerbsSkidUnproven        2/3/2025  EncryptedPassword
PC01         Administrator A6a3#7%eb!57be4a4B95Z433 1/24/2025 CleartextPassword

Note that a similar feature is available from Microsoft in Windows Insider build 27695 and later. This feature also requires RSAT to be installed and currently has some compatibility issues with VM Generation ID.

Offline Golden dMSA

The Get-ADDBServiceAccount cmdlet now retrieves both msDS-GroupManagedServiceAccount (gMSA) and msDS-DelegatedManagedServiceAccount (dMSA) object types from ntds.dit files and calculates their current managed passwords using KDS Root Keys.

Example:

Get-ADDBServiceAccount -DatabasePath 'C:\ADBackup\ntds.dit'

Sample output:

DistinguishedName: CN=svc_adfs,CN=Managed Service Accounts,DC=contoso,DC=com
Sid: S-1-5-21-2468531440-3719951020-3687476655-1109
Guid: 53c845f7-d9cd-471b-a364-e733641dcc86
SamAccountName: svc_adfs$
Description: ADFS Service Account
Enabled: True
Deleted: False
UserAccountControl: WorkstationAccount
SupportedEncryptionTypes: RC4_HMAC, AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96
ServicePrincipalName: {http/login.contoso.com, host/login.contoso.com}
WhenCreated: 9/9/2023 5:02:05 PM
PasswordLastSet: 9/9/2023 5:02:06 PM
ManagedPasswordInterval: 30
ManagedPasswordId: RootKey=7dc95c96-fa85-183a-dff5-f70696bf0b11, Cycle=9/9/2023 10:00:00 AM (L0=361, L1=26, L2=24)
ManagedPasswordPreviousId:
KDS Derived Secrets
  EffectivePasswordId: RootKey=7dc95c96-fa85-183a-dff5-f70696bf0b11, Cycle=6/25/2025 8:00:00 PM (L0=363, L1=11, L2=29)
  NTHash: 0b5fbfb646dd7bce4f160ad69edb86ba
  Kerberos Keys
    AES256_CTS_HMAC_SHA1_96
      Key: 5dcc418cd0a30453b267e6e5b158be4b4d80d23fd72a6ae4d5bd07f023517117
      Iterations: 4096
    AES128_CTS_HMAC_SHA1_96
      Key: 8e1e66438a15d764ae2242eefd15e09a
      Iterations: 4096

See the Changelog for a more detailed list of new features.

PowerShell Module

Standalone module for offline installation and for legacy PowerShell versions is attached. See the Installation Notes before proceeding.

PowerShell Gallery

The PowerShell module is also available on Microsoft's PowerShell Gallery.

Known Issues

The PowerShell module was originally released under version 5.4.1, but had to be re-packaged as 5.4.3, due to a broken signature of Microsoft's NuGet packages. The release of DSInternals Chocolatey and NuGet packages has been postponed until this issue gets resolved.

DSInternals PowerShell Module 5.3

11 Apr 10:57

Notable Changes

  • Resolved an issue with parsing the unixHomeDirectory attribute values.

See the Changelog for a more detailed list of new features.

PowerShell Module

Standalone module for offline installation and for legacy PowerShell versions is attached. See the Installation Notes before proceeding.

PowerShell Gallery

The PowerShell module is also available on Microsoft's PowerShell Gallery.

Chocolatey

An official Chocolatey package of the DSInternals PowerShell Module is also available.

NuGet Gallery

Official binary packages are available at NuGet Gallery.

DSInternals PowerShell Module 5.2

09 Apr 12:03

Notable Changes

  • Added the Set-ADDBAccountControl cmdlet for offline modification of the userAccountControl attribute flags.
  • The New-ADDBRestoreFromMediaScript cmdlet has a new parameter called -PostInstallScriptPath.

See the Changelog for a more detailed list of new features.

PowerShell Module

Standalone module for offline installation and for legacy PowerShell versions is attached. See the Installation Notes before proceeding.

PowerShell Gallery

The PowerShell module is also available on Microsoft's PowerShell Gallery.

Chocolatey

An official Chocolatey package of the DSInternals PowerShell Module is also available. Note that due to a strict approval process, the newest version of the package might appear with some delay.

NuGet Gallery

Official binary packages are available at NuGet Gallery.

DSInternals PowerShell Module 5.1

22 Mar 16:13

Notable Changes

  • Added the Get-ADDBDnsZone cmdlet for reading the list of AD-integrated DNS zones from an ntds.dit file.
  • The New-ADDBRestoreFromMediaScript cmdlet has a new parameter called -SkipDNSServer, which prevents the DNS Server role from being installed on the restored domain controller.

See the Changelog for a more detailed list of new features.

PowerShell Module

Standalone module for offline installation and for legacy PowerShell versions is attached. See the Installation Notes before proceeding.

PowerShell Gallery

The PowerShell module is also available on Microsoft's PowerShell Gallery.

Chocolatey

An official Chocolatey package of the DSInternals PowerShell Module is also available. Note that due to a strict approval process, the newest version of the package might appear with some delay.

NuGet Gallery

Official binary packages are available at NuGet Gallery.