<

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x

Password Synchronization from one Active Directory Domain to another using DSInternals

Published on
6,589 Points
189 Views
4 Endorsements
Last Modified:
Editors:
Shaun Vermaak
My name is Shaun Vermaak and I have always been fascinated with technology and how we use it to enhance our lives and business.
This article shows a process of synchronizing password from on Active Directory domain to another, even if in another forest

Introduction


Password synchronization is crucial during co-exists of Active Directory domains. Syncronising password allows users to seamlessly log into the new environment. Password synchronization is a feature that most migration suites offer, usually at a pretty penny.


I have used DSInternals for various tasks when I have my security hat on, and one of those processes is detailed in my previous article. 


How to extract hashes from IFM backup

https://www.experts-exchange.com/articles/29569/How-to-extract-hashes-from-IFM-backup.html


It is a fantastic Powershell library by Michael Grafnetter and should be part of your toolset if you do IT security for your profession.


My Approach


I have previously done this with ADMT to do the initial password migration and FIM 2010 R2 to keep passwords in sync.


Another way is to use DSInternals and extract the hash from the source domain then set it on the target domain.


Below is a Powershell script I have put together. Note that I have purposefully left out function/parameters/checking if the hash is current etc. to hopefully promote collaboration on the repo.


Please see the comments inside the script for an explanation of each step. In short, it gets hashes from source domain and based on a group, sets it on the appropriate users.


Install-Module -Name DSInternals

# Create your credentials with these commands
# $credential = Get-Credential;
# $credential | Export-CliXml -Path 'C:\Temp\cred.xml';

# Configure your Source Domain configuration
$sourceDomainNetBIOS       = 'Domain1';
$sourceDomainFQDN          = 'Domain1.com';
$sourceDomainDN            = 'DC=Domain1,DC=com';
$sourceDomainCredential    = Import-CliXml -Path 'C:\Temp\Domain1.xml';

# Configure your Target Domain configuration
$targetDomainNetBIOS       = 'Domain2';
$targetDomainFQDN          = 'Domain2.com';
$targetDomainDN            = 'DC=Domain2,DC=com';
$targetDomainCredential    = Import-CliXml -Path 'C:\Temp\Domain2.xml';
$syncGroup                 = 'Some Group';

# Get Source Domain hashes
$hashes = Get-ADReplAccount -All -NamingContext $sourceDomainDN -Server $sourceDomainFQDN -Credential $sourceDomainCredential;

# The group of users to sync passwords for
$users = Get-ADGroupMember $syncGroup -server $targetDomainFQDN -Credential $targetDomainCredential;

# Loop through these users
foreach ($user in $users)
{
# Get the hash of the user in the hashes collection
$currentUserHash = $hashes | ? {$_.saMAccountName -eq $user.SamAccountName};

# Convert hash to string
$NTHash = ([System.BitConverter]::ToString($currentUserHash.NTHash) -replace '-','').ToLower();

# Set target domain password to the source domain hash
Set-SamAccountPasswordHash -SamAccountName $user.SamAccountName -Domain $targetDomainNetBIOS -NTHash $NTHash -Server $targetDomainFQDN -Credential $targetDomainCredential;
}


You can also clone it if you prefer

git clone https://svermaak@bitbucket.org/snippets/svermaak/kezMGE/password-sync.git


I hope you found this tutorial useful. You are encouraged to ask questions, report any bugs or make any other comments about it below.

 

Note: If you need further "Support" about this topic, please consider using the Ask a Question feature of Experts Exchange. I monitor questions asked and would be pleased to provide any additional support required in questions asked in this manner, along with other EE experts...  

 

Please do not forget to press the "Thumb's Up" button if you think this article was helpful and valuable for EE members.


It also provides me with positive feedback. Thank you!



4
0 Comments

Featured Post

Discover the Answer to Productive IT

Discover app within WatchGuard's Wi-Fi Cloud helps you optimize W-Fi user experience with the most complete set of visibility, troubleshooting, and network health features. Quickly pinpointing network problems will lead to more happy users and most importantly, productive IT.

Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month