
Error handling for illegal characters

Open sdbruce1 opened this issue 2 years ago • 5 comments

Hi Michael,

We use this command in our environment: Get-ADDBAccount -All -DatabasePath $ntds -BootKey $Key | Test-PasswordQuality | Out-File report.txt

During a password audit, DSInternals completed Get-ADDBAccount successfully, but failed when piping results to Test-PasswordQuality. Error code is:

    Get-ADDBAccount: Value cannot be null.
    Parameter name: value
    At line:1 char:1
    + Get-ADDBAccount -All -DatabasePath $ntds -BootKey $Key | Test-PasswordQuality | Out-File report.txt
        + CategoryInfo : Not Specified: (:) [Get-ADDBAccount}, ArugmentNullException
        + FullyQualifiedErrorID : System.ArgumentNullException,DSINTERNALS.Powershell.Commands.GetADDBAccountCommand

We found a malformed object in Active Directory. Some of the attributes have been obscured, but please notice the illegal character in the DN and the absence of a name or full FQDN. This issue, as a side note, was caused by an improper ADSI Edit configuration.

    DistinguishedName : CN=backslash (the character is omitted by Github so I had to type it out)
    DNSHostName       : .domain
    Enabled           : True
    Name              :
    ObjectClass       : computer
    ObjectGUID        : {Redacted, but valid}
    SamAccountName    : $
    SID               : {Redacted, but valid}
    UserPrincipalName :

After removing the object from AD, DSInternals is working as expected again.

I wanted to bring this to your attention in case there is a way to allow the command to continue while excluding any AD object with illegal characters.

Thanks for your time.

sdbruce1 avatar Jan 12 '23 14:01 sdbruce1

Hi @sdbruce1, would you please be able to provide a PowerShell command that would create such an account with a malformed DN?

MichaelGrafnetter avatar Jan 12 '23 14:01 MichaelGrafnetter

Hi Michael, after testing in my lab, I was unable to use PowerShell to do so. A member of my team was able to replicate the malformed object by using ADSI Edit. We are investigating an internal tool that has caused that behavior.

sdbruce1 avatar Jan 12 '23 14:01 sdbruce1

@sdbruce1 I was still not able to replicate the issue: [screenshot] Could you please give me more hints on creating such an account? Could you please also share the exception stack trace?

MichaelGrafnetter avatar Feb 25 '23 05:02 MichaelGrafnetter

[screenshot]

sdbruce1 avatar Feb 28 '23 13:02 sdbruce1

Hi Michael, the account you have listed is a mirror of the account we saw. The issue comes when you run this sequence in PowerShell: Get-ADDBAccount -All -DatabasePath $ntds -BootKey $Key | Test-PasswordQuality | Out-File C:\users\user\desktop\dsi.txt

It seemed to me that Get-ADDBAccount functions, but the pipe to Test-PasswordQuality is when we saw "value cannot be null". The \ acted as an escape character and resulted in an error.

sdbruce1 avatar Feb 28 '23 13:02 sdbruce1
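A defensive pre-filter for the pipeline discussed in this thread, added here as an example; it is neither DSInternals code nor anything posted in the issue. It assumes that the ArgumentNullException is triggered by accounts whose identity attributes (Name, SamAccountName, DistinguishedName) are empty or whose DN carries a malformed backslash escape, as with the computer object above, and that `$ntds` and `$Key` are already set as in the original command; `Test-AccountIntegrity` is a hypothetical helper name.

```powershell
# Added example, not from the issue thread or the DSInternals project.
# Assumption: accounts with empty identity attributes or a malformed DN escape
# are what makes Test-PasswordQuality throw, so they are set aside for clean-up
# instead of aborting the whole audit.

function Test-AccountIntegrity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Account
    )
    process {
        $problems = @()
        foreach ($prop in 'DistinguishedName', 'SamAccountName', 'Name') {
            if ([string]::IsNullOrWhiteSpace($Account.$prop)) { $problems += "$prop is empty" }
        }
        # RFC 4514: a backslash inside a DN value must be followed by one of the
        # special characters or by two hex digits; anything else is a broken escape.
        if ($Account.DistinguishedName -match '\\(?![ ,+"\\<>;#=]|[0-9A-Fa-f]{2})') {
            $problems += 'malformed backslash escape in DistinguishedName'
        }
        [pscustomobject]@{ Account = $Account; Problems = $problems }
    }
}

# $ntds and $Key are assumed to hold the database path and boot key, as in the thread.
$checked = Get-ADDBAccount -All -DatabasePath $ntds -BootKey $Key | Test-AccountIntegrity

# Record the malformed objects (by ObjectGUID) so they can be fixed in AD ...
$checked | Where-Object { $_.Problems.Count -gt 0 } |
    ForEach-Object { "{0}`t{1}" -f $_.Account.ObjectGUID, ($_.Problems -join '; ') } |
    Out-File malformed-objects.txt

# ... and run the password audit only over the well-formed accounts.
$checked | Where-Object { $_.Problems.Count -eq 0 } |
    ForEach-Object { $_.Account } |
    Test-PasswordQuality |
    Out-File report.txt
```

The regex only flags escapes that RFC 4514 does not allow, so legitimately escaped names such as `CN=Smith\, John` still pass through to the audit.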