
set-samaccountpasswordhash : Access is denied

Open xorded opened this issue 2 years ago • 7 comments

Hi

I can execute the Get-ADReplAccount without an issue. The user being used is an AD domain admin.

set-samaccountpasswordhash -domain westworld -samaccountname adadminuser -nthash ba17e001e5467d85d16ae7247947929c -server W8AAAADS01

    set-samaccountpasswordhash : Access is denied
    At line:1 char:1
    + set-samaccountpasswordhash -domain westworld -samaccountname adadminuser ...
        + CategoryInfo          : NotSpecified: (:) [Set-SamAccountPasswordHash], UnauthorizedAccessException
        + FullyQualifiedErrorId : System.UnauthorizedAccessException,DSInternals.PowerShell.Commands.SetSamAccountPasswordHashCommand

any ideas on why this is happening or how to solve it?
    

xorded avatar Feb 08 '23 18:02 xorded

Hard to tell. Is the powershell.exe elevated (Run as Administrator)?

MichaelGrafnetter avatar Feb 08 '23 18:02 MichaelGrafnetter

> Hard to tell. Is the powershell.exe elevated (Run as Administrator)?

yes

xorded avatar Feb 08 '23 18:02 xorded

OK. What about Get-SamPasswordPolicy -Domain westworld, does it work? And net user /domain? Had NetCease been applied to that environment? Or any other hardening? Does the Security log on the DC tell you anything, if you enable all Advanced Auditing categories?

MichaelGrafnetter avatar Feb 08 '23 18:02 MichaelGrafnetter

    MinPasswordLength           : 8
    ComplexityEnabled           : True
    ReversibleEncryptionEnabled : False
    MaxPasswordAge              : 31.00:00:00
    MinPasswordAge              : 8.00:00:00
    PasswordHistoryCount        : 24

net user also works fine, I even changed the password expiry with wmic and the same domain admin user.

It's a red team, so I actually stopped the auditing. I found another way to set the hash with smbpasswd, but I am just confused as to what would block your Set-SamAccountPasswordHash.

xorded avatar Feb 08 '23 19:02 xorded

That is strange. I only have a limited AD lab, just re-tested the cmdlet and had no issues. If you figure it out, keep me posted, pls. I would also be curious what mimikatz lsadump::setntlm does, as it seems to be using the same function.

MichaelGrafnetter avatar Feb 08 '23 20:02 MichaelGrafnetter

Do you know what type of permissions are needed by Set-SamAccountPasswordHash? Maybe I can check the permissions or something.

xorded avatar Feb 09 '23 04:02 xorded

Only the Reset password permission should be required. Just tested it in a clean AD environment with a fully updated Windows Server 2022 21H2 DC:


Command:

Set-SamAccountPasswordHash -SamAccountName joe -Domain contoso -NTHash e19ccf75ee54e06b06a5907af13cef42 -Server dc.contoso.com

MichaelGrafnetter avatar Feb 12 '23 18:02 MichaelGrafnetter
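
Since the last comment says only the Reset password permission should be required, an administrator can audit which principals hold that right on a given account. The following is an added example, not part of the thread or of DSInternals; it assumes the RSAT ActiveDirectory module is installed, and the function name `Get-ResetPasswordAce` is hypothetical.

```powershell
# Added example (not DSInternals code): list allow ACEs on a user object that
# grant the "Reset Password" extended right, directly or via all extended rights.
# Assumes the RSAT ActiveDirectory module, which provides Get-ADUser and the AD: drive.
Import-Module ActiveDirectory

# rightsGuid of the Reset Password (User-Force-Change-Password) control access right
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'

function Get-ResetPasswordAce {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )

    $user = Get-ADUser -Identity $SamAccountName
    $acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"

    foreach ($ace in $acl.Access) {
        # Deny ACEs are not evaluated here; review them separately.
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # Inherit-only ACEs are passed on to child objects and do not apply to this one.
        $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
        if ($ace.PropagationFlags.HasFlag($inheritOnly)) { continue }

        # GenericAll (Full Control) contains the ExtendedRight bit, so it is covered too.
        $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
        if (-not $ace.ActiveDirectoryRights.HasFlag($extended)) { continue }

        # An empty ObjectType GUID means the ACE covers every extended right.
        $isReset = $ace.ObjectType -eq $ResetPasswordGuid
        $isAll   = $ace.ObjectType -eq [guid]::Empty
        if (-not ($isReset -or $isAll)) { continue }

        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Scope     = if ($isReset) { 'Reset Password' } else { 'All extended rights' }
            Inherited = $ace.IsInherited
        }
    }
}

# Usage, with the account name from the test command above:
Get-ResetPasswordAce -SamAccountName joe | Format-Table -AutoSize
```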