Michael Grafnetter

@gw1966 Did they perform a password change or reset operation? Only admins can do a reset and thus bypass password history. > Hi. I have another enhancement request, we noticed...

@gw1966 As a quick solution, you could compare historical hashes of an account using [HashEqualityComparer](https://github.com/MichaelGrafnetter/DSInternals/blob/master/Src/DSInternals.Common/Cryptography/HashEqualityComparer.cs).

Hello @gw1966, I have a feeling that we are mixing too many things into this one thread. Another option would be doing something like this: ```powershell $accounts = Get-ADReplAccount -All...

Thanks. DSInternals actually uses direct MS-DRSR RPC calls instead of utilizing ntdsapi.dll. The code would thus need to be implemented in C++ in the [DRSConnection class](https://github.com/MichaelGrafnetter/DSInternals/blob/master/Src/DSInternals.Replication.Interop/DrsConnection.cpp) and by calling IDL_DRSAddSidHistory.

Hi @arnydo , for this to work, one would have to implement XML serialization in the DSAccount class and its subclasses. The default one does not go deep enough. But...

It is recommended to have a dedicated Privileged Access Workstation for this purpose. In a multi-forest environment, you could either use `runas /netonly...` or `Get-ADReplAccount -Credential...` to connect to DCs...

Well, I still want to implement Export-CliXml support, because I have never done such thing and I want to learn how to do it. So I will leave this issue...

Hi @ciyi , it is on the TODO list, but with a low priority, as this info can be retrieved from a ntds.dit file using the built-in `dsamain.exe` + `Get-ADPrincipalGroupMembership`.

Yes, you need RSAT (and AD LDS I think). But you can install them on Windows 7-10.

Hi @chlob, could you please check that 2 such DLL file are contained in the module you have acquired and that they are unblocked?