


Even though regular LDAP reads of the "userpassword" attribute (as you can do on other directory products) will always be blocked completely in AD, you do not need to process the DIT file to acquire hashes from AD or AD LDS; there is protocol access as well. There is another official way to read hashes from AD or AD LDS, and it has officially been there since at least Server 2003. You need to use a special AD access permission (DS-Replication-Get-Changes-All) and an officially documented Microsoft protocol (the AD replication protocol). You need a special LDAP privilege assigned to an AD account for this, which is called "DS-Replication-Get-Changes-All" (v=vs.85).aspx

Differentiation: the DIRSYNC control can also be used with another, slightly different privilege called "DS-Replication-Get-Changes" (without the "-All" at the end). The privilege without "-All" at the end cannot extract sensitive password hash data. (There are commercial directory data sync products, like Microsoft MIIS/ILM/FIM/MIM, that rely on that privilege.)

A legitimate use of this DS-Replication-Get-Changes-All privilege is e.g. the Microsoft Azure AD password sync: it syncs your company AD passwords with Azure cloud passwords by transferring the hashes.

This is not a Microsoft internal secret; even 3rd party implementations exist, e.g.: (although this link overdoes it a bit by claiming this to be a hack). You are not hacking AD or the LDAP protocol with this, you are manually granting an AD privilege beforehand that is not there by default.
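Because the whole point above is that this privilege has to be granted explicitly on the domain naming context, the thing an administrator wants to know is who currently holds it. The following audit script is an added example, not code from the original post or from any Microsoft product; it assumes the RSAT ActiveDirectory module is installed and the session runs as a domain user who can read the domain object's security descriptor. It distinguishes the three replication extended rights by their well-known rightsGuid values, so that identities holding the "-All" variant (the one that can replicate password hashes) stand out from identities holding only the plain DS-Replication-Get-Changes right that sync products such as MIIS/ILM/FIM/MIM need.

```powershell
# Added example (not part of the original post). Assumes the RSAT ActiveDirectory
# module and a domain-joined session that can read the domain object's ACL.
Import-Module ActiveDirectory

# Well-known rightsGuid values of the three replication extended rights in the AD schema
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# The rights are granted on the domain naming context itself, so read that object's ACL
$domainDN = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDN"

$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Keep only Allow ACEs that grant one of the three replication extended rights
$grants = foreach ($ace in $acl.Access) {
    $guid = $ace.ObjectType.ToString().ToLower()
    if ($ace.AccessControlType -eq 'Allow' -and
        $ace.ActiveDirectoryRights.HasFlag($extendedRight) -and
        $ReplRights.ContainsKey($guid)) {
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Right     = $ReplRights[$guid]
            Inherited = $ace.IsInherited
        }
    }
}

# One row per identity: which of the three rights it holds. Rows with GetChangesAll = True
# are the accounts that can pull password hashes through the replication protocol.
$grants |
    Group-Object Identity |
    ForEach-Object {
        [pscustomobject]@{
            Identity      = $_.Name
            GetChanges    = ($_.Group.Right -contains 'DS-Replication-Get-Changes')
            GetChangesAll = ($_.Group.Right -contains 'DS-Replication-Get-Changes-All')
            FilteredSet   = ($_.Group.Right -contains 'DS-Replication-Get-Changes-In-Filtered-Set')
        }
    } |
    Sort-Object GetChangesAll -Descending |
    Format-Table -AutoSize
```

On a default domain the GetChangesAll rows are the built-in administrator and domain controller groups plus, where it is deployed, the Azure AD Connect sync account mentioned above; any other identity in that column is either a deliberate grant to a sync product that should be documented, or something to investigate. Running this periodically and diffing the output is a cheap way to notice when the privilege is granted to an account that has no business replicating secrets.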
