Author Posts

September 28, 2017 at 1:53 pm

trying to see if anyone succeeded in pulling this from powershell... There is a constructed attribute for a read only domain controller , which contains details about the cached accounts in it, msds-revealedusers .see command below ...................................................... Get-ADComputer Readonlydomaincontrollername -Server NAMEOFDOMAIN -Properties msds-revealedusers | select -ExpandProperty msds-revealedusers.

its a binary data, but trying to convert it into readable value as you see in the GUI in ADUC for the Read only domain controller ...

B:96:A00009001B0000004DCAD20F03000000F6781F56E3FEDD48818E932B355D4113CF836322000000009F4FAC1C00000000:CN=USERNAMEOU=OU1,OU=DC,OU=WHATEVER,OU=WHENEVER,DC=DC,DC=DOMAIN,DC=com

above is the data you get out with powershell , but the actual values via gui should be something with the lmpwdhistory,ntpwdhistory etc

https://msdn.microsoft.com/en-us/library/dd240133.aspx

September 28, 2017 at 5:11 pm

i found more and more about it, but no way or knowledge how to decode this. Only ADFIND is the tool which can decode this as of now.....

September 28, 2017 at 5:19 pm

searching more and more this is a "An octet string that contains a binary value and a distinguished name (DN)"

September 28, 2017 at 5:24 pm

yes i saw the frickesoft thing as well as the adfind stuff to decode....i really really wish there was a way from powershell to do this and read the stuff...