
Set Active Directory password hash to a SHA1 value?

I'm syncing users from an external system into ours. I need to set the user's password in our Active Directory.

I am only provided SHA1s of the external users' passwords, and setPassword will hash whatever is input.

  • Is setting the User's unicodePwd the actual hash field?
    • If so, can I just set it to the provided hash?
    • If not, how/can I set the hash being stored by Active-Directory?


AD does not store just one type of hash. When you change your password, the DC receives the plaintext version of the password, checks its complexity and then generates and stores MD4, MD5, PBKDF2 (4096 * SHA1) and several other kinds of hashes. It is because each authentication mechanism (NTLM, Kerberos, Digest,...) uses a different hash function and AD needs to support them all.

The password hashes are stored in these AD attributes: unicodePwd, dBCSPwd, lmPwdHistory, ntPwdHistory and supplementalCredentials. For security reasons, you cannot read them through LDAP or ADSI. But I have recently found a way to retrieve them and created a PowerShell cmdlet that can do that:

Get-ADReplAccount -SamAccountName John -Domain Contoso -Server LON-DC1

There is also a poorly documented way to push MD4 hashes (AKA NT hashes) to workstation or AD through the legacy SAMR protocol. As there are no built-in commands that expose this functionality, I have created PowerShell cmdlets to do that, too.

To generate a NT hash, you can use this PowerShell command:

$hash = ConvertTo-NTHash (Read-Host -AsSecureString)

And finally, this command pushes the NT hash to AD:

Set-SamAccountPasswordHash -SamAccountName john -Domain ADATUM -NTHash $hash -Server dc1.adatum.com

These commands can be used to migrate passwords between local and domain accounts or between AD and Samba. But be careful, Kerberos-AES and WDigest authentication will not work with this account, only NTLM and Kerberos-RC4.


As far as I understand, you can't set unicodePwd to the actual hash field. You can use the userPasswd as you want for your own check, but it's not used by Active-Directory.


As far as I know, what you want is not possible. You can change/set passwords in AD using at least three different protocols:

  • LDAP (actually LDAPS)
  • Kerberos Change Password Protocol
  • NTLM - I am not sure if the latest versions of AD still support it

I am 100% sure that LDAP cannot be used, but you may want to check the other two, as there may be some way to do it with them.
