Description: have windows server 2016 acting as an AD controller

ip=192.168.59.240 dc=DTEST,dc=RDI login='Администратор' pass='passw@rd' 

On another server, in another domain but on the same network, running CentOS, there is a dictionary of users with password hashes:

    users_hashes = {'user1': 'somenthash', 'user245': 'somenthash'}

Question: how do I use python-ldap to establish a connection to AD and bring all users and their NTHash into line with the dictionary? (The dictionary is not static; it will change over time, and users will be deleted and added.)

    1 answer

    Preliminary answer: this will not work.

    It is impossible to read the attribute that stores the user's password by working directly with AD over LDAP, by analogy with OpenLDAP, Sun Directory, etc.

    Due to AD's internal security design, this attribute can only be changed through a special password-change mechanism.

    There are options to read the password hash, but they require "intervention" on the domain controller. For example, hackers know how to pull hashes from the NTDS.dit file.

    Although, as they say, that is not certain. Perhaps I am behind the times in this matter.

    • You can change the password attribute in PowerShell: `Set-ADAccountPasswordHash -SamAccountName p_morozov -Domain test -Server test -NTHash 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'`. Can this command be applied via Python? - Andrew
    • @Andrew, call it remotely, or is Python installed on the server? And if we are talking about the ability to change the password, then it seems you can do it directly from Python; there is no need to use this command. - de_frag
    • In general, the idea was: the AD controller is on one machine, the script runs on another; the question is whether you can bind to the AD machine and edit users? In the end, just to make the accounts match. - Andrei
    • @Andrei, yes, everything is possible. You can bind to AD like this: binddn = "Администратор@DTEST.RDI" - de_frag
    • Thanks, I will keep going crazy; before this I tried to hook it up to OpenLDAP. - Andrei
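An added example (not from the question, the answer or the commenters) of what the LDAP-level "password-change mechanism" the answer refers to actually looks like with python-ldap: since AD neither returns nor accepts an NT hash over LDAP, the only thing a script can do from the CentOS side is an administrative reset of `unicodePwd` over LDAPS, which requires the cleartext password rather than the hash. The server address, base DN and bind DN are taken from the question and comments; the cleartext source dictionary, the helper names and the `(objectCategory=person)` filter are assumptions of this example.

```python
# Added example, not from the question or answer: a password-sync sketch with
# python-ldap against AD. LDAP can neither read nor write an NT hash; the only
# LDAP-level mechanism is an administrative reset of unicodePwd over an
# encrypted connection, which needs the cleartext password. The addresses, DNs
# and account names come from the question; cleartext input is an assumption.

LDAPS_URI = "ldaps://192.168.59.240"
BASE_DN = "dc=DTEST,dc=RDI"
BIND_DN = "Администратор@DTEST.RDI"  # UPN form, as suggested in the comments

def encode_unicode_pwd(password: str) -> bytes:
    """AD expects unicodePwd as the UTF-16LE encoding of the quoted password."""
    return f'"{password}"'.encode("utf-16-le")

def plan_sync(ad_names, wanted):
    """Compare sAMAccountNames read from AD with the source dictionary.
    wanted maps sAMAccountName -> cleartext password (constructed sample input).
    Returns (to_reset, missing_in_ad, stale_in_ad), each sorted."""
    ad, src = set(ad_names), set(wanted)
    return sorted(ad & src), sorted(src - ad), sorted(ad - src)

def build_reset_modlist(password: str):
    """python-ldap modlist for an admin reset (MOD_REPLACE, not a user change)."""
    import ldap  # imported lazily so the pure helpers work without python-ldap
    return [(ldap.MOD_REPLACE, "unicodePwd", [encode_unicode_pwd(password)])]

def sync_passwords(bind_password: str, wanted: dict) -> dict:
    """Bind over LDAPS, enumerate user accounts, reset those present in wanted."""
    import ldap
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)  # verify DC cert
    conn = ldap.initialize(LDAPS_URI)
    conn.simple_bind_s(BIND_DN, bind_password)
    try:
        entries = conn.search_s(BASE_DN, ldap.SCOPE_SUBTREE,
                                "(&(objectCategory=person)(objectClass=user)(sAMAccountName=*))",
                                ["sAMAccountName"])
        # AD returns referral entries with dn None; skip them
        dn_by_name = {e[1]["sAMAccountName"][0].decode(): e[0] for e in entries if e[0]}
        to_reset, missing, stale = plan_sync(dn_by_name, wanted)
        for name in to_reset:
            conn.modify_s(dn_by_name[name], build_reset_modlist(wanted[name]))
        # accounts missing in AD or absent from the dictionary are reported, not created/deleted
        return {"reset": to_reset, "missing_in_ad": missing, "stale_in_ad": stale}
    finally:
        conn.unbind_s()
```

The reset path only works over LDAPS or StartTLS; AD refuses a `unicodePwd` write on a plain port-389 connection, and a MOD_REPLACE by an administrator is a reset (the user's old password is not needed), which is why the bind account must hold the reset-password right on those objects.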