Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
tree: 0e5cc052ff

Fetching latest commit…

Cannot retrieve the latest commit at this time

..
Failed to load latest commit information.
bin
src
README

README

Use at your own risk. You don't need to execute this on a DC!


This will dump the Active Directory table in tsv format, from an offline
NTDS.dit file. This contains an ESENT (Extensible Storage Engine) database.
Ways to grab this file are vssadmin (win2k3/win2k8) or ntbackup (win2k).
"vssadmin create shadow /for=C:"
then copy .dit, .log, .chk, .edb and .jrs files from snapshot path
finally commit the logged operations to get a clean base:
"esentutl /r edb /d /i /8"

Some interesting column numbers, not necessary to use the tool:
"MSysObjects" contains the metadata, "datatable" is the actual AD table, "sd_table" contains the security descriptors
"ATTm3" is the Common-Name
"ATTm11" is the Organizational-Unit-Name
"ATTm1376281" is the Domain-Component
"ATTm131532" is the LDAP-Display-Name (of attributes)
"ATTm590480" is the User-Principal-Name
"ATTc131102" is the Attribute-ID (columns) column
"ATTj591540" is the msDS-IntId column, for specific attribute ids (exchange...)
"ATTk590689" is the Pek-List
"ATTm590045" is the usernames column,
"ATTk589879" is the DBCS-Pwd column, encrypted LMHash,
"ATTk589914" is the Unicode-Pwd column, encrypted NTHash,
"ATTr589970" is the Object-Sid column (last int32 of the struct is the RID)
"ATTr590433" is the Sid-History column
"ATTj589832" is the User-Account-Control column
"ATTr589949" is the Supplemental-Credentials column (storing the reversible encrypted passwords)
"ATTb590606" is the Object-Category column (for a given object)
"ATTb590607" is the Default-Object-Category column (index of an object category schema attribute)
"ATTp131353" is the NT-Security-Descriptor (in fact an index, big endian, to sd_id from sd_table)
"ATTk589972" is the Schema-ID-GUID (found in ACE InheritedObjectTypes)
"ATTm590164" is the Rights-Guid (found in ACE ObjectTypes)
"Ancestors_col" is the multi-valued int32 DN ancestors 
Exchange ms-Exch-Mailbox-Security-Descriptor: it depends. 
Look for it either in Attribute-ID or in msDS-IntId



Something went wrong with that request. Please try again.