-
-
Notifications
You must be signed in to change notification settings - Fork 258
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Error handling for illegal characters #149
Comments
Hi @sdbruce1 , would you please be able to provide a PowerShell command, that would create such an account with a malformed DN? |
Hi Michael, after testing in my lab, I was unable to use Powershell to do such. A member of my team was able to replicate the the malformed object by using ASDI edit. We are investigating an internal tool that has caused that behavior. |
@sdbruce1 I was still not able to replicate the issue: |
Hi Michael, It seemed to me that Get-ADDBAccount functions but the pipe to Test Password quality is when we saw value cannot be null. The \ acted as an escape character and resulted in error. |
Hi Michael,
We use this command in our environment:
Get-ADDBAccount -All -DatabasePath $ntds -BootKey $Key | Test-PasswordQuality | Out-File report.txt
During a password audit, DSInternals completed Get-ADDBAccount successfully, but failed when piping results to Test-PasswordQuality. Error code is:
Get-ADDBAccount: Value cannot be null.
Parameter name: value
At line:1 char:1
We found a malformed object in Active Directory. Some of the attributes have been obscured, but please notice illegal character in DN and absence of name or full FQDN. This issue, as a side note, was caused by improper ASDI edit configuration.
DistinguishedName : CN=backslash (the character is omitted by Github so I had to type it out)
DNSHostName : .domain
Enabled : True
Name :
ObjectClass : computer
ObjectGUID : {Redacted, but valid}
SamAccountName : $
SID : {Redacted, but valid}
UserPrincipalName :
After removing the object from AD, DSInternals is working as expected again.
Wanting to bring this to your attention in case there is a way to allow the command to continue while excluding any AD object with illegal characters.
Thanks for your time.
The text was updated successfully, but these errors were encountered: