MichaelGrafnetter / DSInternals

Directory Services Internals (DSInternals) PowerShell Module and Framework
https://www.dsinternals.com
MIT License

Get-ADDBAccount output is empty and does not throw an error #155

Closed jcasale closed 1 year ago

jcasale commented 1 year ago

I am using a fully patched version of Windows Server 2022 (10.0.20348.1607), PowerShell 5.1, and DSInternals v4.9.

I am not getting any output or any errors when running Get-ADDBAccount against a copy of the ntds.dit file.

The procedure I am using is:

  1. Create a snapshot:
    C:\>diskshadow
    DISKSHADOW> SET CONTEXT PERSISTENT
    DISKSHADOW> SET METADATA c:\Windows\TEMP\metadata
    DISKSHADOW> WRITER VERIFY {afbab4a2-367d-4d15-a586-71dbb18f8485}
    DISKSHADOW> WRITER VERIFY {b2014c9e-8711-4c5c-a5a9-3cf384484757}
    DISKSHADOW> BEGIN BACKUP
    DISKSHADOW> ADD VOLUME C: ALIAS shadow_vol_c
    DISKSHADOW> CREATE
    DISKSHADOW> EXPOSE %shadow_vol_c% Z:
    DISKSHADOW> END BACKUP
    DISKSHADOW> EXIT
  2. Copy the ntds.dit and system registry file:
    C:\dump> copy Z:\Windows\System32\ntds.dit .
    C:\dump> copy Z:\Windows\System32\config\SYSTEM .
  3. Execute the cmdlet:
    PS C:\dump> $key = Get-BootKey -SystemHiveFilePath .\SYSTEM
    PS C:\dump> Get-ADDBAccount -All -BootKey $key -DatabasePath .\ntds.dit

There is no output nor any error produced by the cmdlet. Any ideas as to what I can check?

MichaelGrafnetter commented 1 year ago

Hi @jcasale, you are making several mistakes here:

  1. You have copied the initial database (the template used by the DC installer), which only contains the schema, but no user accounts. The database you are looking for is located in the C:\Windows\NTDS directory by default.
  2. You are not copying the corresponding transaction log files.
  3. If you are on a DC, create an IFM backup instead of a plain volume shadow copy.
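Taken from the defender's side, the commands in this thread (a diskshadow snapshot, copies of ntds.dit and the SYSTEM hive from the exposed volume, then Get-BootKey and Get-ADDBAccount against the copy) leave a recognizable trail in process-creation telemetry on a domain controller, and the IFM backup the maintainer recommends leaves one too. The following Python script is an added example for this page, not DSInternals code and not part of the issue: it scores constructed process-creation records per host against those indicators. The record layout, the sample events, the rule weights, the alert threshold, and the inclusion of vssadmin and of ntdsutil's "ifm" mode (neither of which is named in the thread) are all assumptions.

```python
"""Score process-creation records for the offline NTDS extraction pattern.

Added example for this issue thread; it is not DSInternals code. The record
layout, sample events, rule weights and alert threshold are all assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Pattern, Tuple

# Indicators drawn from the commands in the issue (diskshadow snapshot, copying
# ntds.dit and the SYSTEM hive, Get-BootKey / Get-ADDBAccount) plus ntdsutil's
# "ifm" mode, which produces the IFM backup the maintainer recommends.
# Weights are assumptions: the database file and the cmdlets are rarer in
# routine administration than a shadow-copy tool on its own.
RULES: List[Tuple[str, Pattern[str], int]] = [
    ("shadow-copy tool",       re.compile(r"\b(diskshadow|vssadmin)(\.exe)?\b", re.I), 1),
    ("ntds.dit referenced",    re.compile(r"ntds\.dit", re.I), 2),
    ("SYSTEM hive referenced", re.compile(r"\\config\\SYSTEM\b", re.I), 1),
    ("ntdsutil IFM",           re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b", re.I), 3),
    ("DSInternals cmdlet",     re.compile(r"\bGet-(ADDBAccount|BootKey)\b", re.I), 3),
]
ALERT_THRESHOLD = 3  # assumption: a shadow copy on its own never alerts

# Constructed sample records (host, image, command line); not real telemetry.
# Interactive diskshadow and interactive PowerShell cmdlets do not show their
# subcommands in a process-creation command line, so DC01's trail is mostly the
# file copies; the fourth record stands in for PowerShell script block logging.
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("DC01", "diskshadow.exe", "diskshadow"),
    ("DC01", "cmd.exe", "copy Z:\\Windows\\System32\\ntds.dit ."),
    ("DC01", "cmd.exe", "copy Z:\\Windows\\System32\\config\\SYSTEM ."),
    ("DC01", "powershell.exe", "Get-ADDBAccount -All -BootKey $key -DatabasePath .\\ntds.dit"),
    ("FS01", "robocopy.exe", "robocopy D:\\Shares E:\\Backup /MIR"),
    ("WS07", "powershell.exe", "Get-ADUser -Filter *"),
]


@dataclass
class HostReport:
    """Accumulated score and the (rule, command line) pairs behind it."""
    score: int = 0
    hits: List[Tuple[str, str]] = field(default_factory=list)


def classify(image: str, cmdline: str) -> List[str]:
    """Return the names of every rule that matches one record (each at most once)."""
    text = f"{image} {cmdline}"
    return [name for name, pattern, _ in RULES if pattern.search(text)]


def score_hosts(events: List[Tuple[str, str, str]]) -> Dict[str, HostReport]:
    """Aggregate rule hits per host so no single process has to carry the verdict."""
    weights = {name: weight for name, _, weight in RULES}
    reports: Dict[str, HostReport] = defaultdict(HostReport)
    for host, image, cmdline in events:
        for name in classify(image, cmdline):
            reports[host].score += weights[name]
            reports[host].hits.append((name, cmdline))
    return dict(reports)


def triage(events: List[Tuple[str, str, str]]) -> List[str]:
    """Hosts whose accumulated score reaches the threshold, highest score first."""
    scored = score_hosts(events)
    flagged = [h for h, report in scored.items() if report.score >= ALERT_THRESHOLD]
    return sorted(flagged, key=lambda h: -scored[h].score)


if __name__ == "__main__":
    reports = score_hosts(SAMPLE_EVENTS)
    for host in triage(SAMPLE_EVENTS):
        print(f"{host}: score {reports[host].score}")
        for name, cmdline in reports[host].hits:
            print(f"  {name:<24} {cmdline}")
```

Only DC01 reaches the threshold in the constructed sample; the file server doing a routine robocopy and the workstation running Get-ADUser score nothing. Because interactive diskshadow and interactive PowerShell sessions hide their subcommands from process-creation command lines, the correlation leans on the copies of ntds.dit and the SYSTEM hive and on script block logging for the cmdlets, which is why hits are summed per host rather than judged one process at a time.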