Crack Active Directory User NTLM hash
#8
(01-03-2020, 05:19 PM)DanielG Wrote: "My thinking was to crack the old NTLM hash, key it into AD"

I think you can change it back without knowing what the old password was. You can set the old NTLM hash with
lsadump::ChangeNTLM /server:AD.local /user:accountname /old:current.hash /new:hash.you.found.in.old.file
then update those 50 devices, then set the new password back.

This way you won't need to run hashcat to find the old password.

This is exactly how I resolved the issue. Thanks for posting the information. However, I used the DSInternals version of this. It allowed me to inject the old hash directly into the domain controller that was the first one listed that the locked-out devices were replicating against.

Thanks so much for all of the help! This was a huge relief to gain access back into the equipment. This was far easier than traveling across the country and hoping local console access would have worked.

Thanks again!
Matt


Messages In This Thread
RE: Crack Active Directory User NTLM hash - by TurboMatt - 01-06-2020, 05:29 PM