LinuxCommandLibrary

impacket-addcomputer

Add computer accounts to Active Directory

TLDR

View documentation for the original command

$ tldr addcomputer.py

SYNOPSIS

impacket-addcomputer [domain/user[:password]] [options] computername$

PARAMETERS

-h, --help
    Show help message and exit

-debug
    Enable DEBUG output

--use-ldaps
    Use LDAPS instead of LDAP (port 636)

-target-ip IP
    Target IP address (overrides resolver)

-dc-ip IP
    Domain Controller IP address

-domain DOMAIN
    Domain name

-user USER
    Domain username

-password PASS
    User password

-hashes LMHASH:NTHASH
    NTLM hashes for pass-the-hash

-aesKey HEXKEY
    AES encryption key (hex)

-k
    Use Kerberos auth from ccache

-no-pass
    Don't prompt for password (with -k)

-computer-pass PASS
    Password for new computer account (default: random)

DESCRIPTION

impacket-addcomputer is a Python-based tool from the Impacket suite for creating new computer (machine) accounts in Microsoft Active Directory domains via LDAP. It is commonly used in penetration testing and red team operations to enable persistence, lateral movement, or attacks like Resource-Based Constrained Delegation (RBCD).

By authenticating with domain credentials that hold the 'Create Computer objects' privilege (e.g., Domain Admins or delegated rights), the tool adds a new computer object, sets a servicePrincipalName (SPN) like HOST/computername, and configures a password (random or user-specified). The computername must end in $ to indicate a machine account.

It supports NTLM, Kerberos (-k), pass-the-hash (-hashes), and AES keys for authentication, targeting a specific Domain Controller (-dc-ip). Successful execution returns the new account's password and DN, facilitating further exploitation such as forging Kerberos tickets with tools like impacket-getST.

Primarily for offensive security, it requires network access to a DC on port 389/636 and appropriate permissions; misuse in production can lead to domain compromise.

CAVEATS

Requires LDAP access to the DC and the 'Create Computer objects' privilege. The computername must end in $. Not for production use; intended for pentesting. Fails if the quota is exceeded or there is a naming conflict.
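
When computer account management auditing is enabled, a Domain Controller records each new machine account as Windows Security event 4741 ("A computer account was created"). The following added example (not part of the original page or of Impacket) filters an exported event log for creations by accounts outside an allowlist and counts them per creator; the JSON-lines export layout, the sample records, and the svc-join account are assumptions constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample records: field names mirror Windows Security event 4741
# ("A computer account was created"); every value is made up for illustration.
SAMPLE_EVENTS = """\
{"EventID": 4741, "TimeCreated": "2024-05-01T09:12:03Z", "SubjectUserName": "svc-join", "TargetUserName": "WS-0142$"}
{"EventID": 4741, "TimeCreated": "2024-05-01T23:47:10Z", "SubjectUserName": "jdoe", "TargetUserName": "TEST$"}
{"EventID": 4624, "TimeCreated": "2024-05-01T23:47:30Z", "SubjectUserName": "-", "TargetUserName": "jdoe"}
{"EventID": 4741, "TimeCreated": "2024-05-01T23:49:55Z", "SubjectUserName": "jdoe", "TargetUserName": "TEST2$"}
"""

# Assumption: accounts expected to join machines in this environment (lowercase).
PROVISIONING_ACCOUNTS = {"svc-join"}


def parse_events(text):
    """Parse a JSON-lines export, keeping only computer-account creations."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or malformed lines
        if rec.get("EventID") == 4741:
            events.append(rec)
    return events


def find_unexpected_creations(events, allowed=PROVISIONING_ACCOUNTS):
    """Return one alert per machine account created by a non-allowlisted user."""
    per_creator = Counter()
    alerts = []
    for ev in events:
        creator = ev.get("SubjectUserName", "").lower()
        if creator in allowed:
            continue
        per_creator[creator] += 1  # running total, useful against the quota
        alerts.append({"time": ev.get("TimeCreated"), "creator": creator,
                       "computer": ev.get("TargetUserName"),
                       "created_so_far": per_creator[creator]})
    return alerts


if __name__ == "__main__":
    for alert in find_unexpected_creations(parse_events(SAMPLE_EVENTS)):
        print(alert)
```
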

EXAMPLE

impacket-addcomputer 'domain/user:Pass123!' -dc-ip 10.10.10.10 -computer-pass 'NewPass123$' TEST$
Creates TEST$ account with specified password.

REQUIREMENTS

Python 3, Impacket library (≥0.9.24), network access to the DC on port 389/636. Install via pip install impacket.

HISTORY

Developed as part of Impacket toolkit by SecureAuth (now Fox-IT) around 2016-2018. Evolved for modern AD attacks like RBCD; integrated into major pentest distros like Kali Linux.

SEE ALSO

impacket-GetADUsers, impacket-secretsdump, ldapsearch(1), samba-tool(1)
