
Bypassing all Active Directory password policies with one RPC call (with PoC)
https://simpity.eu/blog/ad-password-policies-security-theater

Everyone is celebrating Microsoft's NTLM deprecation plan. And I think there's a major blind spot in the conversation.

NTLM the protocol and NTLM the hash are two completely different things. Microsoft is killing the protocol. Good. But the hash, which is how Windows stores your password in Active Directory, stays. Kerberos uses the exact same hash. It's not going anywhere.

And there's a Windows RPC function called SamrSetInformationUser that lets you write that hash directly into AD without ever submitting a plaintext password. Which means every password complexity rule you've configured (GPO policies, custom password filters, breached-password dictionaries) gets bypassed completely. Windows never sees the password, so it never validates it.

I put together two PowerShell scripts you can test in your own lab: one that demonstrates the attack, and one that defends against it by hooking SamrSetInformationUser inside the LSASS process a
Continue reading on Dev.to