Migrating Active Directory Passwords

Wondering if anyone has had any experience or knows of a beginning PS topic of research regarding extracting/migrating Active Directory password hashes.

Summary:

My company hosts a remote environment where a client can RDP / Citrix into our terminal server cluster to access their hosted application resources. Often, these clients have their own local Active Directory domain with their own set of passwords. These clients frequently get confused, believing they can use their local AD account to authenticate to their remote hosted environment, and are not sure why they can't log in.

End game is that I would like to have something that will extract their hashed password on their local domain and automatically import that hash to their remote hosted environment so both accounts are always in sync.

I have no desire to recover the original password, but just to move the hash from one AD structure to another.

I have been reading about the unicodePwd password attribute, but not sure if this is the correct starting point regarding this problem.

https://social.technet.microsoft.com/Forums/ie/en-US/63e3cf2d-f186-418e-bc85-58bdc1861aae/view-password-hash-in-active-directory?forum=winserverfiles

At least for AD migration you can use this: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc974435(v=ws.10)?redirectedfrom=MSDN

You can use MIM to sync user accounts from one AD domain to another (including passwords).