https://simpity.eu/blog/ad-password-policies-security-theater
Everyone is celebrating Microsoft's NTLM deprecation plan. And I think there's a major blind spot in the conversation.
NTLM the protocol and NTLM the hash are two different things. Microsoft is retiring the protocol. Good. But the hash (the NT hash: an unsalted MD4 over the UTF-16LE password, stored in the account's unicodePwd attribute) is how Active Directory stores your password, and it stays. Kerberos with the RC4-HMAC encryption type uses that same NT hash as its key; the AES keys are derived separately from the password and a salt, but the NT hash is stored alongside them. It's not going anywhere.
And there's a Windows RPC function, SamrSetInformationUser (MS-SAMR), that lets a caller who holds the right to reset the target account's password write that hash directly into AD without ever submitting a plaintext password; mimikatz's lsadump::setntlm is the best-known implementation of exactly this call. Because the domain controller never sees a plaintext, every password rule you've configured (GPO complexity and length settings, password filter DLLs, breached-password dictionaries) is bypassed: those checks only run on a plaintext, and there is none to evaluate.
I put together two PowerShell scripts you can test in your own lab: one that demonstrates the attack, and one that defends against it by hooking SamrSetInformationUser inside the LSASS process at runtime.
The interesting part isn't the attack itself. It's that killing the NTLM protocol doesn't fix this, because the attack was never about the protocol. It targets how the hash gets written to the directory, and that problem survives the migration to Kerberos intact.
If you're building in the ITDR, PAM, or AD security space, I think this is worth your time.