With the PoSH script made available through this blog post you can scan and check ALL accounts in the AD forest to get “Permissions At Object Level” related account information.
Through LDAP queries, this PoSH script retrieves the following information for every account in the AD forest that is able to authenticate:
- Domain FQDN (e.g. ‘IAMTEC.NET’)
- Domain NBT (e.g. ‘IAMTEC’)
- Domain DN (e.g. ‘DC=IAMTEC,DC=NET’)
- Sam Account Name (e.g. ‘jorge’)
- Account Name (e.g. ‘IAMTEC\jorge’)
- Account Type (computer, inetOrgPerson, msDS-GroupManagedServiceAccount, trust (user), user)
- Protected Group Membership (e.g. <comma separated list of group account names> or "No Memberships")
REMARK: With protected groups, the focus is ONLY on default AD Protected Groups (e.g. BUILTIN\Administrators", "<DOMAIN>\Domain Admins", etc.)
REMARK: if protected groups are listed then any ACEs for those protected groups are NOT listed to prevent an overload of ACEs - ACE On AdminSDHolder (e.g. <comma separated list of objects with configured permissions> or "No ACEs")
REMARK: If protected groups are listed then any ACEs for those protected groups are NOT listed to prevent an overload of ACEs
REMARK: It will only look at explicit defined ACEs. Inherited ACEs are NOT listed to prevent an overload of ACEs - Powerful ACEs On Objects (e.g. <comma separated list of objects with configured permissions> or "No ACEs")
REMARK: If protected groups are listed then any ACEs for those protected groups are NOT listed to prevent an overload of ACEs
REMARK: It will only look at explicit defined ACEs. Inherited ACEs are NOT listed to prevent an overload of ACEs
–
The following ACEs are considered powerful:
- Full Control
- Password Reset Control Access Rights
- Control Access Right In General
- WriteOwner (Allows to write the owner and that allows to write the DACL)
- Write DACL
- Write Property In General
- Write Property For “lockoutTime” (Unlocking Account)
- Write Property For “msDS-AllowedToDelegateTo” (Adding/removing accounts for account based delegation)
- Write Property For “msDS-AllowedToActOnBehalfOfOtherIdentity” (Adding/removing accounts for resourced based delegation)
- Write Property For “servicePrincipalName” (Adding/removing SPNs)
- Write Property For “userAccountControl” (Managing security/delegation settings, enabling/disabling account)
–
When the script finishes, it produces a CSV report that contains every account in the AD forest that can authenticate (user, computer, gMSA, inetOrgPerson) and potentially be a threat, and it displays that CSV in a GridView automatically. The CSV can of course also be used in Excel if needed. With this information you may be able to remove or fix configurations and/or get an idea how things look like to mitigate risks as much as possible!
While the script is running it logs every to a log file. which is in the same folder as the script itself.
–
This script requires:
- PowerShell Module: ActiveDirectory
- Basic User Permissions, Nothing Special!
–
Scan/Check All Accounts In The AD Forest And Create The Report
.\Scan-And-Check-All-Accounts-In-AD-Forest_04_Object-Level-Permissions-Info.ps1
–
The script has been tested in three different AD forests:
- AD forest with a Single AD domain with less than 500 accounts and quite some account config
- AD forest with a Single AD domain with approx. 150000 accounts and less account config
- AD forest with Multiple AD domains (Forest Root Domain, Child Domain and Tree Root Domain) with approx. respectively 4000, 25000 and 12000 accounts and less account config
–
Figure 1a: Sample Output Of The Log File
–
Figure 1b: Sample Output Of The Log File
–
Figure 1c: Sample Output Of The Log File
–
Figure 1d: Sample Output Of The Log File
–
To open the CSV on another computer and display it in GridView, execute the following command:
Import-CSV <Full Path To The CSV File> | Out-Gridview
Figure 2: Sample Output Of The CSV File Displayed In PowerShell GridView
–
To get the script, see: Scan And Check All Accounts In AD Forest – Object Level Permissions Info
–
Cheers,
Jorge
————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-