Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Delegation Of Control’ Category

(2019-11-18) Active Directory Security Scan Of Accounts (Part 4)

Posted by Jorge on 2019-11-18


With the PoSH script made available through this blog post you can scan and check ALL accounts in the AD forest to get “Permissions At Object Level” related account information.

Through LDAP queries, this PoSH script retrieves the following information for every account in the AD forest that is able to authenticate:

  • Domain FQDN (e.g. ‘IAMTEC.NET’)
  • Domain NBT (e.g. ‘IAMTEC’)
  • Domain DN (e.g. ‘DC=IAMTEC,DC=NET’)
  • Sam Account Name (e.g. ‘jorge’)
  • Account Name (e.g. ‘IAMTEC\jorge’)
  • Account Type (computer, inetOrgPerson, msDS-GroupManagedServiceAccount, trust (user), user)
  • Protected Group Membership (e.g. <comma separated list of group account names> or "No Memberships")
    REMARK: With protected groups, the focus is ONLY on default AD Protected Groups (e.g. BUILTIN\Administrators", "<DOMAIN>\Domain Admins", etc.)
    REMARK: if protected groups are listed then any ACEs for those protected groups are NOT listed to prevent an overload of ACEs
  • ACE On AdminSDHolder (e.g. <comma separated list of objects with configured permissions> or "No ACEs")
    REMARK: If protected groups are listed then any ACEs for those protected groups are NOT listed to prevent an overload of ACEs
    REMARK: It will only look at explicit defined ACEs. Inherited ACEs are NOT listed to prevent an overload of ACEs
  • Powerful ACEs On Objects (e.g. <comma separated list of objects with configured permissions> or "No ACEs")
    REMARK: If protected groups are listed then any ACEs for those protected groups are NOT listed to prevent an overload of ACEs
    REMARK: It will only look at explicit defined ACEs. Inherited ACEs are NOT listed to prevent an overload of ACEs

The following ACEs are considered powerful:

  • Full Control
  • Password Reset Control Access Rights
  • Control Access Right In General
  • WriteOwner (Allows to write the owner and that allows to write the DACL)
  • Write DACL
  • Write Property In General
  • Write Property For “lockoutTime” (Unlocking Account)
  • Write Property For “msDS-AllowedToDelegateTo” (Adding/removing accounts for account based delegation)
  • Write Property For “msDS-AllowedToActOnBehalfOfOtherIdentity” (Adding/removing accounts for resourced based delegation)
  • Write Property For “servicePrincipalName” (Adding/removing SPNs)
  • Write Property For “userAccountControl” (Managing security/delegation settings, enabling/disabling account)

When the script finishes, it produces a CSV report that contains every account in the AD forest that can authenticate (user, computer, gMSA, inetOrgPerson) and potentially be a threat, and it displays that CSV in a GridView automatically. The CSV can of course also be used in Excel if needed. With this information you may be able to remove or fix configurations and/or get an idea how things look like to mitigate risks as much as possible!

While the script is running it logs every to a log file. which is in the same folder as the script itself.

This script requires:

  • PowerShell Module: ActiveDirectory
  • Basic User Permissions, Nothing Special!

Scan/Check All Accounts In The AD Forest And Create The Report

.\Scan-And-Check-All-Accounts-In-AD-Forest_04_Object-Level-Permissions-Info.ps1

The script has been tested in three different AD forests:

  • AD forest with a Single AD domain with less than 500 accounts and quite some account config
  • AD forest with a Single AD domain with approx. 150000 accounts and less account config
  • AD forest with Multiple AD domains (Forest Root Domain, Child Domain and Tree Root Domain) with approx. respectively 4000, 25000 and 12000 accounts and less account config

image

Figure 1a: Sample Output Of The Log File

image

Figure 1b: Sample Output Of The Log File

image

Figure 1c: Sample Output Of The Log File

image

Figure 1d: Sample Output Of The Log File

To open the CSV on another computer and display it in GridView, execute the following command:

Import-CSV <Full Path To The CSV File> | Out-Gridview

image

Figure 2: Sample Output Of The CSV File Displayed In PowerShell GridView

To get the script, see: Scan And Check All Accounts In AD Forest – Object Level Permissions Info

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Active Directory Domain Services (ADDS), AD Queries, Blog Post Series, Delegation Of Control, IT Pro Tools, PowerShell, Security, Security, Tooling/Scripting | Leave a Comment »

(2019-11-15) Active Directory Security Scan Of Accounts (Part 3)

Posted by Jorge on 2019-11-15


With the PoSH script made available through this blog post you can scan and check ALL accounts in the AD forest to get “Permissions At NC Level” related account information.

Through LDAP queries, this PoSH script retrieves the following information for every account in the AD forest that is able to authenticate:

  • Domain FQDN (e.g. ‘IAMTEC.NET’)
  • Domain NBT (e.g. ‘IAMTEC’)
  • Domain DN (e.g. ‘DC=IAMTEC,DC=NET’)
  • Sam Account Name (e.g. ‘jorge’)
  • Account Name (e.g. ‘IAMTEC\jorge’)
  • Account Type (computer, inetOrgPerson, msDS-GroupManagedServiceAccount, trust (user), user)
  • DS Repl Chng Perms (e.g. "<comma separated list of domain DNs> (<Assigned Security Principal>)" or "No Perms")
  • DS Repl Chng All Perms (e.g. "<comma separated list of domain DNs> (<Assigned Security Principal>)" or "No Perms")
  • Migr SID History Perms (e.g. "<comma separated list of domain DNs> (<Assigned Security Principal>)" or "No Perms")

When the script finishes, it produces a CSV report that contains every account in the AD forest that can authenticate (user, computer, gMSA, inetOrgPerson) and potentially be a threat, and it displays that CSV in a GridView automatically. The CSV can of course also be used in Excel if needed. With this information you may be able to remove or fix configurations and/or get an idea how things look like to mitigate risks as much as possible!

While the script is running it logs every to a log file. which is in the same folder as the script itself.

This script requires:

  • PowerShell Module: ActiveDirectory
  • Basic User Permissions, Nothing Special!

Scan/Check All Accounts In The AD Forest And Create The Report

.\Scan-And-Check-All-Accounts-In-AD-Forest_03_NC-Level-Permissions-Info.ps1

The script has been tested in three different AD forests:

  • AD forest with a Single AD domain with less than 500 accounts and quite some account config
  • AD forest with a Single AD domain with approx. 150000 accounts and less account config
  • AD forest with Multiple AD domains (Forest Root Domain, Child Domain and Tree Root Domain) with approx. respectively 4000, 25000 and 12000 accounts and less account config

image

Figure 1a: Sample Output Of The Log File

image

Figure 1b: Sample Output Of The Log File

image

Figure 1c: Sample Output Of The Log File

image

Figure 1d: Sample Output Of The Log File

To open the CSV on another computer and display it in GridView, execute the following command:

Import-CSV <Full Path To The CSV File> | Out-Gridview

image

Figure 2: Sample Output Of The CSV File Displayed In PowerShell GridView

To get the script, see: Scan And Check All Accounts In AD Forest – NC Level Permissions Info

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Active Directory Domain Services (ADDS), AD Queries, Blog Post Series, Delegation Of Control, IT Pro Tools, PowerShell, Security, Security, Tooling/Scripting | Leave a Comment »

(2019-11-08) Active Directory Security Scan Of Accounts

Posted by Jorge on 2019-11-08


This month will have a serious security focus in scanning your AD to determine all kinds of account configurations, see relations between those configurations and mitigate any security risks due to combined configurations. A simple example can be an account with unconstrained delegation configured while it has a weak/compromised password, etc, etc.

To scan the accounts within an Active Directory forest, I will be releasing 5 PowerShell scripts.

[Script 1] .\Scan-And-Check-All-Accounts-In-AD-Forest_01_Basic-Info.ps1

Features:

With the PoSH script made available through this blog post you can scan and check ALL accounts in the AD forest to get “basic” account information that is related to security.

Through LDAP queries, this PoSH script retrieves the following information for every account in the AD forest that is able to authenticate:

  • Domain FQDN (e.g. ‘IAMTEC.NET’)
  • Domain NBT (e.g. ‘IAMTEC’)
  • Domain DN (e.g. ‘DC=IAMTEC,DC=NET’)
  • Sam Account Name (e.g. ‘jorge’)
  • Account Name (e.g. ‘IAMTEC\jorge’)
  • Account Type (computer, inetOrgPerson, msDS-GroupManagedServiceAccount, trust (user), user)
  • User Principal Name  (e.g. ‘jorge@iamtec.nl’)
  • Display Name (e.g. Jorge de Almeida Pinto)
  • Enabled (e.g. TRUE or FALSE)
  • Locked (e.g. TRUE – At:<date/time> or FALSE – Never Locked or FALSE – Has Been Locked Before)
  • Account Expires On (e.g. <date/time> or NEVER)
  • Pwd Last Set On (e.g. <date/time> or "Must Chng At Next Logon")
  • Pwd Never Expires (e.g. TRUE or FALSE)
  • Last Logon Timestamp (e.g. <date/time> or NEVER)
  • Last Logon (RWDC) (e.g. <date/time> or NEVER Or NOT AVAILABLE (On ‘<FQDN RWDC>’))

[Script 2] .\Scan-And-Check-All-Accounts-In-AD-Forest_02_Delegation-Info.ps1

Features:

With the PoSH script made available through this blog post you can scan and check ALL accounts in the AD forest to get “Kerberos Delegation” related account information.

Through LDAP queries, this PoSH script retrieves the following information for every account in the AD forest that is able to authenticate:

  • Domain FQDN (e.g. ‘IAMTEC.NET’)
  • Domain NBT (e.g. ‘IAMTEC’)
  • Domain DN (e.g. ‘DC=IAMTEC,DC=NET’)
  • Sam Account Name (e.g. ‘jorge’)
  • Account Name (e.g. ‘IAMTEC\jorge’)
  • Account Type (computer, inetOrgPerson, msDS-GroupManagedServiceAccount, trust (user), user)
  • Service Principal Name(s) (e.g. <comma separated list of SPNs> or "No SPNs")
  • Acc Based Deleg Type (e.g. "No-Acc-Deleg" or "Acc-Unc-Deleg" or "Acc-Con-Deleg-AnyAuthN" or "Acc-Con-Deleg-KerbAuthN"
  • Acc Based Deleg To (e.g. <comma separated list of SPNs> or "No Delegated SPNs")
  • Res Based Deleg For (e.g. <comma separated list of user account names with type and domain listed> or "No-Res-Deleg"

[Script 3] .\Scan-And-Check-All-Accounts-In-AD-Forest_03_NC-Level-Permissions-Info.ps1

Features:

With the PoSH script made available through this blog post you can scan and check ALL accounts in the AD forest to get “Permissions At NC Level” related account information.

Through LDAP queries, this PoSH script retrieves the following information for every account in the AD forest that is able to authenticate:

  • Domain FQDN (e.g. ‘IAMTEC.NET’)
  • Domain NBT (e.g. ‘IAMTEC’)
  • Domain DN (e.g. ‘DC=IAMTEC,DC=NET’)
  • Sam Account Name (e.g. ‘jorge’)
  • Account Name (e.g. ‘IAMTEC\jorge’)
  • Account Type (computer, inetOrgPerson, msDS-GroupManagedServiceAccount, trust (user), user)
  • DS Repl Chng Perms (e.g. "<comma separated list of domain DNs> (<Assigned Security Principal>)" or "No Perms")
  • DS Repl Chng All Perms (e.g. "<comma separated list of domain DNs> (<Assigned Security Principal>)" or "No Perms")
  • Migr SID History Perms (e.g. "<comma separated list of domain DNs> (<Assigned Security Principal>)" or "No Perms")

[Script 4] .\Scan-And-Check-All-Accounts-In-AD-Forest_04_Object-Level-Permissions-Info.ps1

Features:

With the PoSH script made available through this blog post you can scan and check ALL accounts in the AD forest to get “Permissions At Object Level” related account information.

Through LDAP queries, this PoSH script retrieves the following information for every account in the AD forest that is able to authenticate:

  • Domain FQDN (e.g. ‘IAMTEC.NET’)
  • Domain NBT (e.g. ‘IAMTEC’)
  • Domain DN (e.g. ‘DC=IAMTEC,DC=NET’)
  • Sam Account Name (e.g. ‘jorge’)
  • Account Name (e.g. ‘IAMTEC\jorge’)
  • Account Type (computer, inetOrgPerson, msDS-GroupManagedServiceAccount, trust (user), user)
  • Protected Group Membership (e.g. <comma separated list of group account names> or "No Memberships")
    REMARK: With protected groups, the focus is ONLY on default AD Protected Groups (e.g. BUILTIN\Administrators", "<DOMAIN>\Domain Admins", etc.)
    REMARK: if protected groups are listed then any ACEs for those protected groups are NOT listed to prevent an overload of ACEs
  • ACE On AdminSDHolder (e.g. <comma separated list of objects with configured permissions> or "No ACEs")
    REMARK: If protected groups are listed then any ACEs for those protected groups are NOT listed to prevent an overload of ACEs
    REMARK: It will only look at explicit defined ACEs. Inherited ACEs are NOT listed to prevent an overload of ACEs
  • Powerful ACEs On Objects (e.g. <comma separated list of objects with configured permissions> or "No ACEs")
    REMARK: If protected groups are listed then any ACEs for those protected groups are NOT listed to prevent an overload of ACEs
    REMARK: It will only look at explicit defined ACEs. Inherited ACEs are NOT listed to prevent an overload of ACEs

[Script 5] \Scan-And-Check-All-Accounts-In-AD-Forest_05_Account-And-Password-Hygiene-Info.ps1

Features:

With the PoSH script made available through this blog post you can scan and check ALL accounts in the AD forest to get “Account And Password Hygiene” related information.

Through LDAP queries, this PoSH script retrieves the following information for every account in the AD forest that is able to authenticate:

  • Domain FQDN (e.g. ‘IAMTEC.NET’)
  • Domain NBT (e.g. ‘IAMTEC’)
  • Domain DN (e.g. ‘DC=IAMTEC,DC=NET’)
  • Sam Account Name (e.g. ‘jorge’)
  • Account Name (e.g. ‘IAMTEC\jorge’)
  • Account Type (computer, inetOrgPerson, msDS-GroupManagedServiceAccount, trust (user), user)
  • Enabled (e.g. TRUE or FALSE)
  • Pwd Last Set On (e.g. <date/time> or "Must Chng At Next Logon")
  • Has Adm Count Stamp (e.g. TRUE or FALSE)
  • Delegatable Adm (e.g. TRUE or FALSE)
  • Does Not Req Pre-AuthN (e.g. TRUE or FALSE)
  • Has Sid History (e.g. TRUE or FALSE)
  • Has LM Hash (e.g. TRUE or FALSE)
  • Has Default Pwd (e.g. TRUE or FALSE)
  • Has Blank Pwd (e.g. TRUE or FALSE)
  • Uses DES Keys Only (e.g. TRUE or FALSE)
  • Has Missing AES Keys (e.g. TRUE or FALSE)
  • Pwd Rev Encrypt (e.g. TRUE or FALSE)
  • Pwd Not Req (e.g. TRUE or FALSE)
  • Pwd Never Expires (e.g. TRUE or FALSE)
  • Has Shared Pwd (e.g. TRUE – Domain Shrd Pwd Grp x Of y or FALSE)
  • Compromised Pwd (e.g. TRUE or FALSE)
  • Most Used Hash (e.g. <hash> (<count>) or N.A.)

Interested in this? Stay tuned!

Thanks!

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Active Directory Domain Services (ADDS), AD Queries, Blog Post Series, Delegation, Delegation Of Control, IT Pro Tools, Kerberos Constrained Delegation, Last Logon Information, Passwords, PowerShell, Replication, Security, Tooling/Scripting | Leave a Comment »

(2014-09-13) PowerShell And DACLs In AD: Checking For Correct Canonical Order Of DACL

Posted by Jorge on 2014-09-13


PowerShell Code to check if the DACL of each OU in the AD domain is in canonical order or not.

Also see this blog post.

# Clear The Screen Clear-Host # Get The UI Config $uiConfig = (Get-Host).UI.RawUI $uiConfig.ForegroundColor = "Yellow" # Import The Required Module Import-Module ActiveDirectory #Get The RootDSE Info $rootDSE = Get-ADRootDSE # Get List Of OUs In AD Domain $listOfOUsToProcess = Get-ADOrganizationalUnit -Filter * | %{$_.DistinguishedName} # Process Each OU $OUsWithDACLInCanonicalOrder = @() $OUsWithDACLNOTInCanonicalOrder = @() $listOfOUsToProcess | %{ $ou = $_ $ouDrivePath = $("AD:\" + $ou) $aclOU = Get-Acl $ouDrivePath If ($aclOU.AreAccessRulesCanonical) { $ouObj = "" | Select "List Of OUs That DO Have The DACL In Canonical Order" $ouObj."List Of OUs That DO Have The DACL In Canonical Order" = $ou $OUsWithDACLInCanonicalOrder += $ouObj } If (!$aclOU.AreAccessRulesCanonical) { $ouObj = "" | Select "List Of OUs That DO NOT Have The DACL In Canonical Order" $ouObj."List Of OUs That DO NOT Have The DACL In Canonical Order" = $ou $OUsWithDACLNOTInCanonicalOrder += $ouObj } } $uiConfig.ForegroundColor = "Red" If ($OUsWithDACLNOTInCanonicalOrder.Count -eq 0) { $ouObj = "" | Select "List Of OUs That DO NOT Have The DACL In Canonical Order" $ouObj."List Of OUs That DO NOT Have The DACL In Canonical Order" = "+++ NONE +++" $OUsWithDACLNOTInCanonicalOrder += $ouObj } $OUsWithDACLNOTInCanonicalOrder | FT -Autosize $uiConfig.ForegroundColor = "Green" If ($OUsWithDACLInCanonicalOrder.Count -eq 0) { $ouObj = "" | Select "List Of OUs That DO NOT Have The DACL In Canonical Order" $ouObj."List Of OUs That DO NOT Have The DACL In Canonical Order" = "+++ NONE +++" $OUsWithDACLInCanonicalOrder += $ouObj } $OUsWithDACLInCanonicalOrder | FT -Autosize $uiConfig.ForegroundColor = "Yellow"

SNAGHTML322b396a

Figure 1: Checking The Canonical Order Of The DACL On All OUs In The AD Domain Through PowerShell

The PowerShell code for this script is included in a ZIP file. The ZIP file can be download from here.

The ZIP file contains all the scripts for the following blogs posts:

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Delegation Of Control, PowerShell, Tooling/Scripting | 6 Comments »

(2014-08-28) PowerShell And DACLs In AD: Removing All ACEs On Some Object

Posted by Jorge on 2014-08-28


PowerShell Code to remove all ACEs from one or multiple OUs for some security principal.

Example security principal: ADCORP\MyDelegationAdminGroup

# Clear The Screen Clear-Host # Get Script Location $scriptFolder = (Get-Location).Path # Get File With OUs To Process $fileWithListOfOUsToProcess = "List-Of-OUs-To-Process-For-Delegations.txt" # Import The Required Module Import-Module ActiveDirectory #Get The RootDSE Info $rootDSE = Get-ADRootDSE # Get List Of OUs To Process $listOfOUsToProcess = Get-Content $($scriptFolder + "\" + $fileWithListOfOUsToProcess) # Security Principal To Assign Permissions To $securityPrincipalAccount = "ADCORP\MyDelegatedAdminGroup" # Process Each OU $listOfOUsToProcess | %{ $ou = $_ $ouDrivePath = $("AD:\" + $ou) Write-Host "" Write-Host "Processing OU: $ou" -Foregroundcolor Cyan Write-Host " REMOVING ACEs..." Write-Host " Security Principal...: $securityPrincipalAccount" Write-Host "" $aclOU = Get-Acl $ouDrivePath $aclOU.Access | ?{$_.IdentityReference -eq $securityPrincipalAccount} | %{ $accessRule = $_ $aclOU.RemoveAccessRule($accessRule) } $aclOU | Set-Acl $ouDrivePath }

image

Figure 1: DACL Before Removal

If the removal action outputs "True", it means it found the ACE and it was removed. If the removal action outputs "False", it means it did not find the ACE and nothing was removed. 

image

Figure 2: Configuring The DACL Through PowerShell

image

Figure 3: DACL After Removal

The PowerShell code for this script is included in a ZIP file. The ZIP file can be download from here.

The ZIP file contains all the scripts for the following blogs posts:

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Delegation Of Control, PowerShell, Tooling/Scripting | 3 Comments »

(2014-08-26) PowerShell And DACLs In AD: Removing ACE For Some Extended Right On Some Object

Posted by Jorge on 2014-08-26


PowerShell Code to remove an ACE from one or multiple OUs for some security principal to some extended right (control access right) on some object.

Example object class: user

Example extended right: Reset Password

Example security principal: ADCORP\MyDelegationAdminGroup

# Clear The Screen Clear-Host # Get Script Location $scriptFolder = (Get-Location).Path # Get File With OUs To Process $fileWithListOfOUsToProcess = "List-Of-OUs-To-Process-For-Delegations.txt" # Import The Required Module Import-Module ActiveDirectory #Get The RootDSE Info $rootDSE = Get-ADRootDSE # Create Hash Table With The lDAPDisplayName And schemaIDGUID Of Each Schema Class And Attribute $mappingTable_lDAPDisplayName_schemaIDGUID = @{} Get-ADObject -SearchBase ($rootDSE.schemaNamingContext) ` -LDAPFilter "(schemaIDGUID=*)" ` -Properties lDAPDisplayName,schemaIDGUID | %{ $mappingTable_lDAPDisplayName_schemaIDGUID[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID } # Create Hash Table With The displayName And rightsGUID Of Each Extended Right (a.k.a. Control Access Right) $mappingTable_displayName_rightsGUID = @{} Get-ADObject -SearchBase $("CN=Extended-Rights," + $rootdse.ConfigurationNamingContext) ` -LDAPFilter "(&(objectClass=controlAccessRight)(rightsguid=*))" ` -Properties displayName,rightsGuid | %{ $mappingTable_displayName_rightsGUID[$_.displayName]=[System.GUID]$_.rightsGuid } # Get List Of OUs To Process $listOfOUsToProcess = Get-Content $($scriptFolder + "\" + $fileWithListOfOUsToProcess) # Object Class And Attribute To Assign Permissions For $scopedObject = "user" $schemaIDGUIDScopedObject = $mappingTable_lDAPDisplayName_schemaIDGUID[$scopedObject] $scopedCAR = "Reset Password" $schemaIDGUIDScopedCAR = $mappingTable_displayName_rightsGUID[$scopedCAR] $inheritanceScope = "Descendents" # Security Principal To Assign Permissions To $securityPrincipalAccount = "ADCORP\MyDelegatedAdminGroup" $securityPrincipalObject = New-Object System.Security.Principal.NTAccount($securityPrincipalAccount) # Define ACE $rightsCollection = [System.DirectoryServices.ActiveDirectoryRights]::"ExtendedRight" $aclType = [System.Security.AccessControl.AccessControlType]::"Allow" $aceDefinition = $securityPrincipalObject,$rightsCollection,$aclType,$schemaIDGUIDScopedCAR,$inheritanceScope,$schemaIDGUIDScopedObject $accessRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($aceDefinition) # Process Each OU $listOfOUsToProcess | %{ $ou = $_ $ouDrivePath = $("AD:\" + $ou) Write-Host "" Write-Host "Processing OU: $ou" -Foregroundcolor Cyan Write-Host " REMOVING ACE..." Write-Host " Security Principal...: $securityPrincipalAccount" Write-Host " ACL Type.............: $aclType" Write-Host " Access Type..........: $rightsCollection" Write-Host " Scoped CAR...........: $scopedCAR" Write-Host " Scoped Object Class..: $scopedObject" Write-Host " Scope................: $inheritanceScope" Write-Host "" $aclOU = Get-Acl $ouDrivePath $aclOU.RemoveAccessRule($accessRule) $aclOU | Set-Acl $ouDrivePath }

image

Figure 1: DACL Before Removal

If the removal action outputs "True", it means it found the ACE and it was removed. If the removal action outputs "False", it means it did not find the ACE and nothing was removed. 

image

Figure 2: Configuring The DACL Through PowerShell

image

Figure 3: DACL After Removal

The PowerShell code for this script is included in a ZIP file. The ZIP file can be download from here.

The ZIP file contains all the scripts for the following blogs posts:

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Delegation Of Control, PowerShell, Tooling/Scripting | 4 Comments »

(2014-08-24) PowerShell And DACLs In AD: Removing ACE For Write Property On Some Object

Posted by Jorge on 2014-08-24


PowerShell Code to remove a specific ACE from one or multiple OUs for some security principal on some object.

Example object class: user

Example permission: Write Property

Example attribute: employeeID

Example security principal: ADCORP\MyDelegationAdminGroup

# Clear The Screen Clear-Host # Get Script Location $scriptFolder = (Get-Location).Path # Get File With OUs To Process $fileWithListOfOUsToProcess = "List-Of-OUs-To-Process-For-Delegations.txt" # Import The Required Module Import-Module ActiveDirectory #Get The RootDSE Info $rootDSE = Get-ADRootDSE # Create Hash Table With The lDAPDisplayName And schemaIDGUID Of Each Schema Class And Attribute $mappingTable_lDAPDisplayName_schemaIDGUID = @{} Get-ADObject -SearchBase $($rootDSE.schemaNamingContext) ` -LDAPFilter "(schemaIDGUID=*)" ` -Properties lDAPDisplayName,schemaIDGUID | %{ $mappingTable_lDAPDisplayName_schemaIDGUID[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID } # Get List Of OUs To Process $listOfOUsToProcess = Get-Content $($scriptFolder + "\" + $fileWithListOfOUsToProcess) # Object Class And Attribute To Assign Permissions For $scopedObject = "user" $schemaIDGUIDScopedObject = $mappingTable_lDAPDisplayName_schemaIDGUID[$scopedObject] $scopedAttribute = "employeeID" $schemaIDGUIDScopedAttribute = $mappingTable_lDAPDisplayName_schemaIDGUID[$scopedAttribute] $inheritanceScope = "Descendents" # Security Principal To Assign Permissions To $securityPrincipalAccount = "ADCORP\MyDelegatedAdminGroup" $securityPrincipalObject = New-Object System.Security.Principal.NTAccount($securityPrincipalAccount) # Define ACE $rightsCollection = [System.DirectoryServices.ActiveDirectoryRights]::"WriteProperty" $aclType = [System.Security.AccessControl.AccessControlType]::"Allow" $aceDefinition = $securityPrincipalObject,$rightsCollection,$aclType,$schemaIDGUIDScopedAttribute,$inheritanceScope,$schemaIDGUIDScopedObject $accessRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($aceDefinition) # Process Each OU $listOfOUsToProcess | %{ $ou = $_ $ouDrivePath = $("AD:\" + $ou) Write-Host "" Write-Host "Processing OU: $ou" -Foregroundcolor Cyan Write-Host " REMOVING ACE..." Write-Host " Security Principal...: $securityPrincipalAccount" Write-Host " ACL Type.............: $aclType" Write-Host " Access Type..........: $rightsCollection" Write-Host " Scoped Attribute.....: $scopedAttribute" Write-Host " Scoped Object Class..: $scopedObject" Write-Host " Scope................: $inheritanceScope" Write-Host "" $aclOU = Get-Acl $ouDrivePath $aclOU.RemoveAccessRule($accessRule) $aclOU | Set-Acl $ouDrivePath }

image

Figure 1: DACL Before Removal

If the removal action outputs "True", it means it found the ACE and it was removed. If the removal action outputs "False", it means it did not find the ACE and nothing was removed. 

image

Figure 2: Configuring The DACL Through PowerShell

image

Figure 3: DACL After Removal

The PowerShell code for this script is included in a ZIP file. The ZIP file can be download from here.

The ZIP file contains all the scripts for the following blogs posts:

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Delegation Of Control, PowerShell, Tooling/Scripting | 5 Comments »

(2014-08-22) PowerShell And DACLs In AD: Removing ACE For Delete Some Object

Posted by Jorge on 2014-08-22


PowerShell Code to remove a specific ACE from one or multiple OUs for some security principal on some object.

Example object class: user

Example permission: Delete Child

Example security principal: ADCORP\MyDelegationAdminGroup

# Clear The Screen Clear-Host # Get Script Location $scriptFolder = (Get-Location).Path # Get File With OUs To Process $fileWithListOfOUsToProcess = "List-Of-OUs-To-Process-For-Delegations.txt" # Import The Required Module Import-Module ActiveDirectory #Get The RootDSE Info $rootDSE = Get-ADRootDSE # Create Hash Table With The lDAPDisplayName And schemaIDGUID Of Each Schema Class And Attribute $mappingTable_lDAPDisplayName_schemaIDGUID = @{} Get-ADObject -SearchBase $($rootDSE.schemaNamingContext) ` -LDAPFilter "(schemaIDGUID=*)" ` -Properties lDAPDisplayName,schemaIDGUID | %{ $mappingTable_lDAPDisplayName_schemaIDGUID[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID } # Get List Of OUs To Process $listOfOUsToProcess = Get-Content $($scriptFolder + "\" + $fileWithListOfOUsToProcess) # Object Class And Attribute To Assign Permissions For $scopedObject = "user" $schemaIDGUIDScopedObject = $mappingTable_lDAPDisplayName_schemaIDGUID[$scopedObject] $inheritanceScope = "All" # Security Principal To Assign Permissions To $securityPrincipalAccount = "ADCORP\MyDelegatedAdminGroup" $securityPrincipalObject = New-Object System.Security.Principal.NTAccount($securityPrincipalAccount) # Define ACE $rightsCollection = [System.DirectoryServices.ActiveDirectoryRights]::"DeleteChild" $aclType = [System.Security.AccessControl.AccessControlType]::"Allow" $aceDefinition = $securityPrincipalObject,$rightsCollection,$aclType,$schemaIDGUIDScopedObject,$inheritanceScope $accessRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($aceDefinition) # Process Each OU $listOfOUsToProcess | %{ $ou = $_ $ouDrivePath = $("AD:\" + $ou) Write-Host "" Write-Host "Processing OU: $ou" -Foregroundcolor Cyan Write-Host " REMOVING ACE..." Write-Host " Security Principal...: $securityPrincipalAccount" Write-Host " ACL Type.............: $aclType" Write-Host " Access Type..........: $rightsCollection" Write-Host " Scoped Object Class..: $scopedObject" Write-Host " Scope................: $inheritanceScope" Write-Host "" $aclOU = Get-Acl $ouDrivePath $aclOU.RemoveAccessRule($accessRule) $aclOU | Set-Acl $ouDrivePath }

image

Figure 1: DACL Before Removal

If the removal action outputs "True", it means it found the ACE and it was removed. If the removal action outputs "False", it means it did not find the ACE and nothing was removed. 

image

Figure 2: Configuring The DACL Through PowerShell

image

Figure 3: DACL After Removal

The PowerShell code for this script is included in a ZIP file. The ZIP file can be download from here.

The ZIP file contains all the scripts for the following blogs posts:

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Delegation Of Control, PowerShell, Tooling/Scripting | 3 Comments »

(2014-08-20) PowerShell And DACLs In AD: Adding ACE For Some Extended Right On Some Object

Posted by Jorge on 2014-08-20


PowerShell Code to add an ACE to one or multiple OUs for some security principal to some extended right (control access right) on some object.

Example object class: user

Example extended right: Reset Password

Example security principal: ADCORP\MyDelegationAdminGroup

# Clear The Screen Clear-Host # Get Script Location $scriptFolder = (Get-Location).Path # Get File With OUs To Process $fileWithListOfOUsToProcess = "List-Of-OUs-To-Process-For-Delegations.txt" # Import The Required Module Import-Module ActiveDirectory #Get The RootDSE Info $rootDSE = Get-ADRootDSE # Create Hash Table With The lDAPDisplayName And schemaIDGUID Of Each Schema Class And Attribute $mappingTable_lDAPDisplayName_schemaIDGUID = @{} Get-ADObject -SearchBase ($rootDSE.schemaNamingContext) ` -LDAPFilter "(schemaIDGUID=*)" ` -Properties lDAPDisplayName,schemaIDGUID | %{ $mappingTable_lDAPDisplayName_schemaIDGUID[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID } # Create Hash Table With The displayName And rightsGUID Of Each Extended Right (a.k.a. Control Access Right) $mappingTable_displayName_rightsGUID = @{} Get-ADObject -SearchBase $("CN=Extended-Rights," + $rootdse.ConfigurationNamingContext) ` -LDAPFilter "(&(objectClass=controlAccessRight)(rightsguid=*))" ` -Properties displayName,rightsGuid | %{ $mappingTable_displayName_rightsGUID[$_.displayName]=[System.GUID]$_.rightsGuid } # Get List Of OUs To Process $listOfOUsToProcess = Get-Content $($scriptFolder + "\" + $fileWithListOfOUsToProcess) # Object Class And Attribute To Assign Permissions For $scopedObject = "user" $schemaIDGUIDScopedObject = $mappingTable_lDAPDisplayName_schemaIDGUID[$scopedObject] $scopedCAR = "Reset Password" $schemaIDGUIDScopedCAR = $mappingTable_displayName_rightsGUID[$scopedCAR] $inheritanceScope = "Descendents" # Security Principal To Assign Permissions To $securityPrincipalAccount = "ADCORP\MyDelegatedAdminGroup" $securityPrincipalObject = New-Object System.Security.Principal.NTAccount($securityPrincipalAccount) # Define ACE $rightsCollection = [System.DirectoryServices.ActiveDirectoryRights]::"ExtendedRight" $aclType = [System.Security.AccessControl.AccessControlType]::"Allow" $aceDefinition = $securityPrincipalObject,$rightsCollection,$aclType,$schemaIDGUIDScopedCAR,$inheritanceScope,$schemaIDGUIDScopedObject $accessRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($aceDefinition) # Process Each OU $listOfOUsToProcess | %{ $ou = $_ $ouDrivePath = $("AD:\" + $ou) Write-Host "" Write-Host "Processing OU: $ou" -Foregroundcolor Cyan Write-Host " ADDING ACE..." Write-Host " Security Principal...: $securityPrincipalAccount" Write-Host " ACL Type.............: $aclType" Write-Host " Access Type..........: $rightsCollection" Write-Host " Scoped CAR...........: $scopedCAR" Write-Host " Scoped Object Class..: $scopedObject" Write-Host " Scope................: $inheritanceScope" Write-Host "" $aclOU = Get-Acl $ouDrivePath $aclOU.AddAccessRule($accessRule) $aclOU | Set-Acl $ouDrivePath }

image

Figure 1: Configuring The DACL Through PowerShell

image

Figure 2: The ACE That Was Added

The PowerShell code for this script is included in a ZIP file. The ZIP file can be download from here.

The ZIP file contains all the scripts for the following blogs posts:

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Delegation Of Control, PowerShell, Tooling/Scripting | 3 Comments »

(2014-08-18) PowerShell And DACLs In AD: Adding ACE For Read/Write Property On Some Object

Posted by Jorge on 2014-08-18


PowerShell Code to add an ACE to one or multiple OUs for some security principal to have read/write permissions for some attribute on some object.

Example object class: user

Example permission: Read Property and Write Property

Example attribute: employeeID

Example security principal: ADCORP\MyDelegationAdminGroup

# Clear The Screen Clear-Host # Get Script Location $scriptFolder = (Get-Location).Path # Get File With OUs To Process $fileWithListOfOUsToProcess = "List-Of-OUs-To-Process-For-Delegations.txt" # Import The Required Module Import-Module ActiveDirectory #Get The RootDSE Info $rootDSE = Get-ADRootDSE # Create Hash Table With The lDAPDisplayName And schemaIDGUID Of Each Schema Class And Attribute $mappingTable_lDAPDisplayName_schemaIDGUID = @{} Get-ADObject -SearchBase $($rootDSE.schemaNamingContext) ` -LDAPFilter "(schemaIDGUID=*)" ` -Properties lDAPDisplayName,schemaIDGUID | %{ $mappingTable_lDAPDisplayName_schemaIDGUID[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID } # Get List Of OUs To Process $listOfOUsToProcess = Get-Content $($scriptFolder + "\" + $fileWithListOfOUsToProcess) # Object Class And Attribute To Assign Permissions For $scopedObject = "user" $schemaIDGUIDScopedObject = $mappingTable_lDAPDisplayName_schemaIDGUID[$scopedObject] $scopedAttribute = "employeeID" $schemaIDGUIDScopedAttribute = $mappingTable_lDAPDisplayName_schemaIDGUID[$scopedAttribute] $inheritanceScope = "Descendents" # Security Principal To Assign Permissions To $securityPrincipalAccount = "ADCORP\MyDelegatedAdminGroup" $securityPrincipalObject = New-Object System.Security.Principal.NTAccount($securityPrincipalAccount) # Define ACE $rightsCollection = [System.DirectoryServices.ActiveDirectoryRights]::"ReadProperty","WriteProperty" $aclType = [System.Security.AccessControl.AccessControlType]::"Allow" $aceDefinition = $securityPrincipalObject,$rightsCollection,$aclType,$schemaIDGUIDScopedAttribute,$inheritanceScope,$schemaIDGUIDScopedObject $accessRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($aceDefinition) # Process Each OU $listOfOUsToProcess | %{ $ou = $_ $ouDrivePath = $("AD:\" + $ou) Write-Host "" Write-Host "Processing OU: $ou" -Foregroundcolor Cyan Write-Host " ADDING ACE..." Write-Host " Security Principal...: $securityPrincipalAccount" Write-Host " ACL Type.............: $aclType" Write-Host " Access Type..........: $rightsCollection" Write-Host " Scoped Attribute.....: $scopedAttribute" Write-Host " Scoped Object Class..: $scopedObject" Write-Host " Scope................: $inheritanceScope" Write-Host "" $aclOU = Get-Acl $ouDrivePath $aclOU.AddAccessRule($accessRule) $aclOU | Set-Acl $ouDrivePath }

image

Figure 1: Configuring The DACL Through PowerShell

image

Figure 2: The ACE That Was Added

image

Figure 3: Detailed Info Of The ACE

The PowerShell code for this script is included in a ZIP file. The ZIP file can be download from here.

The ZIP file contains all the scripts for the following blogs posts:

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Delegation Of Control, PowerShell, Tooling/Scripting | 3 Comments »

 
%d bloggers like this: