joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

A Glimpse At Some AdMod Security Descriptor Fun…

by @ 12:45 am on 11/23/2020. Filed under tech

So say you hate the Account Operators group as much as I do and want to just strip the AO ACEs off of objects… Then the output below is something you will like… Less than 30 seconds to strip all AO access off of 20 objects remotely from a non-domain-joined PC over wireless to a low-power virtual DC. How long would that take with DSACLS? ADUC? ADAC? Or even PowerShell, if you are brave enough to do Security Descriptors with PowerShell, especially with Security Principals that don’t exist on Windows 10?

Note: I am finally updating AdMod usage, which means I am getting close to a public release, the first public release since 2012. Not that I haven’t been updating it all along and personally using the updated versions (I call the joe-only versions BAdMon – Beta AdMod); I am just a TON more careful with AdMod than with AdFind because it can hurt you, and it can hurt you bad. While everyone should be testing everything they do before doing it in production, I don’t even want to help someone blow up their environment, so I try to do things as safely as possible.

[Sun 11/22/2020 22:18:21.39]
E:\DEV\cpp\vs\AdMod\Debug>adfind -rb cn=users -dsq | adfind -jsdenl ;;;;;"account operators"

AdFind V01.53.00cppBETA Joe Richards (support@joeware.net) October 2020

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)

dn:CN=Users,DC=lockout,DC=test,DC=loc
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];user;;BUILTIN\Account Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];group;;BUILTIN\Account Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];inetOrgPerson;;BUILTIN\Account Operators

dn:CN=WinRMRemoteWMIUsers__,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=Guest,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=Domain Computers,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=Cert Publishers,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=Domain Users,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=Domain Guests,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=RAS and IAS Servers,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=Allowed RODC Password Replication Group,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=Enterprise Read-only Domain Controllers,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=Read-only Domain Controllers,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Domain Controllers,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Administrator,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Denied RODC Password Replication Group,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=Enterprise Admins,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Domain Admins,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Group Policy Creator Owners,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=Schema Admins,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=krbtgt,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=ADACL-Root-ReanimateTombstone,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=dnsadmin,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=monitortest,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=Cloneable Domain Controllers,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=Protected Users,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=Key Admins,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=Enterprise Key Admins,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=DefaultAccount,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

27 Objects returned

[Sun 11/22/2020 22:18:26.60]
E:\DEV\cpp\vs\AdMod\Debug>adfind -rb cn=users -dsq | admod SD##ntsecuritydescriptor::{GETSD}{-D=(*;*;*;*;*;AO)}

AdMod V01.21.00cppBETA Joe Richards (support@joeware.net) November 2020

DN Count: 27

More DNs than allowed for by safety setting of 10
Use safety parameter to specify larger safety size.

The command did not complete successfully

[Sun 11/22/2020 22:19:03.67]
E:\DEV\cpp\vs\AdMod\Debug>adfind -rb cn=users -dsq | admod SD##ntsecuritydescriptor::{GETSD}{-D=(*;*;*;*;*;AO)} -unsafe

AdMod V01.21.00cppBETA Joe Richards (support@joeware.net) November 2020

DN Count: 27
Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)
Modifying specified objects…
   DN: CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=WinRMRemoteWMIUsers__,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Guest,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Domain Computers,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Cert Publishers,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Domain Users,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Domain Guests,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=RAS and IAS Servers,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Allowed RODC Password Replication Group,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Enterprise Read-only Domain Controllers,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Read-only Domain Controllers,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Domain Controllers,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Administrator,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Denied RODC Password Replication Group,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Enterprise Admins,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Domain Admins,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Group Policy Creator Owners,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Schema Admins,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=krbtgt,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=ADACL-Root-ReanimateTombstone,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=dnsadmin,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=monitortest,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Cloneable Domain Controllers,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Protected Users,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Key Admins,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Enterprise Key Admins,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=DefaultAccount,CN=Users,DC=lockout,DC=test,DC=loc…

The command completed successfully

[Sun 11/22/2020 22:19:32.58]
E:\DEV\cpp\vs\AdMod\Debug>adfind -rb cn=users -dsq | adfind -jsdenl ;;;;;"account operators"

AdFind V01.53.00cppBETA Joe Richards (support@joeware.net) October 2020

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)

dn:CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=WinRMRemoteWMIUsers__,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Guest,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Domain Computers,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Cert Publishers,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Domain Users,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Domain Guests,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=RAS and IAS Servers,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Allowed RODC Password Replication Group,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Enterprise Read-only Domain Controllers,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Read-only Domain Controllers,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Domain Controllers,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Administrator,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Denied RODC Password Replication Group,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Enterprise Admins,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Domain Admins,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Group Policy Creator Owners,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Schema Admins,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=krbtgt,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=ADACL-Root-ReanimateTombstone,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=dnsadmin,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=monitortest,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Cloneable Domain Controllers,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Protected Users,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Key Admins,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Enterprise Key Admins,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=DefaultAccount,CN=Users,DC=lockout,DC=test,DC=loc

27 Objects returned

[Sun 11/22/2020 22:19:40.82]
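To make the {-D=(*;*;*;*;*;AO)} pattern in the admod command above concrete, here is an added Python model (not code from the post and not part of AdMod) that splits each SDDL ACE into its six fields, drops every ACE whose fields match the wildcard pattern, and applies a DN-count safety limit like the one that stopped the first admod run. The reading of AdMod's pattern as six SDDL fields with '*' wildcards is my assumption, and the sample DACL strings are constructed, not pulled from the lab domain.

```python
import re
from fnmatch import fnmatchcase

# An SDDL ACE is six ';'-separated fields: type;flags;rights;object_guid;
# inherit_object_guid;trustee. The post's delete pattern (*;*;*;*;*;AO) is
# read here (an assumption about AdMod) as those six fields with '*' wildcards.
ACE_RE = re.compile(r"\(([^()]*)\)")

def parse_dacl(dacl):
    """Split 'D:<flags>(ace)(ace)...' into (flags, [6-tuple, ...])."""
    assert dacl.startswith("D:"), "expected an SDDL DACL string starting with 'D:'"
    flags = dacl[2:dacl.index("(")] if "(" in dacl else dacl[2:]
    aces = [tuple(a.split(";")) for a in ACE_RE.findall(dacl)]
    assert all(len(a) == 6 for a in aces), "malformed ACE: every ACE needs 6 fields"
    return flags, aces

def ace_matches(ace, pattern):
    """Field-by-field wildcard match (AO, DA, SY, AU are SDDL trustee aliases)."""
    return all(fnmatchcase(f, p) for f, p in zip(ace, pattern))

def strip_aces(dacl, pattern):
    """Return (new_dacl, removed_aces); DACL flags and ACE order are preserved."""
    pat = tuple(pattern.strip("()").split(";"))
    flags, aces = parse_dacl(dacl)
    removed = [a for a in aces if ace_matches(a, pat)]
    kept = [a for a in aces if not ace_matches(a, pat)]
    return "D:" + flags + "".join(f"({';'.join(a)})" for a in kept), removed

def plan_changes(objects, pattern, safety=10, unsafe=False):
    """Dry run over {dn: dacl}; refuse more than `safety` DNs unless unsafe=True,
    like the DN-count check that stopped the first admod run above."""
    if len(objects) > safety and not unsafe:
        raise RuntimeError(f"{len(objects)} DNs exceed safety limit of {safety}")
    return {dn: strip_aces(d, pattern) for dn, d in objects.items()}

# Constructed sample DACLs (not captured from the post): the Users container with
# object-specific AO create/delete-child ACEs, and a user with an AO full-control ACE.
SAMPLE = {
    "CN=Users,DC=lockout,DC=test,DC=loc":
        "D:AI(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)"
        "(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)"
        "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)",
    "CN=Guest,CN=Users,DC=lockout,DC=test,DC=loc":
        "D:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)",
}

if __name__ == "__main__":
    for dn, (new, removed) in plan_changes(SAMPLE, "(*;*;*;*;*;AO)").items():
        print(f"{dn}: {len(removed)} AO ACE(s) removed -> {new}")
```

Running the dry run first shows exactly which ACEs a pattern would take off each object before anything is written back.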
