joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

11/23/2020

A Glimpse At Some AdMod Security Descriptor Fun…

by @ 12:45 am. Filed under tech

So say you hate Account Operators group as much as I do and want to just strip the AO ACEs off of objects… Then this output below is something you will like… Less than 30 seconds to strip all AO access off of 20 objects remotely from a non-domain joined PC over wireless to a low power virtual DC. How long to do that with DSACLS? ADUC? ADAC? Or even PowerShell if you are brave enough to do Security Descriptors with PowerShell especially with Security Principals that don’t exist on Windows 10.

Note: I am finally updating AdMod usage which means I am getting close to a public release. First public release since 2012. Not that I haven’t been updating it all along and personally been using the updated versions (I call the joe only versions BAdMon – Beta AdMod), I am just a TON more careful with AdMod than AdFind because it can hurt you, it can hurt you bad. While everyone should be testing everything they do before doing it in production, I don’t even want to help someone to blow up their environments so try to do things as safely as possible. 

[Sun 11/22/2020 22:18:21.39]
E:\DEV\cpp\vs\AdMod\Debug>adfind -rb cn=users -dsq | adfind -jsdenl ;;;;;"account operators"

AdFind V01.53.00cppBETA Joe Richards (support@joeware.net) October 2020

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)

dn:CN=Users,DC=lockout,DC=test,DC=loc
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];user;;BUILTIN\Account Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];group;;BUILTIN\Account Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];inetOrgPerson;;BUILTIN\Account Operators

dn:CN=WinRMRemoteWMIUsers__,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=Guest,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=Domain Computers,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=Cert Publishers,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=Domain Users,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=Domain Guests,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=RAS and IAS Servers,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=Allowed RODC Password Replication Group,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=Enterprise Read-only Domain Controllers,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=Read-only Domain Controllers,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Domain Controllers,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Administrator,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Denied RODC Password Replication Group,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=Enterprise Admins,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Domain Admins,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Group Policy Creator Owners,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=Schema Admins,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=krbtgt,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=ADACL-Root-ReanimateTombstone,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=dnsadmin,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=monitortest,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=Cloneable Domain Controllers,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=Protected Users,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=Key Admins,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=Enterprise Key Admins,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

dn:CN=DefaultAccount,CN=Users,DC=lockout,DC=test,DC=loc
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators

27 Objects returned

[Sun 11/22/2020 22:18:26.60]
E:\DEV\cpp\vs\AdMod\Debug>adfind -rb cn=users -dsq | admod SD##ntsecuritydescriptor::{GETSD}{-D=(*;*;*;*;*;AO)}

AdMod V01.21.00cppBETA Joe Richards (support@joeware.net) November 2020

DN Count: 27

More DNs than allowed for by safety setting of 10
Use safety parameter to specify larger safety size.

The command did not complete successfully

[Sun 11/22/2020 22:19:03.67]
E:\DEV\cpp\vs\AdMod\Debug>adfind -rb cn=users -dsq | admod SD##ntsecuritydescriptor::{GETSD}{-D=(*;*;*;*;*;AO)} -unsafe

AdMod V01.21.00cppBETA Joe Richards (support@joeware.net) November 2020

DN Count: 27
Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)
Modifying specified objects…
   DN: CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=WinRMRemoteWMIUsers__,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Guest,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Domain Computers,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Cert Publishers,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Domain Users,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Domain Guests,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=RAS and IAS Servers,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Allowed RODC Password Replication Group,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Enterprise Read-only Domain Controllers,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Read-only Domain Controllers,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Domain Controllers,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Administrator,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Denied RODC Password Replication Group,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Enterprise Admins,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Domain Admins,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Group Policy Creator Owners,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Schema Admins,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=krbtgt,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=ADACL-Root-ReanimateTombstone,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=dnsadmin,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=monitortest,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Cloneable Domain Controllers,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Protected Users,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Key Admins,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=Enterprise Key Admins,CN=Users,DC=lockout,DC=test,DC=loc…
   DN: CN=DefaultAccount,CN=Users,DC=lockout,DC=test,DC=loc…

The command completed successfully

[Sun 11/22/2020 22:19:32.58]
E:\DEV\cpp\vs\AdMod\Debug>adfind -rb cn=users -dsq | adfind -jsdenl ;;;;;"account operators"

AdFind V01.53.00cppBETA Joe Richards (support@joeware.net) October 2020

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)

dn:CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=WinRMRemoteWMIUsers__,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Guest,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Domain Computers,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Cert Publishers,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Domain Users,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Domain Guests,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=RAS and IAS Servers,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Allowed RODC Password Replication Group,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Enterprise Read-only Domain Controllers,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Read-only Domain Controllers,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Domain Controllers,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Administrator,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Denied RODC Password Replication Group,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Enterprise Admins,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Domain Admins,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Group Policy Creator Owners,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Schema Admins,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=krbtgt,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=ADACL-Root-ReanimateTombstone,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=dnsadmin,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=monitortest,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Cloneable Domain Controllers,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Protected Users,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Key Admins,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=Enterprise Key Admins,CN=Users,DC=lockout,DC=test,DC=loc

dn:CN=DefaultAccount,CN=Users,DC=lockout,DC=test,DC=loc

27 Objects returned

[Sun 11/22/2020 22:19:40.82]

Rating 4.33 out of 5

11/22/2020

Looking for the proper Holiday Ornament for this very tricky year?

by @ 1:59 am. Filed under general

Look no further, check out the custom ornament my niece put together just for 2020.

https://www.etsy.com/shop/CustomDesignByBrooke

Grinch Stink Stank Stunk Ornament image 0

ENJOY!

   joe

Rating 4.00 out of 5

10/10/2020

9 out of 10 hackers prefer AdFind for AD Recon…

by @ 2:51 pm. Filed under general

https://thedfirreport.com/2020/10/08/ryuks-return/

This isn’t the first I have read about AdFind being used by bad actors, it won’t be the last.

I first started hearing about AdFind being used in exploits and recon work roughly 2.5 or so years ago when IR teams and Security Researchers started emailing me about it and asking for hashes of older versions etc. AdFind is not, by far, the first of my tools used by the bad actors, it won’t be the last. I have had several tools used by them over the years and have shown up in malware packages as well as anti-hacker toolkits (none of which I ever get any sort of kickback for – so you know who you are that make money off of me, wth???). I mean come on, who can blame them? The tools are fast and they work and don’t require a huge infrastructure around them to function and will often work in environments when other heavier tools based on fat frameworks go sideways. Perfect for Admins trying to get shit done and hackers trying to get into shit, quickly.

With that being said, dear hackers… if you are making money off my tools, how about you do me a solid and do some donating by clicking that Pay Pal button up in the corner?? I mean seriously, if you can score a few million USD in ransom you can easily kick me $100k or so right? Seriously. It is only fair.

And you pen testers and other anti-hackers, how about you too step up and donate.

    joe

Rating 4.78 out of 5

8/18/2020

Beta version of AdMod and DACLs…

by @ 12:57 am. Filed under tech

Thoughts?

[Tue 08/18/2020  0:24:46.40]
E:\DEV\cpp\vs\AdMod\Debug>adfind -f ou=tobedeleted  -jsdenl

AdFind V01.53.00cppBETA Joe Richards (support@joeware.net) July 2020

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)
Base DN: DC=lockout,DC=test,DC=loc

dn:OU=tobedeleted,DC=lockout,DC=test,DC=loc
[OWNER] LOCKOUT\Domain Admins
[GROUP] LOCKOUT\Domain Admins
[DACL] (FLAGS:INHERIT)
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];inetOrgPerson;;BUILTIN\Account Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];computer;;BUILTIN\Account Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];group;;BUILTIN\Account Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];printQueue;;BUILTIN\Printer Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];user;;BUILTIN\Account Operators
[DACL] ALLOW;;[FC];;;LOCKOUT\Domain Admins
[DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
[DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\Authenticated Users
[DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM

1 Objects returned

[Tue 08/18/2020  0:24:51.87]
E:\DEV\cpp\vs\AdMod\Debug>adfind -f ou=tobedeleted -daclpipe | admod "SD##ntsecuritydescriptor::{{.}}{+D=AI(A;;[CR CHILD][DEL CHILD];;;WD)}{+O=EA}{-D=(*;*;*;*;*;AO)}{-D=(*;*;*;*;*;AO)}{+D=(DENY;;[del tree][del];;;everyone)}"

AdMod V01.21.00cppBETA Joe Richards (support@joeware.net) August 2020

DN Count: 1
Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)

Modifying specified objects…
   DN: OU=tobedeleted,DC=lockout,DC=test,DC=loc…

The command completed successfully

[Tue 08/18/2020  0:25:02.79]
E:\DEV\cpp\vs\AdMod\Debug>adfind -f ou=tobedeleted  -jsdenl

AdFind V01.53.00cppBETA Joe Richards (support@joeware.net) July 2020

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)
Base DN: DC=lockout,DC=test,DC=loc

dn:OU=tobedeleted,DC=lockout,DC=test,DC=loc
[OWNER] LOCKOUT\Enterprise Admins
[GROUP] LOCKOUT\Domain Users
[DACL] (FLAGS:INHERIT)
[DACL] DENY;;[DEL TREE][DEL];;;Everyone
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];printQueue;;BUILTIN\Printer Operators
[DACL] ALLOW;;[FC];;;LOCKOUT\Domain Admins
[DACL] ALLOW;;[CR CHILD][DEL CHILD];;;Everyone
[DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
[DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\Authenticated Users
[DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM

1 Objects returned

Rating 4.00 out of 5

7/9/2020

Clearing the DENY DELETE EVERYONE from OUs with AdFind|AdMod

by @ 4:17 pm. Filed under tech

Another common thing that people want to do from the command line with AdFind | AdMod is to clear the “Protect object from accidental deletion” setting that is implemented with a deny delete ACE on the object, specifically

[DACL] DENY;;[DEL TREE][DEL];;;Everyone

As mentioned previously, the Security Descriptor is a BLOB so you have to deal with an whole DACL at once. This is a pretty easy mod though.

You simply have to remove the “(D;;DTSD;;;WD)” portion of the SDDL.

That looks like:

adfind -b <BASE> –f <FILTER> ntsecuritydescriptor -rawsddlexpl -rawsddlnl -onlydacl -csvmvdelim "|" -adcsv | admod SD##ntsecuritydescriptor::{{.:r:(D;;DTSD;;;WD):}}

So for example:

[Thu 07/09/2020 14:46:27.47]
E:\DEV\cpp\vs\AdMod\Debug>
[Thu 07/09/2020 14:49:18.38]
E:\DEV\cpp\vs\AdMod\Debug>adfind -f ou=tobedeleted -jsdenl

AdFind V01.53.00cppBETA Joe Richards (support@joeware.net) May 2020

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)
Base DN: DC=lockout,DC=test,DC=loc

dn:OU=tobedeleted,DC=lockout,DC=test,DC=loc
[OWNER] LOCKOUT\Domain Admins
[GROUP] LOCKOUT\Domain Admins
[DACL] (FLAGS:INHERIT)
[DACL] DENY;;[DEL TREE][DEL];;;Everyone
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];inetOrgPerson;;BUILTIN\Account Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];computer;;BUILTIN\Account Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];group;;BUILTIN\Account Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];printQueue;;BUILTIN\Printer Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];user;;BUILTIN\Account Operators
[DACL] ALLOW;;[FC];;;LOCKOUT\Domain Admins
[DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
[DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\Authenticated Users
[DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM

1 Objects returned

[Thu 07/09/2020 14:50:50.40]
E:\DEV\cpp\vs\AdMod\Debug>adfind -f ou=tobedeleted ntsecuritydescriptor -rawsddlexpl -rawsddlnl -onlydacl -csvmvdelim "|" -adcsv | admod SD##ntsecuritydescriptor::{{.:r:(D;;DTSD;;;WD):}}

AdMod V01.21.00cppBETA Joe Richards (support@joeware.net) June 2020

DN Count: 1
Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)

Modifying specified objects…
   DN: OU=tobedeleted,DC=lockout,DC=test,DC=loc…

The command completed successfully

[Thu 07/09/2020 14:51:05.75]
E:\DEV\cpp\vs\AdMod\Debug>adfind -f ou=tobedeleted -jsdenl

AdFind V01.53.00cppBETA Joe Richards (support@joeware.net) May 2020

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)
Base DN: DC=lockout,DC=test,DC=loc

dn:OU=tobedeleted,DC=lockout,DC=test,DC=loc
[OWNER] LOCKOUT\Domain Admins
[GROUP] LOCKOUT\Domain Admins
[DACL] (FLAGS:INHERIT)
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];inetOrgPerson;;BUILTIN\Account Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];computer;;BUILTIN\Account Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];group;;BUILTIN\Account Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];printQueue;;BUILTIN\Printer Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];user;;BUILTIN\Account Operators
[DACL] ALLOW;;[FC];;;LOCKOUT\Domain Admins
[DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
[DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\Authenticated Users
[DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM

1 Objects returned

And what if you want to put it back?

[Thu 07/09/2020 14:51:15.15]
E:\DEV\cpp\vs\AdMod\Debug>adfind -f ou=tobedeleted -jsdenl

AdFind V01.53.00cppBETA Joe Richards (support@joeware.net) May 2020

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)
Base DN: DC=lockout,DC=test,DC=loc

dn:OU=tobedeleted,DC=lockout,DC=test,DC=loc
[OWNER] LOCKOUT\Domain Admins
[GROUP] LOCKOUT\Domain Admins
[DACL] (FLAGS:INHERIT)
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];inetOrgPerson;;BUILTIN\Account Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];computer;;BUILTIN\Account Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];group;;BUILTIN\Account Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];printQueue;;BUILTIN\Printer Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];user;;BUILTIN\Account Operators
[DACL] ALLOW;;[FC];;;LOCKOUT\Domain Admins
[DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
[DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\Authenticated Users
[DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM

1 Objects returned

[Thu 07/09/2020 14:53:08.62]
E:\DEV\cpp\vs\AdMod\Debug>adfind -f ou=tobedeleted ntsecuritydescriptor -rawsddlexpl -rawsddlnl -onlydacl -csvmvdelim "|" -adcsv | admod SD##ntsecuritydescriptor::{{.:r:AI(:AI(D;;DTSD;;;WD)(}}

AdMod V01.21.00cppBETA Joe Richards (support@joeware.net) June 2020

DN Count: 1
Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)

Modifying specified objects…
   DN: OU=tobedeleted,DC=lockout,DC=test,DC=loc…

The command completed successfully

[Thu 07/09/2020 14:53:16.31]
E:\DEV\cpp\vs\AdMod\Debug>adfind -f ou=tobedeleted -jsdenl

AdFind V01.53.00cppBETA Joe Richards (support@joeware.net) May 2020

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)
Base DN: DC=lockout,DC=test,DC=loc

dn:OU=tobedeleted,DC=lockout,DC=test,DC=loc
[OWNER] LOCKOUT\Domain Admins
[GROUP] LOCKOUT\Domain Admins
[DACL] (FLAGS:INHERIT)
[DACL] DENY;;[DEL TREE][DEL];;;Everyone
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];inetOrgPerson;;BUILTIN\Account Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];computer;;BUILTIN\Account Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];group;;BUILTIN\Account Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];printQueue;;BUILTIN\Printer Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];user;;BUILTIN\Account Operators
[DACL] ALLOW;;[FC];;;LOCKOUT\Domain Admins
[DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
[DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\Authenticated Users
[DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM

1 Objects returned

    joe

Rating 4.60 out of 5

How Do I Make an Object’s Security Descriptor Inheritable and also while I am at it… resetting from AdminSDHolder…

by @ 12:18 pm. Filed under tech

I recently received an email of:

<SNIP>

I have a bunch of previously sensitive&protected accounts where I like to enable inheritance..

Is it possible to remove protected inheritance flag with admod?

<SNIP>

The quick answer to the direct question is yes, there is an easy way to turn inheritance back on for an arbitrary object or set of objects with AdFind|Admod.

You need to send the current Security Descriptor of the object into AdMod and ask it to tweak the DACL flags. Well really you only need the Explicit DACL portion of the Security Descriptor, not the rest. But it works with it nibbled down to just that or not.

So something like:

adfind -s <base> -f <filter> ntsecuritydescriptor -rawsddlexpl -rawsddlnl -onlydacl -adcsv | admod SD##ntsecuritydescriptor::{{.:$r$D:PAI$D:AI}} -exterr

For example:

adfind -default -f "&(objectclass=user)(admincount=1)" ntsecuritydescriptor -rawsddlexpl -rawsddlnl -onlydacl -adcsv | admod SD##ntsecuritydescriptor::{{.:$r$D:PAI$D:AI}} -exterr

The reason you have to pass the current security descriptor (or at least the DACL portion of the Security Descriptor) is because the Security Descriptor is a BLOB (chunk of binary) and each ACE is buried somewhere in that BLOB. You cannot just ask AD to add or remove an ACE or update just the flags so you have to update the entire DACL portion of the Security Descriptor at a minimum.

So that question is answered, or is it? As you think about this a little longer, the adminSDHolder functionality doesn’t just protect the DACL of an object, it also rewrites the Explicit ACEs as well. Otherwise, by default, Account Operators[1] could update Domain Admin accounts.

Luckily there is a place where the correct default DACL is kept for most objectclasses, the schema. That is the defaultSecurityDescriptor attribute on the classSchema objectclass definition object. The defaultSecurityDescriptor can be a full Security Descriptor but in only a few cases does it, for example, list a value for the Owner, Group, or SACL by default (not that you can’t modify that to your heart’s delight).

Example of defaultSecurityDescriptor:

[Tue 07/07/2020 21:52:16.82]
E:\DEV\cpp\vs\AdMod\Debug>adfind -sc s:user defaultsecuritydescriptor

AdFind V01.53.00cppBETA Joe Richards (support@joeware.net) May 2020

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)
Base DN: CN=Schema,CN=Configuration,DC=lockout,DC=test,DC=loc

dn:CN=User,CN=Schema,CN=Configuration,DC=lockout,DC=test,DC=loc
> defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;;;PS)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RPWP;77B5B886-944A-11d1-AEBD-0000F80367C1;;PS)(OA;;RPWP;E45795B2-9455-11d1-AEBD-0000F80367C1;;PS)(OA;;RPWP;E45795B3-9455-11d1-AEBD-0000F80367C1;;PS)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;RS)(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;RS)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;RS)(A;;RC;;;AU)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;77B5B886-944A-11d1-AEBD-0000F80367C1;;AU)(OA;;RP;E45795B3-9455-11d1-AEBD-0000F80367C1;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;RS)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;WPRP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)(OA;;WPRP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)

1 Objects returned

Broken out that looks like:

[Tue 07/07/2020 22:01:56.84]
E:\DEV\cpp\vs\AdMod\Debug>adfind -schema -f ldapdisplayname=user defaultsecuritydescriptor -sddl+

AdFind V01.53.00cppBETA Joe Richards (support@joeware.net) May 2020

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)
Base DN: CN=Schema,CN=Configuration,DC=lockout,DC=test,DC=loc

dn:CN=User,CN=Schema,CN=Configuration,DC=lockout,DC=test,DC=loc
> defaultSecurityDescriptor: [DACL]
>defaultSecurityDescriptor: [DACL] A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA
> defaultSecurityDescriptor: [DACL] A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY
> defaultSecurityDescriptor: [DACL] A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO
> defaultSecurityDescriptor: [DACL] A;;RPLCLORC;;;PS
> defaultSecurityDescriptor: [DACL] OA;;CR;Change Password;;PS
> defaultSecurityDescriptor: [DACL] OA;;CR;Send As;;PS
> defaultSecurityDescriptor: [DACL] OA;;CR;Receive As;;PS
> defaultSecurityDescriptor: [DACL] OA;;RPWP;Personal Information;;PS
> defaultSecurityDescriptor: [DACL] OA;;RPWP;Phone and Mail Options;;PS
> defaultSecurityDescriptor: [DACL] OA;;RPWP;Web Information;;PS
> defaultSecurityDescriptor: [DACL] OA;;RP;Remote Access Information;;RS
> defaultSecurityDescriptor: [DACL] OA;;RP;Account Restrictions;;RS
> defaultSecurityDescriptor: [DACL] OA;;RP;Group Membership;;RS
> defaultSecurityDescriptor: [DACL] A;;RC;;;AU
> defaultSecurityDescriptor: [DACL] OA;;RP;General Information;;AU
> defaultSecurityDescriptor: [DACL] OA;;RP;Personal Information;;AU
> defaultSecurityDescriptor: [DACL] OA;;RP;Web Information;;AU
> defaultSecurityDescriptor: [DACL] OA;;RP;Public Information;;AU
> defaultSecurityDescriptor: [DACL] OA;;CR;Change Password;;WD
> defaultSecurityDescriptor: [DACL] OA;;RP;Logon Information;;RS
> defaultSecurityDescriptor: [DACL] OA;;RPWP;userCertificate;;CA
> defaultSecurityDescriptor: [DACL] OA;;RP;tokenGroupsGlobalAndUniversal;;S-1-5-32-560
> defaultSecurityDescriptor: [DACL] OA;;WPRP;terminalServer;;S-1-5-32-561
> defaultSecurityDescriptor: [DACL] OA;;WPRP;Terminal Server License Server;;S-1-5-32-561

1 Objects returned

Broken out even more…

[Tue 07/07/2020 22:07:32.31]
E:\DEV\cpp\vs\AdMod\Debug>adfind -schema -f ldapdisplayname=user defaultsecuritydescriptor -sddl++ -resolvesids

AdFind V01.53.00cppBETA Joe Richards (support@joeware.net) May 2020

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)
Base DN: CN=Schema,CN=Configuration,DC=lockout,DC=test,DC=loc

dn:CN=User,CN=Schema,CN=Configuration,DC=lockout,DC=test,DC=loc
> defaultSecurityDescriptor: [DACL] (FLAGS:)
> defaultSecurityDescriptor: [DACL] ALLOW;;[FC];;;Non-specific Domain Admins
> defaultSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
> defaultSecurityDescriptor: [DACL] ALLOW;;[FC];;;BUILTIN\Account Operators
> defaultSecurityDescriptor: [DACL] ALLOW;;[READ PROP][LIST CHILDREN][LIST OBJ][READ];;;NT AUTHORITY\SELF
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Change Password;;NT AUTHORITY\SELF
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Send As;;NT AUTHORITY\SELF
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Receive As;;NT AUTHORITY\SELF
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP][WRT PROP];Personal Information;;NT AUTHORITY\SELF
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP][WRT PROP];Phone and Mail Options;;NT AUTHORITY\SELF
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP][WRT PROP];Web Information;;NT AUTHORITY\SELF
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP];Remote Access Information;;Non-specific RAS Servers Group
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP];Account Restrictions;;Non-specific RAS Servers Group
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP];Group Membership;;Non-specific RAS Servers Group
>defaultSecurityDescriptor: [DACL] ALLOW;;[READ];;;NT AUTHORITY\Authenticated Users
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP];General Information;;NT AUTHORITY\Authenticated Users
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP];Personal Information;;NT AUTHORITY\Authenticated Users
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP];Web Information;;NT AUTHORITY\Authenticated Users
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP];Public Information;;NT AUTHORITY\Authenticated Users
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Change Password;;Everyone
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP];Logon Information;;Non-specific RAS Servers Group
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP][WRT PROP];userCertificate;;Non-specific Certificate Server Admins
>defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP];tokenGroupsGlobalAndUniversal;;BUILTIN\Windows Authorization Access Group
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP][READ PROP];terminalServer;;BUILTIN\Terminal Server License Servers
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP][READ PROP];Terminal Server License Server;;BUILTIN\Terminal Server License Servers

1 Objects returned

So this is cool, besides the missing DACL flags (did you catch that in the output?) it seems like we should just be able to plug that into AdMod and run with it. And in a single domain forest with a domain joined machine you absolutely can. In a multi-domain forest it gets a little trickier, so don’t do it yet. At least if you want the ACEs highlighted in red to possibly be wrong.

Full stop! So joe… I have a single domain forest, how do I just do that, I don’t care about the multi-domain forests… 

I would say the simplest way straight away without creating additional objects (more on that later) is to get the default security from the user objectclass corrected with DACL flags and into a format that you can use…

for /f "tokens=1,2 delims=," %i in (‘adfind -sc s:* -af "(ldapdisplayname=user)" ldapdisplayname "defaultsecuritydescriptor:s/D:/D:AI/" -nodn -jcsv2 -csvmvdelim $’) do set DSD_%i=%j

Which leaves you with an env var of

[Tue 07/07/2020 22:08:51.68]
E:\DEV\cpp\vs\AdMod\Debug>set dsd_user
DSD_user=D:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;;;PS)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RPWP;77B5B886-944A-11d1-AEBD-0000F80367C1;;PS)(OA;;RPWP;E45795B2-9455-11d1-AEBD-0000F80367C1;;PS)(OA;;RPWP;E45795B3-9455-11d1-AEBD-0000F80367C1;;PS)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;RS)(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;RS)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;RS)(A;;RC;;;AU)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;77B5B886-944A-11d1-AEBD-0000F80367C1;;AU)(OA;;RP;E45795B3-9455-11d1-AEBD-0000F80367C1;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;RS)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;WPRP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)(OA;;WPRP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)

and then a simple command of

adfind –b <BASE> –f <filter> -dsq | admod SD##ntsecuritydescriptor::%DSD_user% -exterr

will set the security descriptors back to default and enable inheritance.

adfind -default -f "&(objectclass=user)(admincount=1)" ntsecuritydescriptor -rawsddlexpl -rawsddlnl -onlydacl -adcsv | admod SD##ntsecuritydescriptor::%DSD_user% -exterr

Oh and while we are here, we might as well clear admincount as well…

adfind -default -f "&(objectclass=user)(admincount=1)" ntsecuritydescriptor -rawsddlexpl -rawsddlnl -onlydacl -adcsv | admod SD##ntsecuritydescriptor::%DSD_user% admincount:- -exterr

Cool! But why the domain joined machine requirement and what is going on that is so different for a multi-domain forest???

The issue goes back to the same issue for both which is related to the defaultSecurityDescriptor, specifically that it uses (correctly of course) the generic form of several of the security principals, most critically (IMO), the Domain Admins security principal of DA.

For example:

[DACL] A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA

Which is

[DACL] ALLOW;;[FC];;;Non-specific Domain Admins

The underlying function used by AdMod to handle Security Descriptors is ConvertStringSecurityDescriptorToSecurityDescriptor and it doesn’t allow you to specify a remote machine to for the SID expansion so if you aren’t in the same domain (in another domain or not in any domain) then it doesn’t know how to resolve DA (and also RS and CA) to a proper SID for the given domain to put into the Security Descriptor BLOB and it results in EITHER the wrong Domain Admin SID being stamped on the object in the case of being in a different domain or an error of “The security ID structure is invalid.” if the machine is not in any domain because those principals aren’t resolveable on a standalone machine. MSFT could have easily fixed that by allowing you to specify a resolver machine in the API call but alas, no such luck. If you want to handle this you have to manually unpack, convert the non-specific stuff to specific SIDs, and then repack the SDDL and use that.

AdMod does not currently (and unfortunately may or may not get it in the future) have the ability to correct this shortcoming in the API call. I am thinking about ways to handle it in the code itself but right now the best I have is to use “template” objects sort of like AdminSDHolder. Where you have objects defined that have the DACL (or full Security Descriptor) you want applied. You can even do this by groups, say certain groups will mean you get certain DACLs applied to the object and then have a service that is applying that regularly… A la poor man’s AdminSDHolder.

Anyway, this is about cleaning up old AdminSDHolder impacted objects likely because you realized you had too many admins and start cleaning stuff up (kudos to you btw).

So this is an example of some common template objects:

[Wed 07/08/2020 15:30:30.39]
E:\DEV\cpp\vs\AdMod\Debug>adfind -f cn=sdtemplates -dsq | adfind -s one -dn

AdFind V01.53.00cppBETA Joe Richards (support@joeware.net) May 2020

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)

dn:CN=contact,CN=SDTemplates,CN=System,DC=lockout,DC=test,DC=loc
dn:CN=group,CN=SDTemplates,CN=System,DC=lockout,DC=test,DC=loc
dn:CN=organizationalunit,CN=SDTemplates,CN=System,DC=lockout,DC=test,DC=loc
dn:CN=user,CN=SDTemplates,CN=System,DC=lockout,DC=test,DC=loc

4 Objects returned

And an expanded user template showing the DACL.

[Wed 07/08/2020 15:32:09.30]
E:\DEV\cpp\vs\AdMod\Debug>adfind -system -rb CN=SDTemplates -f cn=user -jsdenl -onlydacl

AdFind V01.53.00cppBETA Joe Richards (support@joeware.net) May 2020

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)
Base DN: CN=SDTemplates,CN=System,DC=lockout,DC=test,DC=loc

dn:CN=user,CN=SDTemplates,CN=System,DC=lockout,DC=test,DC=loc
[DACL] (FLAGS:INHERIT)
[DACL] OBJ ALLOW;;[READ PROP];Account Restrictions;;LOCKOUT\RAS and IAS Servers
[DACL] OBJ ALLOW;;[READ PROP];Logon Information;;LOCKOUT\RAS and IAS Servers
[DACL] OBJ ALLOW;;[READ PROP];Group Membership;;LOCKOUT\RAS and IAS Servers
[DACL] OBJ ALLOW;;[READ PROP];Remote Access Information;;LOCKOUT\RAS and IAS Servers
[DACL] OBJ ALLOW;;[READ PROP][WRT PROP];userCertificate;;LOCKOUT\Cert Publishers
[DACL] OBJ ALLOW;;[READ PROP];tokenGroupsGlobalAndUniversal;;BUILTIN\Windows Authorization Access Group
[DACL] OBJ ALLOW;;[READ PROP][WRT PROP];terminalServer;;BUILTIN\Terminal Server License Servers
[DACL] OBJ ALLOW;;[READ PROP][WRT PROP];Terminal Server License Server;;BUILTIN\Terminal Server License Servers
[DACL] OBJ ALLOW;;[CTL];Change Password;;Everyone
[DACL] OBJ ALLOW;;[CTL];Change Password;;NT AUTHORITY\SELF
[DACL] OBJ ALLOW;;[CTL];Send As;;NT AUTHORITY\SELF
[DACL] OBJ ALLOW;;[CTL];Receive As;;NT AUTHORITY\SELF
[DACL] OBJ ALLOW;;[READ PROP];General Information;;NT AUTHORITY\Authenticated Users
[DACL] OBJ ALLOW;;[READ PROP];Public Information;;NT AUTHORITY\Authenticated Users
[DACL] OBJ ALLOW;;[READ PROP];Personal Information;;NT AUTHORITY\Authenticated Users
[DACL] OBJ ALLOW;;[READ PROP];Web Information;;NT AUTHORITY\Authenticated Users
[DACL] OBJ ALLOW;;[READ PROP][WRT PROP];Personal Information;;NT AUTHORITY\SELF
[DACL] OBJ ALLOW;;[READ PROP][WRT PROP];Phone and Mail Options;;NT AUTHORITY\SELF
[DACL] OBJ ALLOW;;[READ PROP][WRT PROP];Web Information;;NT AUTHORITY\SELF
[DACL] ALLOW;;[FC];;;LOCKOUT\Domain Admins
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators
[DACL] ALLOW;;[READ];;;NT AUTHORITY\Authenticated Users
[DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\SELF
[DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM

1 Objects returned

and note, that just like AdminSDHolder, it is simply a container object. You could use an actual user object if you wanted but then someone somewhere should be trying to clean that up when it seems inactive for a not too long period of time (weeks to months at most). I mean they better be, if you aren’t looking for and cleaning up inactive objects you have really really bad security. And not don’t just make it non-expiring, that is really really bad security too. In fact, if you have any userids that are set up as non-expiring, just expect that if I saw it I would say this is really really bad security.

So the easiest model is just to copy the explicit part of the DACL from the template object from a given domain and apply it to the user objects you need to “reset”.

So first get the DACL string

adfind -system -rb CN=SDTemplates -f cn=user ntsecuritydescriptor -rawsddlexpl -rawsddlnl –onlydacl –list

and copy the output which in this case would be:

D:AI(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3057091654-2329156990-3385121676-517)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;RPWP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)(OA;;RPWP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;RP;77b5b886-944a-11d1-aebd-0000f80367c1;;AU)(OA;;RP;e45795b3-9455-11d1-aebd-0000f80367c1;;AU)(OA;;RPWP;77b5b886-944a-11d1-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b2-9455-11d1-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b3-9455-11d1-aebd-0000f80367c1;;PS)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3057091654-2329156990-3385121676-512)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AO)(A;;RC;;;AU)(A;;LCRPLORC;;;PS)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)

and then apply it to a given object

admod –b <objectDN> SD##ntsecuritydescriptor::D:AI(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3057091654-2329156990-3385121676-517)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;RPWP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)(OA;;RPWP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;RP;77b5b886-944a-11d1-aebd-0000f80367c1;;AU)(OA;;RP;e45795b3-9455-11d1-aebd-0000f80367c1;;AU)(OA;;RPWP;77b5b886-944a-11d1-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b2-9455-11d1-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b3-9455-11d1-aebd-0000f80367c1;;PS)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3057091654-2329156990-3385121676-512)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AO)(A;;RC;;;AU)(A;;LCRPLORC;;;PS)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)

Boom, the object has been set to inheriting and the value of the defaultSecurityDescriptor specific to the domain in question.

You could do a group of accounts at once if you can feed the DACL in to the AdFind|AdMod pipeline, one such way to do it would be with a for /f loop like so:

for /f %i in (‘adfind -system -rb "CN=SDTemplates" -f "cn=user" ntsecuritydescriptor -rawsddlexpl -rawsddlnl -onlydacl -list’) do adfind -f "name=oldadmin*" -dsq | admod SD##ntsecuritydescriptor::%i -exterr

That command pulls the DACL and then performs a normal AdFind|AdMod pipeline and feeds in the DACL so you don’t have to copy and paste it.

You could expand that doing it for an entire multidomain forest with (assuming you created similar template objects in each domain):

for /f %i in (‘adfind -sc domainlist’) do for /f %j in (‘adfind -h %i -system -rb "CN=SDTemplates" -f "cn=user" ntsecuritydescriptor -rawsddlexpl -rawsddlnl -onlydacl -list’) do adfind -h %i -f "name=oldadmin*" -dsq | admod SD##ntsecuritydescriptor::%j -exterr

And if you want to clear the admincount attribute, don’t forget to add the admincount:- to it as well.

Note this is a good way to specify the standard owner for objects as well if you like along with the DACL. The owner is critical because the owner has special powers over the objects by default. I highly recommend, unless you are using AD quotas, to specify standard owners for objects so you can very closely control who can do what to all objects. Especially any elevated rights objects.

   joe

[1] Speaking of Account Operators, you aren’t still using that are you? If you are, STOP. That was for NT4 and hybrid NT4/2000 mode. Not pure Windows Active Directory domains.

Rating 4.50 out of 5

2/9/2020

Windows Server 2003 Support for AdFind??

by @ 12:18 pm. Filed under general, tech

Out of curiosity how many people need to run my tools on pre-Windows Server 2008 machines? I.E. Windows 2000, XP, 2003, etc?

I was just alerted this last week by a random Russian user that AdFind doesn’t run ON Windows Server 2003 X64. I did some testing and that is correct, in fact it won’t run ON anything pre-Windows Server 2008 since I started using the Visual Studio compilers so for the last couple of releases. The stuff built with C++ Builder works fine on pre-2008 machines.

Now that doesn’t mean you can’t run AdFind AGAINST Windows Server 2003 or Windows Server 2000, that works just fine from every test I have performed.

So the question in the water is…. How many people need to run AdFind ON a pre-Windows Server 2008 OS? Windows 2000, Windows Server 2003, XP, etc?

That will drive how much work I actually do to try and sort out why Visual Studio isn’t building a binary that is recognized as a Win32 App on pre-Windows Server 2008 machines.

     joe

Rating 4.33 out of 5

1/15/2020

CVE-2020-0601–PATCH YOUR 2016/2019 DOMAIN CONTROLLERS!

by @ 1:07 am. Filed under tech

While Microsoft put a weak “important’ rating on CVE-2020-0601 the NSA (yes that NSA) has called it critical and severe. And since they found it, I am going to lay my bets with them.

Microsoft’s bulletin says it is code signing issues, NSA and others in the social media circles says it is much deeper.

Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601

NSA: https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF

Key bit from the NSA release, note that domain controllers are specifically and purposely listed.

SNAGHTML71eaabccAgain… Patch now.

  joe

Rating 4.33 out of 5

1/13/2020

AdFind V01.52.00… Part Deux…

by @ 7:25 pm. Filed under tech, updates

So try two… When I updated the web pages last night, I apparently updated a page that didn’t have the newer download mechanism in it so ended up breaking the download for AdFind. So you have gotten to experience a nice unhappy face page instead when trying to download. That was corrected a few hours ago and I am just now getting a chance to write a QnD blog post to say I humbly apologize. If you still have issues, let me know. Smile 

   joe

Rating 4.33 out of 5

1/12/2020

AdFind V01.52.00 released

by @ 9:19 pm. Filed under tech, updates

The latest version of AdFind, V01.52.00, is now released. You can find it at

http://www.joeware.net/freetools/tools/adfind/

If the website shows V01.51.00 then use CTRL-F5 to update your local browser cache. Smile 

File information

[Sat 01/11/2020 21:17:29.63]+
E:\DEV\cpp\vs\AdFind\Release>filever adfind.exe
—– W32i   APP ENU     1.52.0.5064 shp  1,619,968 01-11-2020 adfind.exe

[Sat 01/11/2020 21:17:40.58]+
E:\DEV\cpp\vs\AdFind\Release>adfind -appver
AdFind V01.52.00cpp Joe Richards (support@joeware.net) January 2020
  BUILD    : 1.52.0.5064
  BUILDDATE: 20200111-21:15:50 x86 VS2019

Digest information

[Sat 01/11/2020 21:17:48.44]+
E:\DEV\cpp\vs\AdFind\Release>joewaredigest adfind.exe

joewaredigest V01.00.00pl  joe@joeware.net  November 2012

adfind.exe      12011c44955fd6631113f68a99447515        4f4f8cf0f9b47d0ad95d159201fe7e72fbc8448d

Command Completed.

I have upgraded to Visual Studio 2019 and there are a slew of bug fixes, new 2019 decodes, new shortcuts, and a good selection of new switches (you know you wanted more!). Details of the changes including new switches are on the adfind usage pages which can also be found at

http://www.joeware.net/freetools/tools/adfind/usage.htm

Specific things I want to call out.

New switch –hint

This is something I wanted particularly for working with ADAM/LDS and third party LDAP servers. While you can use –e or the joeware-default environment variables to really help with making working with ADAM/LDS easier, this is for the random ad hoc query where you stream the output from adfind to adfind or to the not yet released new version of admod. This switch outputs a header string with key fields that can be picked up out of the stream and give the next tool in line hints on what to connect to and how.

The output of the header has several switch values passed into the first call to adfind separated by “~~~X~~~”.

The specific switches are: –h , –p , –u , –up , –simple (0 or 1) , –hh , –url

Since that might be difficult to visualize the use case, here is an example:

[Fri 01/10/2020 22:40:35.48]+
E:\DEV\cpp\vs\AdFind\Release>adfind -hh .:389 -f objectclass=group -dsq  | adfind objectguid

AdFind V01.52.00cpp Joe Richards (support@joeware.net) January 2020

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)

ldap_get_next_page_s: [LO-DC4.lockout.test.loc] Error 0x1 (1) – Operations Error

ldap_get_next_page_s: [LO-DC4.lockout.test.loc] Error 0x1 (1) – Operations Error

ldap_get_next_page_s: [LO-DC4.lockout.test.loc] Error 0x1 (1) – Operations Error

0 Objects returned

[Fri 01/10/2020 22:40:47.44]+
E:\DEV\cpp\vs\AdFind\Release>adfind -hh .:389 -f objectclass=group -dsq -hint | adfind objectguid

AdFind V01.52.00cpp Joe Richards (support@joeware.net) January 2020

Using server: jwp51:389
Directory: Windows Server 2019 (10.0.18362.1) ADLDS

dn:CN=Administrators,CN=Roles,O=BASIC
> objectGUID: {9A1C288D-2360-4A47-8115-39D7A978CD0F}

dn:CN=Users,CN=Roles,O=BASIC
> objectGUID: {E5DD9FEE-9F13-44F5-B504-B9BF4345E84B}

dn:CN=Readers,CN=Roles,O=BASIC
> objectGUID: {4FB18B14-D5D5-4E99-82AB-0C4D0AD9977B}

3 Objects returned

New switch –pause

This is for those folks who slap adfind into a for /f loop with a do start and fire multiple process windows at once instead of running the commands serially. With this switch adfind will pause before exiting so you can look at the output of each instance that was spawned.

New Switches –incllike / –excllike

Have you ever wanted to output only a certain group of attributes but don’t want to name all of them but perhaps they all have a similar format, for example say you have 15 attributes with your company prefix like jw-attr1, jw-attr2, jw-attr3, jw-attrN that is populated on every object of type X and you want just that info output. You simply add –incllike jw- and voila, only the jw-* attributes will be displayed. Note that all of the data will be returned that would normally be returned, it simply won’t be displayed. Unfortunately there is no way to tell AD to return attributes “like”, so this is the next best thing. Or alternately if there attributes you want to not display, you can use –excllike. Both of those switches take semicolon delimited lists of strings.

New Switch –sddlpsflag

This is a fun one that I have wanted for some time. Have you ever looked at the Security Descriptor output and want to quickly highlight or filter for the ACEs that have property sets, this switch prefixes the property sets with [PS]. This allows for quick and easy filtering with grep or find or whatever or with the SDDL filtering built into AdFind by default.

Again since this may not be easy to visualize, here is an example (you may want to make your browser window wider to more easily see this):

[Fri 01/10/2020 22:44:00.67]+
E:\DEV\cpp\vs\AdFind\Release>adfind -jsdnlb ;;;[PS] -sddlpsflag

AdFind V01.52.00cpp Joe Richards (support@joeware.net) January 2020

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)
Base DN: DC=lockout,DC=test,DC=loc

dn:DC=lockout,DC=test,DC=loc
[DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];[PS]Account Restrictions;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];[PS]Account Restrictions;user;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];[PS]Logon Information;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];[PS]Logon Information;user;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];[PS]Group Membership;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];[PS]Group Membership;user;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];[PS]General Information;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];[PS]General Information;user;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];[PS]Remote Access Information;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];[PS]Remote Access Information;user;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;;[READ PROP];[PS]Domain Password & Lockout Policies;;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;;[READ PROP];[PS]Other Domain Parameters (for use by SAM);;BUILTIN\Pre-Windows 2000 Compatible Access
[DACL] OBJ ALLOW;;[READ PROP];[PS]Other Domain Parameters (for use by SAM);;NT AUTHORITY\Authenticated Users
[DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP][WRT PROP][CTL];[PS]Private Information;;NT AUTHORITY\SELF

1 Objects returned

New Switch –rawsddlexpl

As you may or may not know, if you want to use AdMod to set a Security Descriptor (currently) you must provide the SDDL string for it. This can be painful (and yes I know how painful and hate it and am working on it) so I came up with a way to help make it less painful. When you apply the SDDL string it doesn’t need all of the inherited ACEs which is what usually makes the SDDL strings crazy long and painful. This switch nibbles the SDDL down to just the explicit ACEs that matter when you need to apply to something.

Again, here is an example, this will be long though not anywhere as long as what you see in many domains where people weren’t properly controlling stupid ACE bloat or had to install Exchange which is a whole other level of stupid ACE bloat that could only be accomplished by people who truly have no clue how to properly secure AD.

[Fri 01/10/2020 23:33:57.04]+
E:\DEV\cpp\vs\AdFind\Release>adfind -f name=testuser1 ntsecuritydescriptor -rawsddl

AdFind V01.52.00cpp Joe Richards (support@joeware.net) January 2020

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)
Base DN: DC=lockout,DC=test,DC=loc

dn:CN=testuser1,OU=TESTUSERS,DC=lockout,DC=test,DC=loc
> nTSecurityDescriptor: [SDDL] O:S-1-5-21-3057091654-2329156990-3385121676-512G:S-1-5-21-3057091654-2329156990-3385121676-512D:AI(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3057091654-2329156990-3385121676-517)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;RPWP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)(OA;;RPWP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;RP;77b5b886-944a-11d1-aebd-0000f80367c1;;AU)(OA;;RP;e45795b3-9455-11d1-aebd-0000f80367c1;;AU)(OA;;RPWP;77b5b886-944a-11d1-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b2-9455-11d1-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b3-9455-11d1-aebd-0000f80367c1;;PS)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3057091654-2329156990-3385121676-512)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AO)(A;;RC;;;AU)(A;;LCRPLORC;;;PS)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-3057091654-2329156990-3385121676-526)(OA;CIID;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-3057091654-2329156990-3385121676-527)(OA;CIIOID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;CIIOID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;CIIOID;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;OICIID;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;CIID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3057091654-2329156990-3385121676-519)(A;CIID;LC;;;RU)(A;CIID;CCLCSWRPWPLOCRSDRCWDWO;;;BA)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)

1 Objects returned

[Fri 01/10/2020 23:34:08.33]+
E:\DEV\cpp\vs\AdFind\Release>adfind -f name=testuser1 ntsecuritydescriptor -rawsddlexpl

AdFind V01.52.00cpp Joe Richards (support@joeware.net) January 2020

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)
Base DN: DC=lockout,DC=test,DC=loc

dn:CN=testuser1,OU=TESTUSERS,DC=lockout,DC=test,DC=loc
> nTSecurityDescriptor: [SDDL_EXPLICIT] O:S-1-5-21-3057091654-2329156990-3385121676-512G:S-1-5-21-3057091654-2329156990-3385121676-512D:AI(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3057091654-2329156990-3385121676-517)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;RPWP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)(OA;;RPWP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;RP;77b5b886-944a-11d1-aebd-0000f80367c1;;AU)(OA;;RP;e45795b3-9455-11d1-aebd-0000f80367c1;;AU)(OA;;RPWP;77b5b886-944a-11d1-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b2-9455-11d1-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b3-9455-11d1-aebd-0000f80367c1;;PS)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3057091654-2329156990-3385121676-512)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AO)(A;;RC;;;AU)(A;;LCRPLORC;;;PS)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:AI

1 Objects returned

New Switches –ldapping / –ldappingex / –netlogonexdc

I posted a series of blog posts on DC Locator and ldap ping. Adding ldap ping to AdFind is another thing that I have wanted for some time. It shoots over the proper query to retrieve the LDAP Ping info which will tell you what AD site your machine is in per the DC’s decision processes and the querying machine’s IP address. It will also show you next closest site, no you don’t have to enable anything for that to work, it is always there, the client just has to know how to ask for it. Most folks will likely want to use –ldappingex as that is the easiest to read. It is effectively the –ldapping and –netlogonexdc switches together. Why did I do it that way? Why do I have the –netlogonexdc switch at all??? For people who know how to formulate the different acceptable ldap ping queries manually and want the extended output instead of the normal output. Note that this is COMPLETELY anonymous. You don’t have to have a valid ID in the domain to perform this operation.

Here is an example:

[Fri 01/10/2020 23:55:42.28]+
E:\DEV\cpp\vs\AdFind\Release>adfind -hh k16tst.test.loc -ldappingex

AdFind V01.52.00cpp Joe Richards (support@joeware.net) January 2020

Using server: K16TST-SCDC1.k16tst.test.loc:389
Directory: Windows Server 2016

dn:
> OpCode: 0x18
> Flags: 0x1F1FC
> Flags: DS_GC_FLAG
> Flags: DS_LDAP_FLAG
> Flags: DS_DS_FLAG
> Flags: DS_KDC_FLAG
> Flags: DS_TIMESERV_FLAG
> Flags: DS_CLOSEST_FLAG
> Flags: DS_WRITABLE_FLAG
> Flags: DS_FULL_SECRET_DOMAIN_6_FLAG
> Flags: DS_WS_FLAG
> Flags: DS_DS_8_FLAG
> Flags: DS_DS_9_FLAG
> Flags: DS_DS_10_FLAG
> DomainGuid: {98FD1190-E167-4734-A585-7981238A135E}
> DnsForestName: k16tst.test.loc
> DnsDomainName: k16tst.test.loc
> DnsHostName: K16TST-SCDC1.k16tst.test.loc
> NetbiosDomainName: K16TST
> NetbiosComputerName: K16TST-SCDC1
> UserName: [EMPTY]
> DcSiteName: Default-First-Site-Name
> ClientSiteName: joenetlogontestsite
> NextClosestSiteName: Default-First-Site-Name

1 Objects returned

Filter intelligence enhancement – AKA the AJ Fix.

I have a friend that I worked with at my last day job employer that I dragged over to my current day job employer named AJ. AJ is more of an architecture type person who had to come in and actually do real work, ops type work. I mean architecture is real work but I don’t have a lot of respect or need for pure architects, if you cannot sit down and do daily support work as well as design infrastructures you are pretty worthless in my eyes. Anyway, AJ is now doing ops work in the IDM team (one of the leaders of that team now in fact) and learning a lot about how to do things in AD. Slowly more and more he started seeing the light about why AdFind blows other things (like ADUC, ADAC, PowerShell AD Cmdlets) out of the water and I would have a constantly running Zoom chat window with him asking questions. Well very often, especially one really bad week he would post a command string and say why isn’t this working or why it was spitting out so much information that he didn’t ask for (is AD broken?)… And the reason was usually the query looked something like

adfind "&(objectclass=user)(samaccountname=someid)" pwdlastset –tdcda

or something like that. Of course the issue is that he specified a filter without actually specifying the –f switch to tell AdFind, hey AdFind, this is a filter to submit for me. AdFind sees that command and treats the filter as an argument instead of a switch so by default it used a query of objectclass=* and of course that filter doesn’t exist as an attribute. So now I added some parameter logic to look for mistakes like this and it will throw what I call an AJ error and in fact in the initial betas with the functionality the error message was quite funny and named AJ by name. Open-mouthed smile 

This is what the error message looks like:

ERROR:
ERROR: Specified attribute contains ‘=’, did you perhaps mean this as an LDAP filter and forgot -f?
ERROR: Argument in question [&(objectclass=user)(samaccountname=someid)]
ERROR:

Type AdFind /help or AdFind /? for usage assistance.

or in the case where you have a filter but don’t specify what looks like a filter you get this:

ERROR:
ERROR: Filter missing ‘=’.
ERROR: Filter value [objectclass]
ERROR:

Type AdFind /help or AdFind /? for usage assistance.

So if you know AJ, go ahead and razz him. This fix has probably saved me about 500 questions a year. Hot smile

Another fun change that I have wanted for some time is auto-decode of attributeSecurityGUID in the Schema output. It is always a pain to chase that manually and doing this is likely going to save me a lot of time every year as well.

For example:

[Sat 01/11/2020  0:15:41.68]+
E:\DEV\cpp\vs\AdFind\Release>adfind -sc s:* -af attributesecurityguid=* ldapdisplayname attributesecurityguid -maxe 5

AdFind V01.52.00cpp Joe Richards (support@joeware.net) January 2020

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)
Base DN: CN=Schema,CN=Configuration,DC=lockout,DC=test,DC=loc

dn:CN=Account-Expires,CN=Schema,CN=Configuration,DC=lockout,DC=test,DC=loc
> lDAPDisplayName: accountExpires
> attributeSecurityGUID: {4C164200-20C0-11D0-A768-00AA006E0529} [Account Restrictions]

dn:CN=Admin-Description,CN=Schema,CN=Configuration,DC=lockout,DC=test,DC=loc
>lDAPDisplayName: adminDescription
> attributeSecurityGUID: {59BA2F42-79A2-11D0-9020-00C04FC2D3CF} [General Information]

dn:CN=Allowed-Attributes,CN=Schema,CN=Configuration,DC=lockout,DC=test,DC=loc
> lDAPDisplayName: allowedAttributes
> attributeSecurityGUID: {E48D0154-BCF8-11D1-8702-00C04FB96050} [Public Information]

dn:CN=Allowed-Attributes-Effective,CN=Schema,CN=Configuration,DC=lockout,DC=test,DC=loc
> lDAPDisplayName: allowedAttributesEffective
> attributeSecurityGUID: {E48D0154-BCF8-11D1-8702-00C04FB96050} [Public Information]

dn:CN=Allowed-Child-Classes,CN=Schema,CN=Configuration,DC=lockout,DC=test,DC=loc
>lDAPDisplayName: allowedChildClasses
>attributeSecurityGUID: {E48D0154-BCF8-11D1-8702-00C04FB96050} [Public Information]

5 Objects returned

And the last few things I am going to mention that are kind of cool are some beta features that I know still need more work but wanted to get this out there… Regular Expression capability for filtering output and outputting MSA/gMSA passwords. I don’t have much to say other than it is there but is still a work in progress. There is a new usage page for regular expressions that you access with “–regex?”.If you find something that isn’t working or something that could be done in a different way to make it more useful please email me at support@joeware.net and let me know.

   joe

Rating 3.50 out of 5

[joeware – never stop exploring… :) is proudly powered by WordPress.]