
Dear Microsoft Active Directory friends,

 

This article is about searching delegated permissions (password reset) in Active Directory.

 

The situation: you "inherit" a new customer and would like to know whether your predecessor worked with delegated permissions. For example, a user or group may have been authorized to reset the password of every user in a particular organizational unit. Honestly, this is difficult to determine.

Not only does Active Directory Users and Computers hide these permissions by default, there is also no built-in tool that gives an overview of where permissions have been applied in AD. This is where PowerShell comes into play.

I ran the script on a domain controller; if there is a match, the output appears in Out-GridView. Please do not forget to adjust the LDAP path in the script.

 

# Object classes to inspect: the domain head, OUs, groups, user accounts (sAMAccountType 805306368) and computers
$filter = "(|(objectClass=domain)(objectClass=organizationalUnit)(objectClass=group)(sAMAccountType=805306368)(objectCategory=Computer))"

# ("LDAP://DOMAINCONTROLLER/LDAP") Replace DOMAINCONTROLLER and LDAP with your values
$bSearch = New-Object System.DirectoryServices.DirectoryEntry("LDAP://DC01/DC=zodiac,DC=local")
$dSearch = New-Object System.DirectoryServices.DirectorySearcher($bSearch)
$dSearch.SearchRoot = $bSearch
$dSearch.PageSize = 1000
$dSearch.Filter = $filter
$dSearch.SearchScope = "Subtree"

# GUID of the "Reset Password" extended right (control access right)
$extPerms = @(
    '00299570-246d-11d0-a768-00aa006e0529'
)

$results = @()

foreach ($objResult in $dSearch.FindAll())
{
    $obj = $objResult.GetDirectoryEntry()

    Write-Host "Searching... " $obj.distinguishedName

    # Explicit ACEs only (second argument $false): inherited ACEs would be repeated on every child object
    $permissions = $obj.PsBase.ObjectSecurity.GetAccessRules($true, $false, [Security.Principal.NTAccount])

    # Keep "Allow" ACEs for the Reset Password right, excluding principals that hold it by design
    # (the NTAccount name is compared, so the built-in group is given by name rather than by SID)
    $results += $permissions | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ObjectType -in $extPerms) -and
        $_.IdentityReference.Value -notin ('NT AUTHORITY\SELF', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Account Operators')
    } | Select-Object `
        @{n='Object';     e={$obj.distinguishedName}},
        @{n='Account';    e={$_.IdentityReference}},
        @{n='Permission'; e={$_.ActiveDirectoryRights}}
}

# The output directly in Out-GridView
$results | Out-GridView

[Screenshot _AD_Search.JPG: Out-GridView output of the script]
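The script above answers one question: who holds the Reset Password right, explicitly, on each object. When auditing an inherited environment I usually want a little more, so here is an added example of my own (not the script from the article or from the GitHub repository) that goes beyond it: it walks the domain head, OUs and containers (the places where delegation is normally configured), reports every delegated extended right rather than only the one GUID, resolves the GUIDs to readable names from CN=Extended-Rights and the schema, shows which object classes the ACE applies to (for example only "user" objects below the OU), and flags ACEs that grant Reset Password indirectly, namely GenericAll and an ExtendedRight ACE with an empty object type (which means all extended rights). The LDAP path is a placeholder you must replace; the script assumes it runs under a domain account with read access to the directory and the configuration partition.

```powershell
# Added example (not the article's script). Surveys explicit "Allow" ACEs on the domain
# head, OUs and containers, resolves extended-right and class GUIDs to names, and flags
# ACEs that grant or imply the Reset Password right.
# Assumptions: domain-joined machine, domain account with read access; $LdapPath is a
# placeholder search base that must be replaced.
param(
    [string]$LdapPath = 'LDAP://DC=example,DC=local',   # placeholder: replace with your domain
    [switch]$IncludeInherited                           # also list ACEs inherited from parent objects
)

$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$Rights = [System.DirectoryServices.ActiveDirectoryRights]

# Principals that hold these rights by design; skipped to keep the report readable.
$IgnoredIdentities = @('NT AUTHORITY\SELF', 'NT AUTHORITY\SYSTEM',
                       'BUILTIN\Account Operators', 'BUILTIN\Administrators')

function New-Searcher([string]$Path, [string]$Filter, [string[]]$Properties) {
    $root = New-Object System.DirectoryServices.DirectoryEntry($Path)
    $s = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $s.PageSize = 1000
    $s.SearchScope = 'Subtree'
    [void]$s.PropertiesToLoad.AddRange($Properties)
    return $s
}

$rootDse  = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
$configNc = [string]$rootDse.Properties['configurationNamingContext'].Value
$schemaNc = [string]$rootDse.Properties['schemaNamingContext'].Value

# 1. rightsGuid -> displayName for every control access right (e.g. "Reset Password").
$rightNames = @{}
$rs = New-Searcher "LDAP://CN=Extended-Rights,$configNc" '(objectClass=controlAccessRight)' @('rightsGuid', 'displayName')
foreach ($r in $rs.FindAll()) {
    $rightNames[[string]$r.Properties['rightsguid'][0]] = [string]$r.Properties['displayname'][0]
}

# 2. schemaIDGUID -> lDAPDisplayName, to translate InheritedObjectType (e.g. "user").
$classNames = @{}
$cs = New-Searcher "LDAP://$schemaNc" '(objectClass=classSchema)' @('schemaIDGUID', 'lDAPDisplayName')
foreach ($c in $cs.FindAll()) {
    $guid = [guid]::new([byte[]]$c.Properties['schemaidguid'][0])
    $classNames[$guid.ToString()] = [string]$c.Properties['ldapdisplayname'][0]
}

# 3. Walk the containers where delegation is normally configured.
$os = New-Searcher $LdapPath '(|(objectClass=domain)(objectClass=organizationalUnit)(objectClass=container))' @('distinguishedName')
$findings = foreach ($result in $os.FindAll()) {
    $entry = $result.GetDirectoryEntry()
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $IncludeInherited.IsPresent,
                                                  [System.Security.Principal.NTAccount])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($rule.IdentityReference.Value -in $IgnoredIdentities) { continue }

        $hasExtended   = $rule.ActiveDirectoryRights.HasFlag($Rights::ExtendedRight)
        $hasGenericAll = $rule.ActiveDirectoryRights.HasFlag($Rights::GenericAll)
        if (-not ($hasExtended -or $hasGenericAll)) { continue }

        # An ExtendedRight ACE with an empty ObjectType grants all extended rights.
        $typeKey   = $rule.ObjectType.ToString()
        $rightName = if ($hasGenericAll) { 'GenericAll' }
                     elseif ($rule.ObjectType -eq [guid]::Empty) { 'All extended rights' }
                     elseif ($rightNames.ContainsKey($typeKey)) { $rightNames[$typeKey] }
                     else { $typeKey }
        $impliesReset = $hasGenericAll -or $rule.ObjectType -eq [guid]::Empty -or
                        $rule.ObjectType -eq $ResetPasswordGuid

        # InheritedObjectType limits the ACE to one object class; empty means all classes.
        $classKey  = $rule.InheritedObjectType.ToString()
        $appliesTo = if ($rule.InheritedObjectType -eq [guid]::Empty) { 'all classes' }
                     elseif ($classNames.ContainsKey($classKey)) { $classNames[$classKey] }
                     else { $classKey }

        [pscustomobject]@{
            Object       = [string]$entry.Properties['distinguishedName'].Value
            Account      = $rule.IdentityReference.Value
            Right        = $rightName
            ImpliesReset = $impliesReset
            AppliesTo    = $appliesTo
            Inheritance  = $rule.InheritanceType   # e.g. Descendents: applies to child objects only
            Inherited    = $rule.IsInherited
        }
    }
}

$findings | Sort-Object ImpliesReset -Descending | Out-GridView -Title 'Delegated extended rights'
```

Run it without -IncludeInherited first: the explicit ACEs are exactly the places where someone once clicked through the Delegation of Control Wizard or edited the Security tab, which is what you want to reconstruct. Rows with ImpliesReset = True and an Inheritance of Descendents are the classic "this group may reset all passwords in this OU" delegations; rows with Right = GenericAll deserve a second look, because full control on an OU includes the Reset Password right even though no ACE names it.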

 

You can also find the script under the following link:

https://github.com/tomwechsler/Active_Directory_mit_der_PowerShell_verwalten/blob/main/Search_delega...

 

I hope this article was helpful for you. Thank you for taking the time to read it.

 

Best regards, Tom Wechsler

 

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub: https://github.com/tomwechsler