Use PowerShell to search for delegated (password reset) permissions in Active Directory!


Dear Microsoft Active Directory friends,

This article is about searching for delegated permissions (password reset) in Active Directory.

The following situation: you "inherit" a new customer. Now you would like to know whether the "predecessor" worked with delegated permissions. For example, a person or group was authorized to reset the password for all users in an organizational unit. Honestly, this is a difficult thing to determine.

Not only does Microsoft hide these permissions in Active Directory Users and Computers by default, there is also no built-in tool that gives an overview of how permissions have been applied in AD. This is where PowerShell comes into play.

I have run the script on a domain controller; the output appears in Out-GridView (if there is a match). Please do not forget to adjust the LDAP path in the script.

# LDAP filter: domain head, OUs, groups, user accounts (sAMAccountType 805306368) and computers
$filter = "(|(objectClass=domain)(objectClass=organizationalUnit)(objectClass=group)(sAMAccountType=805306368)(objectCategory=Computer))"

# Replace DC01 and DC=zodiac,DC=local with your domain controller and the LDAP path of your search base
$bSearch = New-Object System.DirectoryServices.DirectoryEntry("LDAP://DC01/DC=zodiac,DC=local")
$dSearch = New-Object System.DirectoryServices.DirectorySearcher($bSearch)
$dSearch.SearchRoot = $bSearch
$dSearch.PageSize = 1000
$dSearch.Filter = $filter
$dSearch.SearchScope = "Subtree"

# ObjectType GUIDs of the ACEs we are looking for
$extPerms = @(
    '00299570-246d-11d0-a768-00aa006e0529', # control access right "Reset Password"
    '00000000-0000-0000-0000-000000000000'  # empty GUID: the ACE is not limited to one right (Full Control / all extended rights)
)

# Principals that hold these rights by default; skip them so that only delegations remain
# (S-1-5-32-548 is the SID of Account Operators; the rules below carry resolved names, not SIDs)
$defaultPrincipals = @('NT AUTHORITY\SELF', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Account Operators')

$results = @()

foreach ($objResult in $dSearch.FindAll())
{
    $obj = $objResult.GetDirectoryEntry()

    Write-Host "Searching... " $obj.distinguishedName

    # Explicit ACEs only ($false = no inherited ones), identities resolved to DOMAIN\Name
    $permissions = $obj.PsBase.ObjectSecurity.GetAccessRules($true, $false, [Security.Principal.NTAccount])

    # Keep Allow entries for one of the GUIDs above that actually carry the ExtendedRight bit
    # (Full Control includes it), granted to someone other than the default principals
    $results += $permissions | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ObjectType -in $extPerms) -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.IdentityReference -notin $defaultPrincipals
    } | Select-Object `
        @{n='Object'; e={$obj.distinguishedName.Value}},
        @{n='Account'; e={$_.IdentityReference}},
        @{n='Permission'; e={$_.ActiveDirectoryRights}}
}

# The output directly in Out-GridView
$results | Out-GridView
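The script above matches one hard-coded GUID. As an added example (this is not code from the post or from the author's repository), the function below generalizes that idea: it builds a GUID-to-name map from the CN=Extended-Rights container of the configuration partition, so every delegated control access right or property set is reported by its display name rather than only "Reset Password", keeps only ACEs that carry the ExtendedRight bit, shows the inheritance settings of each delegation and writes a CSV that can serve as a baseline for the next audit. The server name DC01 and the search base DC=zodiac,DC=local are placeholders taken from the post; the CSV path and the list of default principals are assumptions.

```powershell
# Added example, not part of the original post. Assumptions: 'DC01' and 'DC=zodiac,DC=local'
# are placeholders from the post; replace them with your own domain controller and search base.
function Get-DelegatedControlAccessRight {
    [CmdletBinding()]
    param(
        [string]$Server     = 'DC01',                               # assumption: placeholder DC name
        [string]$SearchBase = 'DC=zodiac,DC=local',                 # assumption: placeholder domain
        [string]$CsvPath    = "$env:TEMP\AD_delegated_rights.csv"   # assumption: baseline location
    )

    # 1. Map rightsGuid -> displayName for every control access right / property set in the schema.
    $rootDse    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/RootDSE")
    $configNc   = $rootDse.psbase.Properties['configurationNamingContext'].Value
    $rightsRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/CN=Extended-Rights,$configNc")
    $rightsQry  = New-Object System.DirectoryServices.DirectorySearcher($rightsRoot, '(objectClass=controlAccessRight)', @('rightsGuid', 'displayName'))
    $rightsQry.PageSize = 1000

    # Empty ObjectType means the ACE is not limited to a single right or property.
    $rightName = @{ '00000000-0000-0000-0000-000000000000' = '<all rights / properties>' }
    foreach ($r in $rightsQry.FindAll()) {
        $guid = ([string]$r.Properties['rightsguid'][0]).ToLower()
        $rightName[$guid] = [string]$r.Properties['displayname'][0]
    }

    # 2. Same object classes as the post's script.
    $filter   = '(|(objectClass=domain)(objectClass=organizationalUnit)(objectClass=group)(sAMAccountType=805306368)(objectCategory=Computer))'
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$SearchBase")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter, @('distinguishedName'))
    $searcher.PageSize    = 1000
    $searcher.SearchScope = 'Subtree'

    # Principals that hold these rights by design; anything else is a delegation worth reviewing.
    $defaultPrincipals = @('NT AUTHORITY\SELF', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'BUILTIN\Account Operators')
    $adminGroups       = '\\(Domain Admins|Enterprise Admins)$'
    $extendedRight     = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    $found = $searcher.FindAll()
    try {
        $report = foreach ($result in $found) {
            $dn    = [string]$result.Properties['distinguishedname'][0]
            $entry = $result.GetDirectoryEntry()
            # Explicit ACEs only: they show where a delegation was configured. Inherited copies
            # on child objects would repeat the same entry once per object.
            $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])
            foreach ($ace in $rules) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                # Only ACEs that can grant a control access right; GenericAll (Full Control) includes this bit.
                if (-not $ace.ActiveDirectoryRights.HasFlag($extendedRight)) { continue }
                $who = $ace.IdentityReference.Value
                if ($who -in $defaultPrincipals -or $who -match $adminGroups) { continue }

                $key  = $ace.ObjectType.ToString().ToLower()
                $name = if ($rightName.ContainsKey($key)) { $rightName[$key] } else { $key }
                [pscustomobject]@{
                    Object      = $dn
                    Account     = $who
                    Right       = $name
                    Rights      = $ace.ActiveDirectoryRights
                    AppliesTo   = $ace.InheritanceType        # None = this object only; All/Descendents = child objects too
                    ChildClass  = $ace.InheritedObjectType    # object class GUID the ACE is limited to (empty = any)
                }
            }
        }
    }
    finally {
        $found.Dispose()
    }

    if ($report) {
        $report | Export-Csv -Path $CsvPath -NoTypeInformation -Encoding UTF8
        Write-Host "Exported $(@($report).Count) delegated entries to $CsvPath"
    }
    $report
}

# Usage: review interactively, and keep the CSV so the next run can be compared against it
Get-DelegatedControlAccessRight | Out-GridView
```

Reading the GUID names from the schema means a delegation of "Force Change Password" on a group of accounts, or a property-set write such as "Public Information", shows up with the same query as "Reset Password", and comparing the CSV with the previous export turns the one-off review into a recurring check for new or changed delegations.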

[Screenshot: _AD_Search.JPG]

You can also find the script here under the following link:

https://github.com/tomwechsler/Active_Directory_mit_der_PowerShell_verwalten/blob/main/Search_delega...

I hope this article was helpful for you. Thank you for taking the time to read it.

Best regards, Tom Wechsler

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler
