Self, perhaps the most arcane of Windows privileges

  • show the ActiveDirectoryRights “Self” first
  • explain why it matters to security
  • contrast it with the IdentityReference “Self”
  • detour a bit down why that matters given Microsoft’s propensity for leaving legacy crap enabled that impacts security to this day

# Run these from the AD: drive (Set-Location AD:) so that Get-Acl/Set-Acl resolve bare distinguished names
#Give a user Self over a given group
$victim = (Get-ADGroup "Minions" -Properties *).DistinguishedName
$acl = Get-ACL $victim
$user = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser -Identity "Mishka").SID
#Allow Self with all 0s (comment this out to use a specific GUID); an all-zero objectType GUID grants every validated write on the object
#$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $user,"Self","ALLOW",([GUID]("00000000-0000-0000-0000-000000000000")).guid,"None",([GUID]("00000000-0000-0000-0000-000000000000")).guid))
#Allow Self with specific GUID (comment this out to use all 0s); bf9679c0-... is the schemaIDGUID of the "member" attribute, i.e. "Add/remove self as member"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $user,"Self","ALLOW",([GUID]("bf9679c0-0de6-11d0-a285-00aa003049e2")).guid,"None",([GUID]("00000000-0000-0000-0000-000000000000")).guid))
#Apply above ACL rule
Set-ACL $victim $acl

#Verify: list the ACEs on the group that name Mishka
$root = (Get-ADDomain).DistinguishedName ; (Get-Acl "cn=minions,ou=user accounts,$root").Access | Where-Object {$_.IdentityReference -like "*mishka*"}

#Legacy check: does Pre-Windows 2000 Compatible Access still hold GenericRead on the domain root?
(Get-Acl (Get-ADDomain).DistinguishedName).Access | Where-Object {($_.IdentityReference -like "*Pre-Windows 2000*") -and ($_.ActiveDirectoryRights -like "*GenericRead*")}

#And what can Authenticated Users read on a sensitive user object?
(Get-Acl "cn=ceo,ou=vips,dc=test,dc=local").Access | Where-Object {($_.IdentityReference -like "*Authenticated Users*") -and ($_.ActiveDirectoryRights -like "*ReadProperty*")}
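
The snippets above grant and then eyeball the right on one group. The following audit script is an added example, not code from the original post: it walks every group under an OU, pulls out ACEs whose ActiveDirectoryRights include "Self" (the validated-write right, value 8), and reports who holds it and which validated write the objectType GUID scopes it to (bf9679c0-... is the "member" attribute, an all-zero GUID is every validated write). It also resolves each trustee to a SID so that the IdentityReference NT AUTHORITY\SELF (S-1-5-10, meaning "the object itself") is flagged separately and not confused with the right of the same name, and it finishes with a check of who sits in the Pre-Windows 2000 Compatible Access group, since Authenticated Users or Everyone in there is what hands out the broad read rights the last two queries above look for. It assumes the ActiveDirectory module and the AD: drive; the OU in $SearchBase is a placeholder.

```powershell
# Added audit example (not from the original post). Assumes the ActiveDirectory module,
# the AD: drive, and a placeholder OU in $SearchBase that you point at your own groups.
Import-Module ActiveDirectory

# bf9679c0-... is the schemaIDGUID of the "member" attribute ("Add/remove self as member");
# an all-zero objectType GUID means the ACE grants every validated write on the object.
$MemberGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$SelfRight  = [System.DirectoryServices.ActiveDirectoryRights]::Self   # validated write, value 8

function Get-SelfRightAces {
    param([Parameter(Mandatory)][string]$SearchBase)

    Get-ADGroup -Filter * -SearchBase $SearchBase | ForEach-Object {
        $group = $_
        (Get-Acl "AD:\$($group.DistinguishedName)").Access |
            Where-Object { ($_.ActiveDirectoryRights -band $SelfRight) -ne 0 } |
            ForEach-Object {
                $ace = $_

                # Which validated write does this ACE actually cover?
                $scope = 'other validated write: ' + $ace.ObjectType
                if ($ace.ObjectType -eq $MemberGuid) { $scope = 'member (add/remove self)' }
                elseif ($ace.ObjectType -eq [Guid]::Empty) { $scope = 'ALL validated writes' }

                # Resolve the trustee to a SID so NT AUTHORITY\SELF is recognised whatever name it displays under
                $sid = try { $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }

                [PSCustomObject]@{
                    Group      = $group.Name
                    Trustee    = $ace.IdentityReference.Value
                    IsSelfSid  = ($sid -eq 'S-1-5-10')   # the object itself (IdentityReference "SELF"), not the "Self" right
                    AccessType = $ace.AccessControlType
                    Scope      = $scope
                    Inherited  = $ace.IsInherited
                }
            }
    }
}

# Companion legacy check: members of Pre-Windows 2000 Compatible Access. Well-known principals sit in
# the group as foreignSecurityPrincipal objects whose CN is the SID, so the member DNs can be matched
# directly: S-1-5-11 is Authenticated Users, S-1-1-0 is Everyone.
function Test-PreWin2000Exposure {
    $members = (Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member).member
    $broad   = $members | Where-Object { $_ -match '^CN=(S-1-5-11|S-1-1-0),CN=ForeignSecurityPrincipals,' }
    [PSCustomObject]@{
        MemberCount     = @($members).Count
        BroadPrincipals = @($broad) -join '; '
        Exposed         = [bool]$broad
    }
}

# Placeholder OU: replace with the container that holds the groups you care about
$SearchBase = "OU=User Accounts,$((Get-ADDomain).DistinguishedName)"
Get-SelfRightAces -SearchBase $SearchBase | Format-Table -AutoSize
Test-PreWin2000Exposure | Format-List
```

Run against the lab above, the first table should show Mishka on Minions with Scope "member (add/remove self)" and IsSelfSid False; any row with IsSelfSid True is an ACE granted to the object itself, which is a different thing entirely. Exposed = True from the second function means every authenticated account still inherits the legacy read rights, which is the condition the GenericRead/ReadProperty queries above surface on individual objects.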

Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from work or the lab.