Who Can Modify Domain Admins & Asking the Right Question

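# Step 1: which ACEs grant WriteProperty on the "member" attribute of Domain Admins
# (schema GUID bf9679c0-0de6-11d0-a285-00aa003049e2) or on all properties (null GUID)?
# Two fixes versus the pasted one-liner: the GUID had en-dashes and a leading space,
# so the ObjectType comparison could never match; and the DN is now prefixed with
# AD:\ so the command works from any location (a bare DN only resolves when the
# AD: drive from the ActiveDirectory module is already the current location).
(Get-Acl 'AD:\CN=Domain Admins,CN=Users,DC=corp,DC=local').Access |
    Where-Object {
        ($_.AccessControlType -eq 'Allow') -and
        ($_.ActiveDirectoryRights -like '*WriteProperty*') -and
        (($_.ObjectType -eq 'bf9679c0-0de6-11d0-a285-00aa003049e2') -or
         ($_.ObjectType -eq '00000000-0000-0000-0000-000000000000'))
    }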
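# Step 2: widen the net to GenericAll / GenericWrite, which imply WriteProperty on
# every attribute. The Allow test must gate *all* rights clauses: -and binds tighter
# than -or in PowerShell, so the original
#   "... -or GenericAll -or GenericWrite -and Allow"
# applied the Allow check only to the GenericWrite clause and listed Deny ACEs for
# WriteProperty / GenericAll as if they granted access. The GUID is also repaired
# (en-dashes and a leading space meant it could never match).
(Get-Acl 'AD:\CN=Domain Admins,CN=Users,DC=corp,DC=local').Access |
    Where-Object {
        ($_.AccessControlType -eq 'Allow') -and
        (
            (($_.ActiveDirectoryRights -like '*WriteProperty*') -and
             (($_.ObjectType -eq 'bf9679c0-0de6-11d0-a285-00aa003049e2') -or
              ($_.ObjectType -eq '00000000-0000-0000-0000-000000000000'))) -or
            ($_.ActiveDirectoryRights -like '*GenericAll*') -or
            ($_.ActiveDirectoryRights -like '*GenericWrite*')
        )
    }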
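# Step 3 (PowerView): scan the domain and return the identities holding a
# modify-capable Allow ACE on any object whose DN contains "Domain Admins".
# Beyond WriteProperty / GenericAll / GenericWrite this also counts WriteDacl and
# WriteOwner (rewrite the ACL, then grant yourself anything) and the "Self"
# validated write (add yourself as a member). The duplicated WriteDACL clause from
# the original is dropped and the GUID's en-dashes are repaired.
# NOTE(review): with -ResolveGUIDs PowerView replaces ObjectType with the resolved
# schema attribute name rather than the raw GUID, in which case the GUID comparison
# alone never fires; the resolved name ("Member") is matched as well. Confirm the
# exact resolved value against the PowerView version in use.
(Invoke-ACLScanner -ResolveGUIDs | Where-Object {
    ($_.AccessControlType -eq 'Allow') -and
    ($_.ObjectDN -like '*Domain Admins*') -and
    (
        (($_.ActiveDirectoryRights -like '*WriteProperty*') -and
         (($_.ObjectType -eq 'bf9679c0-0de6-11d0-a285-00aa003049e2') -or
          ($_.ObjectType -eq 'Member'))) -or
        ($_.ActiveDirectoryRights -like '*GenericWrite*') -or
        ($_.ActiveDirectoryRights -like '*GenericAll*') -or
        ($_.ActiveDirectoryRights -like '*WriteDACL*') -or
        ($_.ActiveDirectoryRights -like '*WriteOwner*') -or
        ($_.ActiveDirectoryRights -like '*Self*')
    )
}).IdentityReference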
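# Owner plus every modify-capable ACE on Domain Admins, via the AD: PSDrive.
# Errors are no longer blanket-suppressed: in the original, a failed Import-Module
# or Get-ADGroup left $DN empty, Get-Acl failed silently and the script printed an
# empty -- i.e. reassuring -- list. For an audit that is a false negative.
Import-Module ActiveDirectory -ErrorAction Stop
Set-Location AD:

$MemberGuid = 'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schema GUID of the "member" attribute
$AllGuid    = '00000000-0000-0000-0000-000000000000'   # ACE applies to all properties

# The original pasted two statements onto one line (".DistinguishedName$owner = ...");
# split them back out. -Properties * is not needed for DistinguishedName.
$DN    = (Get-ADGroup -Identity 'Domain Admins' -ErrorAction Stop).DistinguishedName
$acl   = Get-Acl -Path $DN
$owner = $acl.Owner
Write-Host "$owner owns this object. Owners have implicit privilege to do anything."

# NOTE: Domain Admins is a protected group. SDProp re-stamps its ACL from
# CN=AdminSDHolder,CN=System,<domain> (every 60 minutes by default), so anything
# you find here -- or that an attacker plants -- must also be checked on AdminSDHolder.

# An ACE counts as "can modify the group" when it is an Allow ACE granting one of:
#   - WriteProperty or Self (validated write) on member, or on all properties
#   - GenericWrite / GenericAll (imply WriteProperty on everything)
#   - WriteDacl / WriteOwner (rewrite the ACL, then grant yourself anything)
# The Allow test sits outside the -or chain on purpose: -and binds tighter than
# -or, so the original "... -or (Self ...) -and Allow" gated only the Self clause
# and reported Deny ACEs for the other rights as if they granted access.
($acl.Access | Where-Object {
    ($_.AccessControlType -eq 'Allow') -and
    (
        ((($_.ActiveDirectoryRights -like '*WriteProperty*') -or
          ($_.ActiveDirectoryRights -like '*Self*')) -and
         (($_.ObjectType -eq $MemberGuid) -or ($_.ObjectType -eq $AllGuid))) -or
        ($_.ActiveDirectoryRights -like '*GenericWrite*') -or
        ($_.ActiveDirectoryRights -like '*GenericAll*') -or
        ($_.ActiveDirectoryRights -like '*WriteDACL*') -or
        ($_.ActiveDirectoryRights -like '*WriteOwner*')
    )
}).IdentityReference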
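# Interactive version: who can modify an arbitrary AD group, and who is nested
# inside those identities. Prints the owner, the identities holding a
# modify-capable ACE, every recursively nested member, and a total count.
# Blanket $ErrorActionPreference = "SilentlyContinue" is gone: it hid a mistyped
# group name (empty ACL -> "0 users & groups"), and it hid Get-ADGroupMember
# failing on every non-group identity in the loop below.
Import-Module ActiveDirectory -ErrorAction Stop
Set-Location AD:

$MemberGuid = 'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schema GUID of the "member" attribute
$AllGuid    = '00000000-0000-0000-0000-000000000000'   # ACE applies to all properties
$OutFile    = 'C:\Temp\suspects.txt'                    # a ready-made target list: keep it somewhere access-controlled

$GroupInQuestion = Read-Host 'Please enter an AD group'
$DN    = (Get-ADGroup -Identity $GroupInQuestion -ErrorAction Stop).DistinguishedName
$acl   = Get-Acl -Path $DN
$owner = $acl.Owner
Write-Host "$owner owns this object. Owners have implicit privilege to do anything."

# Allow ACEs granting WriteProperty/Self on member (or on all properties),
# GenericWrite/GenericAll, or WriteDacl/WriteOwner. The Allow test is outside the
# -or chain: -and binds tighter than -or, so the original "... -or X -and Allow"
# gated only the last clause and listed Deny ACEs as if they granted access.
# .Value yields the plain "DOMAIN\name" string, replacing the -replace "Value"
# hack that stripped the NTAccount table header from formatted output.
$suspects = $acl.Access | Where-Object {
    ($_.AccessControlType -eq 'Allow') -and
    (
        ((($_.ActiveDirectoryRights -like '*WriteProperty*') -or
          ($_.ActiveDirectoryRights -like '*Self*')) -and
         (($_.ObjectType -eq $MemberGuid) -or ($_.ObjectType -eq $AllGuid))) -or
        ($_.ActiveDirectoryRights -like '*GenericWrite*') -or
        ($_.ActiveDirectoryRights -like '*GenericAll*') -or
        ($_.ActiveDirectoryRights -like '*WriteDACL*') -or
        ($_.ActiveDirectoryRights -like '*WriteOwner*')
    )
} | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

# The original fused this onto the end of the previous statement (".IdentityReferenceWrite-Host").
Write-Host "These groups can change the given group. Nested users in those groups listed below:"

# Start from a fresh file. The original used -Append on every run, so stale
# principals from earlier runs (and earlier groups) inflated the final count.
$null = New-Item -ItemType Directory -Path (Split-Path -Path $OutFile) -Force
Set-Content -Path $OutFile -Value $suspects

foreach ($suspect in $suspects) {
    # "DOMAIN\name" -> "name". An unresolved SID (orphaned ACE, foreign security
    # principal) has no backslash and is passed through unchanged; a SID is a
    # valid -Identity for Get-ADGroup.
    $name = $suspect.Split('\')[-1]
    $grp  = Get-ADGroup -Identity $name -ErrorAction SilentlyContinue
    if ($null -eq $grp) {
        # A user, computer, well-known principal or orphaned SID: nothing to
        # expand. The identity itself is already in the file from Set-Content above;
        # say so instead of silently skipping it as the original did.
        Write-Warning "$suspect is not a resolvable group; listed as-is"
        continue
    }
    (Get-ADGroupMember -Identity $grp -Recursive).Name | Add-Content -Path $OutFile
}

$unique = Get-Content -Path $OutFile | Sort-Object -Unique
$unique
$Count = @($unique).Count
Write-Host "$Count users & groups can screw with the specified group"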

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from work or the lab.