Who can reset the CISO’s password?

Get-ADUser -Filter {(Description -like "*") -and (Description -notlike "*Service*") -and (Description -notlike "*IT*") -and (Description -notlike "*Project*")} -Properties Description | Select-Object Name, Description
Set-ADUser ElizabethMyers -Description "CISO"
(Get-ADUser -Filter {Description -like "CISO"} -Properties Description).SamAccountName
# Get-Acl needs an AD: provider path (or a prior Set-Location AD:); a bare DN is not found from a C:\ prompt
(Get-Acl -Path ("AD:\" + (Get-ADUser ElizabethMyers).DistinguishedName)).Access | Where-Object {$_.IdentityReference -like "*Domain Admins*"}
Import-Module ActiveDirectory
Set-Location AD:
$user = (Get-ADUser "ElizabethMyers").DistinguishedName
$owner = (Get-Acl $user).Owner
Write-Host "$owner owns this object. The owner implicitly holds WriteDacl and can grant itself any right."
# Reset Password is the User-Force-Change-Password control access right (GUID 00299570-...), which appears as an
# ExtendedRight ACE, not a WriteProperty one; the all-zero GUID means the ACE covers all extended rights.
# GenericWrite does not carry the reset right itself, but write access to every attribute still hands over the account.
((Get-Acl $user).Access | Where-Object {((($_.ActiveDirectoryRights -like "*ExtendedRight*") -and (($_.ObjectType -eq "00299570-246d-11d0-a768-00aa006e0529") -or ($_.ObjectType -eq "00000000-0000-0000-0000-000000000000"))) -or ($_.ActiveDirectoryRights -like "*GenericWrite*") -or ($_.ActiveDirectoryRights -like "*GenericAll*")) -and ($_.AccessControlType -eq "Allow")}).IdentityReference | Sort-Object -Unique
  • As we saw above, other rights such as Full Control (GenericAll) also include resetting the password, so checking only the reset right itself misses them
  • This only lists the groups (and other principals) holding the right, not the accounts nested in those groups
  • Multiple groups had the rights in question
  • The same users were in multiple groups that had the rights
  • Groups that had the rights were nested in other groups that also had the rights
Import-Module ActiveDirectory
Set-Location AD:
# Get-ADGroupMember throws for principals that are not groups (a user with a direct grant, NT AUTHORITY\SELF, SYSTEM).
# This hides those errors; the principals themselves are still written to the file by the first Out-File below.
$ErrorActionPreference = "SilentlyContinue"
$out = "C:\Temp\suspects.txt"
if (Test-Path $out) { Remove-Item $out }   # -Append below would otherwise mix in results from earlier runs
$User = (Get-ADUser "ElizabethMyers").DistinguishedName
$owner = (Get-Acl $User).Owner
Write-Host "$owner owns this object. The owner implicitly holds WriteDacl and can grant itself any right."
# Reset Password (User-Force-Change-Password, 00299570-...) or all extended rights (all-zero GUID), plus the rights that
# let a principal rewrite the object's attributes or its ACL and so get there indirectly.
$suspects = ((Get-Acl $User).Access | Where-Object {((($_.ActiveDirectoryRights -like "*ExtendedRight*") -and (($_.ObjectType -eq "00299570-246d-11d0-a768-00aa006e0529") -or ($_.ObjectType -eq "00000000-0000-0000-0000-000000000000"))) -or ($_.ActiveDirectoryRights -like "*WriteProperty*") -or ($_.ActiveDirectoryRights -like "*GenericWrite*") -or ($_.ActiveDirectoryRights -like "*GenericAll*") -or ($_.ActiveDirectoryRights -like "*WriteDACL*") -or ($_.ActiveDirectoryRights -like "*WriteOwner*")) -and ($_.AccessControlType -eq "Allow")}).IdentityReference
# The bare "*WriteProperty*" match also catches ACEs limited to a single attribute or property set (e.g. SELF on
# Personal-Information), so expect some over-reporting.
Write-Host "These principals can change the given user's password, directly or by rewriting the object. Members of the groups among them follow:"
$suspects | Sort-Object -Unique
$suspects | Out-File $out -Append
ForEach ($suspect in $suspects)
{
    $group = ([string]$suspect).Split("\")[-1]        # "DOMAIN\Group" -> "Group"
    $members = (Get-ADGroupMember -Identity $group -Recursive).Name
    $members | Out-File $out -Append
}
Get-Content $out | Sort-Object -Unique
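The following is an added example, not code from the original notes, that does the same job as the two scripts above but closes the gaps listed in the bullets: it uses a full AD: provider path so no Set-Location is needed, tests the rights bits with HasFlag instead of matching on the enum's string form, records which right gave the access and whether the ACE was inherited from an OU or AdminSDHolder, reports Deny entries instead of ignoring them, and tells groups apart from direct user grants and well-known principals (NT AUTHORITY\SELF, SYSTEM) before expanding, so nothing is lost behind $ErrorActionPreference. It assumes the RSAT ActiveDirectory module on a domain-joined host; the account name ElizabethMyers and the two function names are placeholders.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module on a
# domain-joined host; 'ElizabethMyers' and the function names are placeholders.
Import-Module ActiveDirectory

# Schema-defined control access right GUIDs; identical in every forest.
$ForceChangePassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password (Reset Password)
$AnyObjectType       = [guid]'00000000-0000-0000-0000-000000000000'   # ACE applies to all rights / all properties
$ADR = [System.DirectoryServices.ActiveDirectoryRights]

function Get-PasswordResetAces {
    # One row per ACE on the user object that grants (or denies) a way to reset the password,
    # or to rewrite the ACL / attributes so that a reset or takeover becomes possible.
    param([Parameter(Mandatory)][string]$SamAccountName)

    $dn  = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"          # provider path, so no Set-Location AD: is required

    # The owner implicitly holds WriteDacl and can grant itself any right, so list it first.
    [pscustomobject]@{ Principal = $acl.Owner; Via = 'Owner'; Type = 'Allow'; Inherited = $false }

    foreach ($ace in $acl.Access) {
        $r   = $ace.ActiveDirectoryRights
        $via = $null
        if ($r.HasFlag($ADR::GenericAll)) {
            $via = 'GenericAll'
        } elseif ($r.HasFlag($ADR::ExtendedRight) -and $ace.ObjectType -in @($ForceChangePassword, $AnyObjectType)) {
            $via = 'ExtendedRight: Reset Password'
        } elseif ($r.HasFlag($ADR::WriteDacl) -or $r.HasFlag($ADR::WriteOwner)) {
            $via = 'WriteDacl/WriteOwner (can grant itself the right)'
        } elseif ($r.HasFlag($ADR::GenericWrite) -or
                 ($r.HasFlag($ADR::WriteProperty) -and $ace.ObjectType -eq $AnyObjectType)) {
            $via = 'Write all attributes (account takeover without a reset)'
        }
        if ($via) {
            [pscustomobject]@{
                Principal = $ace.IdentityReference.Value
                Via       = $via
                Type      = $ace.AccessControlType.ToString()   # Deny rows are reported, not evaluated
                Inherited = $ace.IsInherited                    # True: came from a parent OU or AdminSDHolder
            }
        }
    }
}

function Resolve-PrincipalMembers {
    # Expands 'DOMAIN\Name' to user sAMAccountNames. Groups are expanded recursively, users and
    # computers are returned as-is, and names that do not resolve to a domain object (well-known
    # SIDs such as NT AUTHORITY\SELF, unresolved SIDs from a trusted domain) are returned with a
    # marker instead of being silently dropped.
    param([Parameter(Mandatory)][string]$Principal)

    $name = $Principal.Split('\')[-1]
    $obj  = Get-ADObject -Filter "sAMAccountName -eq '$name'" -Properties objectClass
    if (-not $obj) { return "$Principal (not a domain object; check manually)" }

    if ($obj.objectClass -eq 'group') {
        # -Recursive fails on very large groups and on foreign security principals; surface that
        # rather than hiding it behind $ErrorActionPreference.
        try {
            (Get-ADGroupMember -Identity $obj.DistinguishedName -Recursive -ErrorAction Stop |
                Where-Object objectClass -eq 'user').SamAccountName
        } catch {
            "$Principal (group expansion failed: $($_.Exception.Message))"
        }
    } else {
        $name
    }
}

$aces = Get-PasswordResetAces -SamAccountName 'ElizabethMyers'
$aces | Format-Table Principal, Via, Type, Inherited -AutoSize

# A Deny ACE on the same right can override an Allow for members of that principal; review before trusting the list.
$aces | Where-Object Type -eq 'Deny' | ForEach-Object { Write-Warning "Deny ACE for $($_.Principal): $($_.Via)" }

$people = $aces | Where-Object Type -eq 'Allow' | Select-Object -ExpandProperty Principal -Unique |
          ForEach-Object { Resolve-PrincipalMembers -Principal $_ }
$people | Sort-Object -Unique
```

The Inherited column is what tells you whether a right was granted on this one account or on an OU above it (and therefore on every account beneath it); for a protected account (adminCount=1) the ACL is re-stamped from AdminSDHolder, so a surprising entry there points at CN=AdminSDHolder,CN=System rather than at the user object.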

Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from work or the lab.