Use PowerShell to search for delegated (password reset) permissions in Active Directory!


 

Dear Microsoft Active Directory friends,

 

This article is about finding delegated permissions in Active Directory, specifically the right to reset passwords.

 

The following situation: you "inherit" a new customer and would like to know whether your "predecessor" worked with delegated permissions. For example, a person or group may have been authorized to reset the password of every user in a particular organizational unit. Honestly, this is difficult to determine.

 

Not only are these permissions hidden in Active Directory Users and Computers by default, there is also no built-in tool that gives an overview of how permissions have been applied in AD. This is where PowerShell comes into play.

 

I have run the script on a domain controller, and the output appears in Out-GridView (if there is a match). Please do not forget to adjust the LDAP path in the script. Note that the script lists only ACEs set directly on an object (inherited entries are skipped), so it shows where a delegation was configured rather than every user it applies to.

 

# Object classes to inspect: the domain root, OUs, groups, user accounts (sAMAccountType 805306368) and computers
$filter = "(|(objectClass=domain)(objectClass=organizationalUnit)(objectClass=group)(sAMAccountType=805306368)(objectCategory=Computer))"

# "LDAP://DOMAINCONTROLLER/LDAP": replace DOMAINCONTROLLER and the LDAP path with your values
$bSearch = New-Object System.DirectoryServices.DirectoryEntry("LDAP://DC01/DC=zodiac,DC=local")
$dSearch = New-Object System.DirectoryServices.DirectorySearcher($bSearch)
$dSearch.SearchRoot = $bSearch
$dSearch.PageSize = 1000
$dSearch.Filter = $filter
$dSearch.SearchScope = "Subtree"

# GUID of the extended right "Reset Password" (User-Force-Change-Password)
$extPerms = @('00299570-246d-11d0-a768-00aa006e0529')

# Principals that hold this right by design and are not delegations:
# SELF, SYSTEM and Account Operators (S-1-5-32-548; the BUILTIN name is localised on non-English DCs)
$ignore = @('NT AUTHORITY\SELF', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Account Operators')

$results = @()

foreach ($objResult in $dSearch.FindAll())
{
    $obj = $objResult.GetDirectoryEntry()

    Write-Host "Searching... " $obj.distinguishedName

    # Explicit ACEs only ($false = do not include inherited ones); identities are returned as DOMAIN\Name
    $permissions = $obj.PsBase.ObjectSecurity.GetAccessRules($true, $false, [Security.Principal.NTAccount])

    $results += $permissions | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ObjectType -in $extPerms) -and
        ($_.IdentityReference -notin $ignore)
    } | Select-Object `
        @{n='Object';     e={$obj.distinguishedName}},
        @{n='Account';    e={$_.IdentityReference}},
        @{n='Permission'; e={$_.ActiveDirectoryRights}}
}

# Show the output directly in Out-GridView
$results | Out-GridView

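As an added example (not the script above and not from the author's repository), here is the same search done with the RSAT ActiveDirectory module. It goes beyond the script above in two ways: it also reports grants that include the reset right implicitly (GenericAll and "all extended rights"), and it shows the scope of each ACE, i.e. whether it reaches every descendant or only user/computer objects. The function name Get-ResetPasswordDelegation and the small class-name table are my own assumptions.

```powershell
Import-Module ActiveDirectory

# Extended right "User-Force-Change-Password" (reset a password without knowing the old one)
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$AnyGuid = [guid]::Empty   # in ObjectType: all extended rights; in InheritedObjectType: all classes
# Schema class GUIDs usually seen in InheritedObjectType of delegated ACEs (assumed table, extend as needed)
$ClassName = @{
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user'
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'computer'
    '4828cc14-1437-45bc-9b07-ad6f015e5f28' = 'inetOrgPerson'
}
$GenericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Get-ResetPasswordDelegation {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        # SELF, SYSTEM and Account Operators hold the right by design; compared by SID so localised names do not matter
        [string[]]$IgnoreSid = @('S-1-5-10', 'S-1-5-18', 'S-1-5-32-548')
    )
    # Same object classes as the script above
    $filter = '(|(objectClass=domain)(objectClass=organizationalUnit)(objectClass=group)(sAMAccountType=805306368)(objectCategory=computer))'
    $objects = Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -LDAPFilter $filter -Properties nTSecurityDescriptor
    foreach ($o in $objects) {
        foreach ($ace in $o.nTSecurityDescriptor.Access) {
            # Only Allow ACEs set directly on this object, i.e. the place where the delegation was configured
            if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -in $IgnoreSid) { continue }
            # Which grant conveys the right: explicit reset, all extended rights, or full control
            $rights = $ace.ActiveDirectoryRights
            $how = $null
            if ($rights.HasFlag($GenericAll)) { $how = 'GenericAll' }
            elseif ($rights.HasFlag($ExtRight) -and $ace.ObjectType -eq $ResetPasswordGuid) { $how = 'Reset Password' }
            elseif ($rights.HasFlag($ExtRight) -and $ace.ObjectType -eq $AnyGuid) { $how = 'All Extended Rights' }
            if (-not $how) { continue }
            # Scope: which descendant classes the ACE reaches (Guid.Empty = every class)
            $cls = $ClassName[$ace.InheritedObjectType.ToString()]
            if ($ace.InheritedObjectType -eq $AnyGuid) { $cls = 'all' } elseif (-not $cls) { $cls = $ace.InheritedObjectType }
            $scope = switch ($ace.InheritanceType) {
                'None'            { 'this object only' }
                'All'             { "this object and all descendant $cls objects" }
                'Descendents'     { "all descendant $cls objects" }
                'SelfAndChildren' { "this object and direct child $cls objects" }
                'Children'        { "direct child $cls objects" }
            }
            [pscustomobject]@{ Object = $o.DistinguishedName; Account = $ace.IdentityReference.Value; Grant = $how; AppliesTo = $scope }
        }
    }
}
Get-ResetPasswordDelegation | Sort-Object Object | Out-GridView
```

An ACE reported as "Reset Password" on "all descendant user objects" of an OU is the classic delegation the article is looking for; a "GenericAll" row on "all descendant all objects" is a much broader grant that deserves a second look.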

 

You can also find the script here under the following link:

https://github.com/tomwechsler/Active_Directory_mit_der_PowerShell_verwalten/blob/main/Search_delega...

 

I hope this article was helpful for you. Thank you for taking the time to read it.

 

Best regards, Tom Wechsler

 

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub: https://github.com/tomwechsler
