# PowerShell script to check which users and groups hold the "DS-Replication-Get-Changes-All" extended right (a.k.a. DCSync)
# It also checks whether the domain is part of a forest, so that user and group names can be resolved from other domains when needed
# Just specify the domain name as a parameter -> Check-DCSync-Principals -domainname YOUR.DOMAIN.COM
# Function to retrieve ACEs
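function Get-ACEs($path) {
    <#
    .SYNOPSIS
    Emits the IdentityReference of every "Allow" ACE on the computer object $path that
    carries the extended right whose GUID is in $extendedRightsCheck.

    .NOTES
    Reads $domainName, $domainController and $extendedRightsCheck from the calling scope
    (Check-DCSync-Principals). Identities are written to the output stream for the caller
    to collect: appending to $usersWithExtendedRights from inside this function only
    creates a function-local copy, so the caller would never see those additions.
    #>
    $dn = (Get-ADComputer -Identity $path -Server $domainName).DistinguishedName
    $acl = (Get-ADObject -Identity $dn -Server $domainController -Properties nTSecurityDescriptor).nTSecurityDescriptor.Access
    Select-ExtendedRightIdentity $acl $extendedRightsCheck
}

# Emits the IdentityReference of every "Allow" ACE in $accessRules whose ObjectType is
# $rightGuid. Shared by the domain-head and domain-controller checks so both apply the
# same filter.
function Select-ExtendedRightIdentity($accessRules, $rightGuid) {
    $accessRules |
        Where-Object { $_.ObjectType -eq $rightGuid -and $_.AccessControlType -eq "Allow" } |
        ForEach-Object { $_.IdentityReference }
}

# Returns the SID string for an ACE identity, or $null when it cannot be determined.
# nTSecurityDescriptor typically exposes resolvable principals as NTAccount ("DOMAIN\name")
# and only unresolvable ones as SecurityIdentifier, so using .Value directly as a SID
# would miss every resolvable principal; NTAccounts are translated first.
function ConvertTo-SidString($identity) {
    if ($identity -is [System.Security.Principal.SecurityIdentifier]) {
        return $identity.Value
    }
    try {
        return $identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        # Deliberately best-effort: an untranslatable identity is reported as Unknown.
        return $null
    }
}

# Function to determine object type from SID
function Get-ObjectTypeFromSID($sid) {
    <#
    .SYNOPSIS
    Looks up $sid in every domain of the forest and reports what kind of object it is.

    .OUTPUTS
    PSCustomObject with ObjectType ("User", "Group" or "Unknown"), Domain (the domain the
    object was found in, or "Unknown") and Name (SamAccountName for users, Name for groups,
    $null when unknown).

    .NOTES
    Reads $domainName from the calling scope.
    #>
    # Get-ADForest raises an error instead of returning $false when the forest cannot be
    # queried, so the failure is suppressed explicitly and a single-domain list is used.
    # The same forest object is reused (the earlier code re-queried without -Server, which
    # could answer for a different forest than the one being audited).
    $forest = Get-ADForest -Server $domainName -ErrorAction SilentlyContinue
    if ($forest) {
        $domains = $forest.Domains
    } else {
        $domains = @($domainName)
    }
    foreach ($domain in $domains) {
        $adUser = Get-ADUser -Filter { Sid -eq $sid } -Server $domain -ErrorAction SilentlyContinue
        if ($adUser) {
            return [PSCustomObject]@{
                ObjectType = "User"
                Domain     = $domain
                Name       = $adUser.SamAccountName
            }
        }
        $adGroup = Get-ADGroup -Filter { Sid -eq $sid } -Server $domain -ErrorAction SilentlyContinue
        if ($adGroup) {
            return [PSCustomObject]@{
                ObjectType = "Group"
                Domain     = $domain
                Name       = $adGroup.Name
            }
        }
    }
    return [PSCustomObject]@{
        ObjectType = "Unknown"
        Domain     = "Unknown"
        Name       = $null
    }
}

function Check-DCSync-Principals ($domainName){
    <#
    .SYNOPSIS
    Lists every principal that is explicitly granted DS-Replication-Get-Changes-All
    ("DCSync") on the domain naming context or on the discovered domain controller's
    computer object, resolved to name, object type and home domain.

    .PARAMETER domainName
    DNS name of the domain to audit; also used to discover a domain controller.

    .OUTPUTS
    A Format-Table view (formatting objects, not data), as in the original; pipe-unfriendly.
    #>
    $extendedRightsCheck = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" # This is the GUID used in the ACE for DS-Replication-Get-Changes-All -> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/1522b774-6464-41a3-87a5-1e5633c3fbbb
    # NOTE(review): only ACEs naming this exact GUID are matched. Grants that cover all
    # extended rights (empty ObjectType GUID) or GenericAll also confer this right but are
    # not reported here, so "not listed" means "no explicit grant", not "cannot replicate".
    $usersWithExtendedRights = @()
    # Get domain controller name
    $domainController = (Get-ADDomainController -Server $domainName).Name
    # Check default domain path
    $domainAcl = (Get-ADObject -Filter "objectClass -eq 'domain'" -Server $domainController -Properties nTSecurityDescriptor).nTSecurityDescriptor.Access
    $usersWithExtendedRights += @(Select-ExtendedRightIdentity $domainAcl $extendedRightsCheck)
    # Check domain controller path; Get-ACEs emits identities, they are collected here
    $usersWithExtendedRights += @(Get-ACEs -Path $domainController)
    # Remove duplicates (@() keeps a single survivor as an array rather than a scalar)
    $usersWithExtendedRights = @($usersWithExtendedRights | Select-Object -Unique)
    # Convert identities to SIDs, then to names and object types
    $usersWithNames = foreach ($user in $usersWithExtendedRights) {
        $sidValue = ConvertTo-SidString $user
        $name = "Unknown"
        $foundDomain = "Unknown"
        $typeName = "Unknown"
        if ($sidValue) {
            $objectType = Get-ObjectTypeFromSID $sidValue
            $typeName = $objectType.ObjectType
            if ($typeName -ne "Unknown") {
                $foundDomain = $objectType.Domain
                $name = $objectType.Name
            }
        }
        # Principals that are not AD user/group objects (e.g. built-in NT AUTHORITY
        # identities) still carry a readable name on the ACE; prefer it over "Unknown".
        if ($name -eq "Unknown" -and $user -is [System.Security.Principal.NTAccount]) {
            $name = $user.Value
        }
        [PSCustomObject]@{
            SID        = $sidValue
            Name       = $name
            ObjectType = $typeName
            Domain     = $foundDomain
        }
    }
    # Output the users and groups with extended rights
    $usersWithNames | Format-Table
}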