BloodHoundAD / BloodHound

Six Degrees of Domain Admin
GNU General Public License v3.0

Fix AZResetPassword false positives #632

Closed simondotsh closed 1 year ago

simondotsh commented 1 year ago

Some roles cannot reset the password of users that either own or are members of role-assignable groups. The queries to create AZResetPassword edges have been modified to take this into account for the following roles:

simondotsh commented 1 year ago

I validated the queries with a large data set, and they are far too expensive. I will reopen a pull request whenever I find a proper fix.