CravateRouge / bloodyAD

BloodyAD is an Active Directory Privilege Escalation Framework
MIT License

Can't set ShadowCredentials if the target already has one #16

Closed GeisericII closed 2 years ago

GeisericII commented 2 years ago

The first run goes fine, then, re-running it, shows Insufficient Access. [image]

Then, flushing it and rerunning, goes smooth again: [image]

Is it possible to add a method to flush the attribute if not empty?

Cheers!

CravateRouge commented 2 years ago

You can already flush the attribute easily with:

bloodyAD -d ace.local -c :administrator.pem --host dc.ace.local setShadowCredentials 'dc$' False

And if you want to remove a specific key:

bloodyAD -d ace.local -c :administrator.pem --host dc.ace.local setShadowCredentials 'dc$' False "" 0e23749e-ca12-b96c-197d-40c381c71852

Also I would be curious to have the output (in a text file) of:

bloodyAD -d ace.local -c :administrator.pem --host dc.ace.local getObjectAttributes 'dc$' nTSecurityDescriptor True

And the number of keys contained in the attribute:

bloodyAD -d ace.local -c :administrator.pem --host dc.ace.local getObjectAttributes 'dc$' msDS-KeyCredentialLink

Because right now, I don't see why you can't add a new key using the modify LDAP function and have to delete all the keys first using the modify LDAP function, because it's using the same right. My guess is that you have too many keys registered or you can't have more than one key per user.
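
Added example, not part of the thread and not bloodyAD code: a defender-side parser that counts and identifies the keys in exported msDS-KeyCredentialLink values, so that keys you did not provision stand out. It assumes the values are in the DN-Binary string form `B:<hex char count>:<hex blob>:<owner DN>` with the entry layout from MS-ADTS 2.2.20; the function names, the DN and the GUIDs are constructed for illustration.

```python
import struct
import uuid

# Entry identifiers as read from MS-ADTS 2.2.20 (KEYCREDENTIALLINK_ENTRY).
ENTRY_NAMES = {1: "KeyID", 2: "KeyHash", 3: "KeyMaterial", 4: "KeyUsage",
               5: "KeySource", 6: "DeviceId", 7: "CustomKeyInformation",
               8: "KeyApproximateLastLogonTimeStamp", 9: "KeyCreationTime"}

def parse_key_credential(value):
    """Parse one DN-Binary value: B:<hex char count>:<hex blob>:<owner DN>."""
    tag, count, hex_blob, owner_dn = value.split(":", 3)
    if tag != "B" or int(count) != len(hex_blob):
        raise ValueError("not a well-formed DN-Binary value")
    blob = bytes.fromhex(hex_blob)
    if len(blob) < 4:
        raise ValueError("blob too short for version header")
    version = struct.unpack_from("<I", blob, 0)[0]
    fields, offset = {}, 4
    while offset < len(blob):
        if offset + 3 > len(blob):
            raise ValueError("truncated entry header")
        # Each entry: 2-byte little-endian length, 1-byte identifier, value.
        length, ident = struct.unpack_from("<HB", blob, offset)
        data = blob[offset + 3:offset + 3 + length]
        if len(data) != length:
            raise ValueError("truncated entry value")
        fields[ENTRY_NAMES.get(ident, f"Unknown({ident})")] = data
        offset += 3 + length
    dev = fields.get("DeviceId")
    device_id = str(uuid.UUID(bytes_le=dev)) if dev and len(dev) == 16 else None
    return {"version": version, "owner": owner_dn, "device_id": device_id,
            "fields": sorted(fields)}

def unexpected_keys(values, known_device_ids):
    """Return parsed keys whose DeviceId is not in the set you provisioned."""
    parsed = [parse_key_credential(v) for v in values]
    return [k for k in parsed if k["device_id"] not in known_device_ids]

def constructed_value(device_guid, owner_dn):
    """Build a constructed sample value; the key material is a placeholder."""
    def entry(ident, data):
        return struct.pack("<HB", len(data), ident) + data
    blob = struct.pack("<I", 0x200) + entry(3, b"\x00" * 8) + entry(4, b"\x01")
    blob += entry(6, uuid.UUID(device_guid).bytes_le)
    hex_blob = blob.hex().upper()
    return f"B:{len(hex_blob)}:{hex_blob}:{owner_dn}"

OWNER = "CN=dc,OU=Domain Controllers,DC=ace,DC=local"  # constructed DN
SAMPLE = [constructed_value("11111111-2222-3333-4444-555555555555", OWNER),
          constructed_value("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", OWNER)]
```

Calling `unexpected_keys(SAMPLE, {"11111111-2222-3333-4444-555555555555"})` returns only the second constructed key, which is the entry an auditor would then investigate.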

GeisericII commented 2 years ago

Oh, my bad for the dumb question and thanks a lot for the quick answer. As for the settings, it's a newly built lab so everything is default and I've always assumed the max for each user is only one key, thus the need to flush it before creating a new one.

CravateRouge commented 2 years ago

Not dumb at all, this issue will help me remember you can only have one key per user ;)

Moreover, I know that the command line of bloodyAD is not always as intuitive as I would like it to be. If you have some suggestions I'm more than open to hearing them!

GeisericII commented 2 years ago

Probably adding a few more examples in the readme will be enough, I guess. I'm closing as solved, thank you!