search

MichaelGrafnetter / DSInternals

Directory Services Internals (DSInternals) PowerShell Module and Framework
https://www.dsinternals.com
MIT License
1.62k stars 250 forks source link

Error handling for illegal characters #149

Open sdbruce1 opened 1 year ago

sdbruce1 commented 1 year ago

Hi Michael,

We use this command in our environment: Get-ADDBAccount -All -DatabasePath $ntds -BootKey $Key | Test-PasswordQuality | Out-File report.txt

During a password audit, DSInternals completed Get-ADDBAccount successfully, but failed when piping results to Test-PasswordQuality. Error code is:

Get-ADDBAccount: Value cannot be null. Parameter name: value At line:1 char:1

We found a malformed object in Active Directory. Some of the attributes have been obscured, but please notice illegal character in DN and absence of name or full FQDN. This issue, as a side note, was caused by improper ASDI edit configuration. DistinguishedName : CN=backslash (the character is omitted by Github so I had to type it out) DNSHostName : .domain Enabled : True Name : ObjectClass : computer ObjectGUID : {Redacted, but valid} SamAccountName : $ SID : {Redacted, but valid} UserPrincipalName :

After removing the object from AD, DSInternals is working as expected again.

Wanting to bring this to your attention in case there is a way to allow the command to continue while excluding any AD object with illegal characters.

Thanks for your time.

MichaelGrafnetter commented 1 year ago

Hi @sdbruce1 , would you please be able to provide a PowerShell command, that would create such an account with a malformed DN?

sdbruce1 commented 1 year ago

Hi Michael, after testing in my lab, I was unable to use Powershell to do such. A member of my team was able to replicate the the malformed object by using ASDI edit. We are investigating an internal tool that has caused that behavior.

MichaelGrafnetter commented 1 year ago

@sdbruce1 I was still not able to replicate the issue: image Could you please give me more hints on creating such an account? Could you please also share the exception stack trace?

sdbruce1 commented 1 year ago

image

sdbruce1 commented 1 year ago

Hi Michael, The account you have listed is a mirror of the account we saw. The issue comes when you run this sequence in powershell: Get-ADDBAccount -All -DatabasePath $ntds -BootKey $Key | Test-PasswordQuality | Out-File C:\users\user\desktop\dsi.txt

It seemed to me that Get-ADDBAccount functions but the pipe to Test Password quality is when we saw value cannot be null. The \ acted as an escape character and resulted in error.