TrimarcJake / Locksmith

A small tool built to find and fix common misconfigurations in Active Directory Certificate Services.
https://github.com/TrimarcJake/Locksmith

Bug Fix for SafeUsers when groups are empty #148

Closed techBrandon closed 4 months ago

techBrandon commented 4 months ago

When using the +=, adding an empty value still increments the count of the object, and therefore when adding the pipe between entries it will result in a double pipe.

This double pipe causes problems in the Find-ESC1.ps1 script when the $SafeUsers variable is evaluated, causing the "($SID -notmatch $SafeUsers)" to wrongfully fail. This results in false-negative reporting for any checks using this type of logic.

The existence of the empty item in $SafeUsers will always match on any $SID and therefore no templates will ever report as being misconfigured.
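A reproduction of the behaviour described in the comment above, added here as an example; it is not Locksmith's code. The SIDs are constructed, and `$Lookups`, `$Untrusted` and `New-SafePattern` are hypothetical names, with the empty string standing in for a group lookup that returned nothing.

```powershell
# Constructed sample data: SIDs resolved for "safe" groups. The second lookup
# returned nothing, which is the empty-group case from the report.
$DomainSid = 'S-1-5-21-1111111111-2222222222-3333333333'   # constructed
$Lookups   = @("$DomainSid-512", '', "$DomainSid-519")

# Fragile build: += appends the empty value too, so the array holds three
# items and joining on '|' leaves an empty alternative in the middle.
$Fragile = @()
foreach ($Entry in $Lookups) { $Fragile += $Entry }
$FragilePattern = $Fragile -join '|'

# Hardened build (hypothetical helper): drop empty entries, escape each SID
# as a literal, and fall back to a never-matching pattern if nothing is left.
function New-SafePattern {
    param([string[]]$Sids)
    $Clean = @(
        $Sids |
            Where-Object { -not [string]::IsNullOrWhiteSpace($_) } |
            ForEach-Object { [regex]::Escape($_) }
    )
    if ($Clean.Count -eq 0) { return '(?!)' }   # empty negative lookahead never matches
    return ($Clean -join '|')
}
$FixedPattern = New-SafePattern -Sids $Lookups

# A constructed principal that is on neither list and should be reported.
$Untrusted = "$DomainSid-1105"

# An empty alternative matches at position 0 of every string, so the fragile
# pattern treats every SID as safe and -notmatch can never be true.
[pscustomobject]@{
    FragileCount    = $Fragile.Count
    FragilePattern  = $FragilePattern
    FragileReports  = ($Untrusted -notmatch $FragilePattern)
    FixedPattern    = $FixedPattern
    FixedReports    = ($Untrusted -notmatch $FixedPattern)
    HasEmptyBranch  = ($FragilePattern -match '(^\||\|\||\|$)')
} | Format-List
```

The `HasEmptyBranch` check flags a leading, trailing or doubled pipe, which is a cheap guard to assert on before any allow-list pattern is used in a `-notmatch` filter.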

SamErde commented 4 months ago

Woah, awesome find, Brandon! I'd love to see this bug reproduced if possible. Happy to see a simple fix either way!

TrimarcJake commented 4 months ago

Merged into testing. Will be part of 2024.8!

SamErde commented 4 months ago

@TrimarcJake The block of code this lives in could live well in its own function. Might add to the backlog.