Closed rafalfitt closed 1 year ago
Hello @rafalfitt ! Can you provide the full command you used when generating this issue?
Hello @TrimarcJake
. "C:\Users\Administrator.xxx\Desktop\Invoke-Locksmith.ps1" -Mode 1
this error (and https://github.com/TrimarcJake/Locksmith/issues/10 ) is reported when using RDP connection with "Restricted Admin" mode enabled.
Same.
You cannot call a method on a null-valued expression. At ----------------\Invoke-Locksmith.ps1:363 char
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
PowerShell 7 is a bit more verbose
Success Restart Needed Exit Code Feature Result
True No NoChangeNeeded {}
Get-ADObject: Variable: 'CAHostName' found in expression: $CAHostName is not defined.
126
Get-ADObject: Variable: 'CAHostName' found in expression: $CAHostName is not defined.
126
Get-ADObject: Cannot validate argument on parameter 'Identity'. The argument is null. Provide a valid value for the argument, and then try running the command again.
Get-ADObject: Cannot validate argument on parameter 'Identity'. The argument is null. Provide a valid value for the argument, and then try running the command again.
InvalidOperation: ------- \Invoke-Locksmith.ps1:363
Line |
363 | $Issue | Add-Member -MemberType NoteProperty -Name Forest .
| ~~~~~~~~~~~~~
| You cannot call a method on a null-valued expression.
@appelboom are you using Restricted admin mode also?
Restricted admin mode
Yes, Enabled. If I set HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin=1 it runs fine
This is in our next sprint!
@appelboom @rafalfitt
The solution we are considering for this issue is to prompt for credentials at the beginning of the script... but that sort of ruins the point of using Restricted Admin mode. However, we'd be willing to institute this change with a very strongly worded warning + confirmation required.
Would you consider this issue resolved with this solution?
Hi, Yes. No concerns
On Wed, 23 Nov 2022 at 04:02, Jake Hildreth @.***> wrote:
@appelboom https://github.com/appelboom @rafalfitt https://github.com/rafalfitt
The solution we are considering for this issue is to prompt for credentials at the beginning of the script... but that sort of ruins the point of using Restricted Admin mode. However, we'd be willing to institute this change with a very strongly worded warning + confirmation required.
Would you consider this issue resolved with this solution?
— Reply to this email directly, view it on GitHub https://github.com/TrimarcJake/Locksmith/issues/9#issuecomment-1324178167, or unsubscribe https://github.com/notifications/unsubscribe-auth/AFCNFIKTZQXRPD3TDVCDW2TWJURFJANCNFSM6AAAAAARTPULOE . You are receiving this because you were mentioned.Message ID: @.***>
-- Kind regards Eric Appelboom CISA CISM CRISC CISSP-ISSAP CSSLP CGEIT CEH CCSE MCITP ITIL TOGAF MInfoSysSecurity SEC+ MCSA(SECURITY) MCSE MCTS MCITP http://www.linkedin.com/in/eappelboom
Yes, warning is OK + IMHO it is enough in such situation.
Is this the same issue?
Is this the same issue?
Yep, same issue. Restricted admin mode doesn't allow credentials to be passed, so those AD cmdlets fail. https://github.com/TrimarcJake/Locksmith/pull/16 should fix this
@0x11DFE @rafalfitt @appelboom
The changes required for proper operation in Restricted Admin Mode are now included in the testing branch. Would you mind testing in your environment?
@0x11DFE @rafalfitt @appelboom
The changes required for proper operation in Restricted Admin Mode are now included in the testing branch. Would you mind testing in your environment?
I just tried and I am having the same exact issue.
@0x11DFE Can you please provide the full command you supplied when you get this error? The updated code should warn you that Restricted Admin Mode is enabled and instruct you to run again passing the -Credential
argument with domain\username
as a value.
@0x11DFE also, make sure you are using the testing branch. We have not pushed these changes to main yet.
@0x11DFE also, make sure you are using the testing branch. We have not pushed these changes to main yet.
I am.
@0x11DFE Can you please provide the full command you supplied when you get this error? The updated code should warn you that Restricted Admin Mode is enabled and instruct you to run again passing the
-Credential
argument withdomain\username
as a value.
I don't have any passwords on this computer.
PS C:\Users\***\Desktop> .\Invoke-Locksmith.ps1
Get-ADForest : The term 'Get-ADForest' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:75 char:22
+ $DNSRoot = [string]((Get-ADForest).RootDomain | Get-ADDomain).DNSRoot
+ ~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-ADForest:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Get-ADForest : The term 'Get-ADForest' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:76 char:35
+ $EnterpriseAdminsSID = ([string]((Get-ADForest).RootDomain | Get-ADDo ...
+ ~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-ADForest:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
New-Object : A constructor was not found. Cannot find an appropriate constructor for type
System.Security.Principal.SecurityIdentifier.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:77 char:19
+ ... rredOwner = New-Object System.Security.Principal.SecurityIdentifier($ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (:) [New-Object], PSArgumentException
+ FullyQualifiedErrorId : CannotFindAppropriateCtor,Microsoft.PowerShell.Commands.NewObjectCommand
Get-ADForest : The term 'Get-ADForest' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:114 char:25
+ $Targets = (Get-ADForest).Name
+ ~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-ADForest:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Install-WindowsFeature : The term 'Install-WindowsFeature' is not recognized as the name of a cmdlet, function, script
file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct
and try again.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:632 char:5
+ Install-WindowsFeature -Name RSAT-AD-PowerShell
+ ~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Install-WindowsFeature:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Gathering AD CS Objects from ...
Get-ADCSObject : Cannot bind argument to parameter 'Targets' because it is null.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:646 char:44
+ $ADCSObjects = Get-ADCSObject -Targets $Targets
+ ~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Get-ADCSObject], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Get-ADCSObject
Set-AdditionalCAProperty : Cannot bind argument to parameter 'ADCSObjects' because it is null.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:647 char:43
+ Set-AdditionalCAProperty -ADCSObjects $ADCSObjects
+ ~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Set-AdditionalCAProperty], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Set-AdditionalCAProperty
Get-CAHostObject : Cannot bind argument to parameter 'ADCSObjects' because it is null.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:648 char:51
+ $ADCSObjects += Get-CAHostObject -ADCSObjects $ADCSObjects
+ ~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Get-CAHostObject], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Get-CAHostObject
Get-CAHostObject : Cannot bind argument to parameter 'ADCSObjects' because it is null.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:649 char:46
+ $CAHosts = Get-CAHostObject -ADCSObjects $ADCSObjects
+ ~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Get-CAHostObject], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Get-CAHostObject
The property 'Name' cannot be found on this object. Verify that the property exists.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:650 char:33
+ $CAHosts | ForEach-Object { $SafeUsers += '|' + $_.Name }
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], PropertyNotFoundException
+ FullyQualifiedErrorId : PropertyNotFoundStrict
Identifying auditing issues...
Find-AuditingIssue : Cannot bind argument to parameter 'ADCSObjects' because it is null.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:656 char:58
+ [array]$AuditingIssues = Find-AuditingIssue -ADCSObjects $ADCSObjects
+ ~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Find-AuditingIssue], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Find-AuditingIssue
Identifying AD CS templates with dangerous configurations...
Find-ESC1 : Cannot bind argument to parameter 'ADCSObjects' because it is null.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:661 char:39
+ [array]$ESC1 = Find-ESC1 -ADCSObjects $ADCSObjects -SafeUsers $SafeUs ...
+ ~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Find-ESC1], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Find-ESC1
Find-ESC2 : Cannot bind argument to parameter 'ADCSObjects' because it is null.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:662 char:39
+ [array]$ESC2 = Find-ESC2 -ADCSObjects $ADCSObjects -SafeUsers $SafeUs ...
+ ~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Find-ESC2], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Find-ESC2
Identifying AD CS template and other objects with poor access control...
Find-ESC4 : Cannot bind argument to parameter 'ADCSObjects' because it is null.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:667 char:39
+ [array]$ESC4 = Find-ESC4 -ADCSObjects $ADCSObjects -SafeUsers $SafeUs ...
+ ~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Find-ESC4], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Find-ESC4
Find-ESC5 : Cannot bind argument to parameter 'ADCSObjects' because it is null.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:668 char:39
+ [array]$ESC5 = Find-ESC5 -ADCSObjects $ADCSObjects -SafeUsers $SafeUs ...
+ ~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Find-ESC5], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Find-ESC5
Find-ESC6 : Cannot bind argument to parameter 'ADCSObjects' because it is null.
At C:\Users\***\Desktop\Invoke-Locksmith.ps1:669 char:39
+ [array]$ESC6 = Find-ESC6 -ADCSObjects $ADCSObjects
+ ~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Find-ESC6], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Find-ESC6
If you look at the first error message in your output, it would appear as though you do not have RSAT tools installed.
It also looks like you're running this from a non-server os since you're also getting this error message
Locksmith currently only supports installing RSAT AD PowerShell cmdlets via the server Install-WindowsFeature
cmdlet. For Windows10 if you wanted to install ALL RSAT features, you could use this command:
Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online
Or if you just want the ActiveDirectory PowerShell cmdlets, this should work:
Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 -Online
After you've installed the appropriate PowerShell cmdlets, be sure to use the testing branch and try to run Locksmith again. Please let us know if that resolves your issue.
Didn't do it
Are you running Locksmith using a DOMAIN account? Unfortunately, your screenshot doesn't provide a lot of information to go on. I'd recommend trying to troubleshoot your connection with the Domain/ADCS first by trying things like: Get-ADForest
and certutil.exe -ping <ADCS server>
.
Are you running Locksmith using a DOMAIN account? Unfortunately, your screenshot doesn't provide a lot of information to go on. I'd recommend trying to troubleshoot your connection with the Domain/ADCS first by trying things like:
Get-ADForest
andcertutil.exe -ping <ADCS server>
.
I am testing it on my local system account, Am I not supposed to?
I am testing it on my local system account, Am I not supposed to?
Running Locksmith as a local account will not work in a properly configured Active Directory. Part of hardening AD is removing anonymous access to the directory. In very old AD environments that needed compatibility with NT4 domains, it may work correctly with a local account, but that's certainly not an expected use case.
Instead, Locksmith should be run in the context of a standard domain user. It's only been tested on domain-joined Windows machines, but I believe it should be able to work on a standalone computer if you use the -Credential switch.
You cannot call a method on a null-valued expression. At C:\Users\Administrator.xxx\Desktop\Invoke-Locksmith.ps1:336 char:13