Enumerating ACLs stalls OS

adrecon / ADRecon

ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.

GNU Affero General Public License v3.0

670 stars 98 forks source link

Enumerating ACLs stalls OS #7

Open Snozzberries opened 2 years ago

Snozzberries commented 2 years ago

Enumerating ACLs in large environments can cause system resource exhaustion in large environments.

I have been able to update the Function Get-ADRACL to include -SearchBase $DnBase and $objSearcherPath.SearchRoot = "LDAP://$DnBase" using an additional property, but that isn't ideal.

The property could be brought into the helper Function Invoke-ADRecon or could be used to iterate through the subtrees as smaller chunks.

Let me know if you want me to merge the -SearchBase and SearchRoot as an example to test with.

prashant3535 commented 2 years ago

That module has been on my todo list for refactor for a while :(

Go for it

Snozzberries commented 2 years ago

I haven't had time to update this into the PR, but I think a quick optimization is to distribute the file writes within a single module. Currently it appears all writes are held in memory until a single write operation at the conclusion of the module.

Here is an example Gist using a subset of the DACL module that iterates over DN Bases and does appending writes. This may not be efficient from a disk IO perspective and may be better to modulo the write frequency. https://gist.github.com/Snozzberries/028dec42f1a253c2ce556aeaedb556f7

prashant3535 commented 2 years ago

I've merged the pull request. Will have a look through the gist and merge the changes when possible. Thank @Snozzberries :)