lithnet / ad-password-protection

Active Directory password filter featuring breached password checking and custom complexity rules
MIT License
496 stars 52 forks

Test-IsADUserPasswordCompromised : Access is denied #80

Closed anon474 closed 2 years ago

anon474 commented 2 years ago

Running PowerShell as admin while logged in as a domain admin on a domain controller (Server 2012 R2), I get the following error.

Test-IsADUserPasswordCompromised : Access is denied
At line:1 char:1

Running the TestIsADUserPasswordCompromised.ps1 script I receive the following error as well.

PS C:\password-protection> .\TestIsADUserPasswordCompromised.ps1
WARNING: User Guest has a null UPN
WARNING: User Administrator has a null UPN
WARNING: User krbtgt has a null UPN
WARNING: User IUSR_W2K8AB1 has a null UPN
Test-IsADUserPasswordCompromised : CRC check failed.
At C:\password-protection\TestIsADUserPasswordCompromised.ps1:31 char:15

Tested removing the domain admin from the Protected Users group, rebooted the DC, and verified that .NET Framework 4.6, PowerShell 5, and Microsoft Visual C++ Runtime 14 (2017) or newer are installed.

ryannewington commented 2 years ago

Can you type the following after the first error you showed

$error[0].Exception.ToString()

and paste the results here.

Check to see that you have "Replicate directory changes all" permission on the top level domain object in AD users and computers. Admins have this by default, but it may have been changed.

anon474 commented 2 years ago

PS C:\password-protection> $error[0].Exception.ToString()
System.UnauthorizedAccessException: Access is denied ---> System.ComponentModel.Win32Exception: Access is denied
   --- End of inner exception stack trace ---
   at DSInternals.Common.Validator.AssertSuccess(Win32ErrorCode code)
   at DSInternals.Replication.Interop.DrsConnection.Bind(IntPtr rpcHandle)
   at DSInternals.Replication.Interop.DrsConnection..ctor(IntPtr rpcHandle, Guid clientDsa)
   at DSInternals.Replication.DirectoryReplicationClient..ctor(String server, RpcProtocol protocol, NetworkCredential credential)
   at Lithnet.ActiveDirectory.PasswordProtection.PowerShell.TestIsADUserPasswordCompromised.BeginProcessing() in D:\dev\git\lithnet\ad-password-protection\src\PasswordProtectionPS\TestIsADUserPasswordCompromised.cs:line 40
   at System.Management.Automation.Cmdlet.DoBeginProcessing()
   at System.Management.Automation.CommandProcessorBase.DoBegin()

I double verified that the "Replicate directory changes all" permission is set to Allow for Domain Admins.

ryannewington commented 2 years ago

This is a strange one. Your account is being denied permission to connect to the replication service via RPC. Are you using any RPC blockers/firewalls? There has to be something non-standard in play if you are running this as a DA, on a DC, and have the replicate directory changes all right.

anon474 commented 2 years ago

There are no RPC blockers/firewalls that I can find. The Windows firewall is not even enabled on the DC. I ran the RPC test script here https://devblogs.microsoft.com/scripting/testing-rpc-ports-with-powershell-and-yes-its-as-much-fun-as-it-sounds/ and the ports it tests show they are reachable.

ryannewington commented 2 years ago

Hi @anon474

I'm not really sure what could be blocking your access here. There is definitely something interfering and denying the connection to the replication endpoint. The code is getting an 'access denied' error when trying to bind to the RPC endpoint. Possibly anti-malware software interfering?

The only things technically needed for this to work are DA rights (or replicate directory changes all), and running on a DC. Something else unique to your environment is in play, but unfortunately, I can't guess as to what it is.
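The two prerequisites named in this thread (the "Replicate directory changes all" right on the domain head, and running on a DC) can be checked from PowerShell before reaching for the cmdlet. The script below is an added example written for this page; it is not part of the lithnet project or of either participant's comments. It assumes the ActiveDirectory RSAT module is available on the DC, and the function names (`Get-ReplicationRightHolders`, `Test-CurrentUserHasReplicationRight`, `Test-IsDomainController`) are hypothetical. The two GUIDs are the schema-defined control access rights DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.

```powershell
# Added example, not from the lithnet project or this issue thread.
# Audits who holds the replication extended rights on the domain naming context and
# whether the current token is covered by one of those ACEs. Requires RSAT ActiveDirectory.
Import-Module ActiveDirectory

# Well-known control access right GUIDs from the AD schema.
$ReplGetChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # Replicating Directory Changes
$ReplGetChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # Replicating Directory Changes All

function Get-ReplicationRightHolders {
    # Hypothetical helper: lists every Allow ACE on the domain head that grants either
    # replication right, so unexpected holders (a DCSync-capable principal) stand out.
    param(
        [string]$DomainDN = (Get-ADDomain).DistinguishedName
    )
    $acl = Get-Acl -Path "AD:\$DomainDN"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            ($_.ObjectType -eq $ReplGetChangesAll -or $_.ObjectType -eq $ReplGetChanges)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Identity  = $_.IdentityReference.Value
                Right     = if ($_.ObjectType -eq $ReplGetChangesAll) { 'Replicating Directory Changes All' }
                            else { 'Replicating Directory Changes' }
                Inherited = $_.IsInherited
            }
        }
}

function Test-CurrentUserHasReplicationRight {
    # Hypothetical helper: true when the current token (user SID or any group SID)
    # matches an Allow ACE for Replicating Directory Changes All. Deny ACEs are not
    # evaluated here, so a $true result is necessary but not sufficient.
    param(
        [string]$DomainDN = (Get-ADDomain).DistinguishedName
    )
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

    foreach ($holder in Get-ReplicationRightHolders -DomainDN $DomainDN) {
        if ($holder.Right -ne 'Replicating Directory Changes All') { continue }
        try {
            $sid = ([System.Security.Principal.NTAccount]$holder.Identity).Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue   # unresolvable (orphaned) SID; skip it
        }
        if ($tokenSids -contains $sid) { return $true }
    }
    return $false
}

function Test-IsDomainController {
    # Hypothetical helper: Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    return ($role -ge 4)
}

# Usage: print the holders, then the two prerequisite checks.
Get-ReplicationRightHolders | Format-Table -AutoSize
"Running on a DC:                    $(Test-IsDomainController)"
"Token holds Repl. Dir. Changes All: $(Test-CurrentUserHasReplicationRight)"
```

If both checks return `True` and the cmdlet still fails with the `DrsConnection.Bind` access-denied shown above, the ACL on the domain head is not the problem, which is the conclusion ryannewington reaches: the denial is happening at the RPC bind to the DRS endpoint, so the next place to look is whatever sits between the client and that endpoint on the DC itself (endpoint mapper restrictions, security software hooking RPC, or a hardened RPC policy).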

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.