phillips321 / adaudit

Powershell script to do domain auditing automation
https://www.phillips321.co.uk

Get-Acl : The object name has bad syntax #16

Closed licorsec closed 2 weeks ago

licorsec commented 3 years ago

I was getting a "Get-Acl : The object name has bad syntax" when the Get-OUPerms function was running. According to this reddit post, it's a known issue. I simply changed Get-Acl AD:$object to Get-Acl "Microsoft.ActiveDirectory.Management.dll\ActiveDirectory:://RootDSE/$object" and everything seems to be working again. By the way, thanks for taking the time to create and share this script. It pulls all the good stuff I would care about and saved me many hours by not having to put something together myself.

Cool34000 commented 2 years ago

Thanks, it worked for me too

Cool34000 commented 2 years ago

Update AdAudit.ps1 #20

Cool34000 commented 2 years ago

Can be closed as per #20

superswan commented 8 months ago

I am having a similar issue with Find-DangerousACLPermissions on Server 2012 R2

Modifying the function to use the old syntax no longer produces an error but I'm not able to confirm whether it's working properly at this time.

$acl = (Get-Acl AD:$computer).Access (using $object.DistinguishedName) produces a type error.

    #Specify the ACLs and Groups to check against
    $dangerousAces = @('GenericAll', 'GenericWrite', 'ForceChangePassword', 'WriteDacl', 'WriteOwner', 'Delete')
    $groupsToCheck = @('NT AUTHORITY\Authenticated Users', 'DOMAIN\Domain Users', 'Everyone')

    # Find dangerous permissions on Computers
    $computers = Get-ADObject -Filter { objectClass -eq 'computer' -and objectCategory -eq 'computer' } -Properties *
    $computerResults = foreach ($computer in $computers) {
        try {
            #$acl = Get-Acl -Path "Microsoft.ActiveDirectory.Management.dll\ActiveDirectory:://RootDSE/$($computer.DistinguishedName)"
            # Keep the whole security descriptor; its .Access member is read below.
            # -ErrorAction Stop turns Get-Acl's non-terminating errors into ones the catch block sees.
            $acl = Get-Acl AD:$computer -ErrorAction Stop
        }
        catch {
            Write-Warning "Could not retrieve ACL for computer '$computer': $_"
            continue
        }

        $dangerousRules = $acl.Access | Where-Object { $_.ActiveDirectoryRights -in $dangerousAces -and $_.IdentityReference -in $groupsToCheck }

        if ($dangerousRules) {
            foreach ($rule in $dangerousRules) {
                [PSCustomObject]@{
                    ObjectType            = 'Computer'
                    ObjectName            = $computer
                    IdentityReference     = $rule.IdentityReference
                    AccessControlType     = $rule.AccessControlType
                    ActiveDirectoryRights = $rule.ActiveDirectoryRights
                }
            }
        }
        Write-Progress -Activity "Searching for dangerous ACL permissions on computers" -Status "Computers searched: $($computers.IndexOf($computer) + 1)/$($computers.Count)" -PercentComplete (($computers.IndexOf($computer) + 1) / $computers.Count * 100)
    }

    # Find dangerous permissions on groups
    $groups = Get-ADObject -Filter { objectClass -eq 'group' -and objectCategory -eq 'group' } -Properties *
    $groupResults = foreach ($group in $groups) {
        try {
            #$acl = Get-Acl -Path "Microsoft.ActiveDirectory.Management.dll\ActiveDirectory:://RootDSE/$($group.DistinguishedName)"
            # Keep the whole security descriptor; its .Access member is read below.
            $acl = Get-Acl AD:$group -ErrorAction Stop
        }
        catch {
            Write-Warning "Could not retrieve ACL for group '$group': $_"
            continue
        }

        $dangerousRules = $acl.Access | Where-Object { $_.ActiveDirectoryRights -in $dangerousAces -and $_.IdentityReference -in $groupsToCheck }

        if ($dangerousRules) {
            foreach ($rule in $dangerousRules) {
                [PSCustomObject]@{
                    ObjectType            = 'Group'
                    ObjectName            = $group
                    IdentityReference     = $rule.IdentityReference
                    AccessControlType     = $rule.AccessControlType
                    ActiveDirectoryRights = $rule.ActiveDirectoryRights
                }
            }
        }
        Write-Progress -Activity "Searching for dangerous ACL permissions on groups" -Status "Groups searched: $($groups.IndexOf($group) + 1)/$($groups.Count)" -PercentComplete (($groups.IndexOf($group) + 1) / $groups.Count * 100)
    }
    # Find dangerous permissions on users
    $users = Get-ADObject -Filter { objectClass -eq 'user' -and objectCategory -eq 'person' } -Properties *

    $userResults = foreach ($user in $users) {
        try {
            #$acl = Get-Acl -Path "Microsoft.ActiveDirectory.Management.dll\ActiveDirectory:://RootDSE/$($user.DistinguishedName)"
            # Same pattern as the computer and group loops: keep the descriptor, make errors catchable.
            $acl = Get-Acl AD:$user -ErrorAction Stop
        }
        catch {
            Write-Warning "Could not retrieve ACL for user '$user': $_"
            continue
        }

        $dangerousRules = $acl.Access | Where-Object { $_.ActiveDirectoryRights -in $dangerousAces -and $_.IdentityReference -in $groupsToCheck }

        if ($dangerousRules) {
            foreach ($rule in $dangerousRules) {
                [PSCustomObject]@{
                    ObjectType            = 'User'
                    ObjectName            = $user
                    IdentityReference     = $rule.IdentityReference
                    AccessControlType     = $rule.AccessControlType
                    ActiveDirectoryRights = $rule.ActiveDirectoryRights
                }
            }
        }
        Write-Progress -Activity "Searching for dangerous ACL permissions on users" -Status "Users searched: $($users.IndexOf($user) + 1)/$($users.Count)" -PercentComplete (($users.IndexOf($user) + 1) / $users.Count * 100)
    }

    # Output results
    if ($computerResults) {
        $computerResults | ConvertTo-Html -Property @{ Label = "Type"; Expression = { "Computer" } }, @{ Label = "Computer Name"; Expression = { $_.ObjectName } }, @{ Label = "Allowed Group"; Expression = { $_.IdentityReference } }, AccessControlType, ActiveDirectoryRights | Out-File -Encoding UTF8 $outputdir\dangerousACLs.html -Append
        $computerResults | Format-Table -AutoSize -Property ObjectType, ObjectName, IdentityReference, AccessControlType | Out-File $outputdir\dangerousACL_Computer.txt -Encoding UTF8
        Write-Both "    [!] Issue identified, vulnerable ACL on Computer, see $outputdir\dangerousACL_Computer.txt"
        Write-Nessus-Finding "Weak Computer Permissions" "KB551" ([System.IO.File]::ReadAllText("$outputdir\dangerousACL_Computer.txt"))
    }
    else {
        Write-Host "    [+] No dangerous ACL permissions were found on any computer."
    }

    if ($groupResults) {
        $groupResults | ConvertTo-Html -Property @{ Label = "Type"; Expression = { "Group" } }, @{ Label = "Group Name"; Expression = { $_.ObjectName } }, @{ Label = "Allowed Group"; Expression = { $_.IdentityReference } }, AccessControlType, ActiveDirectoryRights | Out-File -Encoding UTF8 $outputdir\dangerousACLs.html -Append
        $groupResults | Format-Table -AutoSize -Property ObjectType, ObjectName, IdentityReference, AccessControlType, ActiveDirectoryRights | Out-File $outputdir\dangerousACL_Groups.txt
        Write-Both "    [!] Issue identified, vulnerable ACL on Group, see $outputdir\dangerousACL_Groups.txt"
        Write-Nessus-Finding "Weak Group Permissions" "KB551" ([System.IO.File]::ReadAllText("$outputdir\dangerousACL_Groups.txt"))
    }
    else {
        Write-Host "    [+] No dangerous ACL permissions were found on any group."
    }
    if ($userResults) {
        $userResults | ConvertTo-Html -Property @{ Label = "Type"; Expression = { "User" } }, @{ Label = "User"; Expression = { $_.ObjectName } }, @{ Label = "Allowed Group"; Expression = { $_.IdentityReference } }, AccessControlType, ActiveDirectoryRights | Out-File -Encoding UTF8 $outputdir\dangerousACLs.html -Append
        $userResults | Format-Table -AutoSize -Property ObjectType, ObjectName, IdentityReference, AccessControlType, ActiveDirectoryRights | Out-File $outputdir\dangerousACLUsers.txt
        Write-Both "    [!] Issue identified, vulnerable ACL on User, see $outputdir\dangerousACLUsers.txt"
        Write-Nessus-Finding "Weak User Permissions" "KB551" ([System.IO.File]::ReadAllText("$outputdir\dangerousACLUsers.txt"))
    }
    else {
        Write-Host "    [+] No dangerous ACL permissions were found on any user."
    }


thehodown commented 2 weeks ago

I've found that the 'old' syntax works on 2016 DCs, but produces errors on some objects (for example, with a \ in the distinguished name). I've therefore added this if statement where Get-Acl is run; it'll probably need to be updated to include support for Server 2025:

    if ($OSVersion -like "Windows Server 2019*" -or $OSVersion -like "Windows Server 2022*") {
        $acl = Get-Acl -Path "Microsoft.ActiveDirectory.Management.dll\ActiveDirectory:://RootDSE/$($group.DistinguishedName)"
    } else {
        $acl = Get-Acl AD:\$group
    }

Have done this for $group, $user and $computer where Get-Acl is called.

It'll still error on some objects with specific characters in their name when run on 2016 systems, but this seems to be the best overall option for compatibility.
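One way to combine the two Get-Acl syntaxes from this thread (the `AD:` path and the RootDSE path from the first comment) without branching on the DC's OS version is to try one and fall back to the other per object. This is an added example, not code from the adaudit repository; `Get-ADObjectAcl` and `Find-DangerousAces` are names chosen here, and `DOMAIN` in the principal list is a placeholder as in the snippet above.

```powershell
# Added example (not adaudit's own code). Assumes the ActiveDirectory module is
# loaded, so the AD: drive exists. Tries the AD: path first and falls back to the
# RootDSE syntax from the thread when that fails for a given object.
function Get-ADObjectAcl {
    param([Parameter(Mandatory)]$ADObject)
    $dn = $ADObject.DistinguishedName
    try {
        return Get-Acl -Path "AD:\$dn" -ErrorAction Stop
    } catch {
        Write-Verbose "AD: path failed for '$dn', trying RootDSE syntax: $($_.Exception.Message)"
    }
    try {
        return Get-Acl -Path "Microsoft.ActiveDirectory.Management.dll\ActiveDirectory:://RootDSE/$dn" -ErrorAction Stop
    } catch {
        Write-Warning "Could not retrieve ACL for '$dn': $($_.Exception.Message)"
        return $null
    }
}

# Same rights and principal lists as the snippet above ('DOMAIN' is a placeholder).
# Note: ForceChangePassword is an ExtendedRight identified by an object GUID, not an
# ActiveDirectoryRights value, so a match on the rights string alone will not find it.
$dangerousAces = @('GenericAll', 'GenericWrite', 'ForceChangePassword', 'WriteDacl', 'WriteOwner', 'Delete')
$groupsToCheck = @('NT AUTHORITY\Authenticated Users', 'DOMAIN\Domain Users', 'Everyone')

function Find-DangerousAces {
    param([Parameter(Mandatory)]$ADObject, [string]$ObjectType)
    $acl = Get-ADObjectAcl -ADObject $ADObject
    if (-not $acl) { return }
    # $acl is the security descriptor; .Access holds the ACEs (no second .Access needed).
    foreach ($rule in $acl.Access) {
        # ActiveDirectoryRights is a flags enum; split "CreateChild, GenericWrite" into parts
        # so a dangerous right combined with harmless ones is still matched.
        $rights = $rule.ActiveDirectoryRights.ToString() -split ',\s*'
        $hit = $rights | Where-Object { $_ -in $dangerousAces }
        if ($hit -and $rule.AccessControlType -eq 'Allow' -and "$($rule.IdentityReference)" -in $groupsToCheck) {
            [PSCustomObject]@{
                ObjectType            = $ObjectType
                ObjectName            = $ADObject.DistinguishedName
                IdentityReference     = $rule.IdentityReference
                ActiveDirectoryRights = $rule.ActiveDirectoryRights
            }
        }
    }
}

# Usage: users only, with the same filter as the thread's user loop.
Get-ADObject -Filter { objectClass -eq 'user' -and objectCategory -eq 'person' } |
    ForEach-Object { Find-DangerousAces -ADObject $_ -ObjectType 'User' }
```

Only Allow ACEs are reported; Deny entries on the same object would otherwise show up as findings.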

phillips321 commented 2 weeks ago

@thehodown you think this is fixed and we can close the issue?