2

I'm trying to find database size of DC which is located in NTDS service. My script is:

$Computer = "abe.com"
$Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)     

$RegKey=$Reg.OpenSubKey("SYSTEM\\CurrentControlSet\\services\\NTDS\\Parameters" 
$NTDSPath = $Regkey.GetValue("DSA Database file") 
$NTDSREMOTEPath =  "\\$computer\$NTDSPath" -replace ":","$" 
$NTDSREMOTEPath = Get-item $NTDSREMOTEPath | Select-Object -ExpandProperty Length 

($NTDSREMOTEPath /1GB).ToString("0.000"+" GB")

After running this I got an error:

Exception calling "OpenSubKey" with "1" argument(s): "Requested registry access is not allowed."
At C:\Users\Documents\HealthCheck\hardwareMonitoring.ps1:40 char:1
+ $RegKey= $Reg.OpenSubKey("SYSTEM\\CurrentControlSet\\services\\NTDS\\Parameters" ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : SecurityException

You cannot call a method on a null-valued expression.
At C:\Users\Documents\HealthCheck\hardwareMonitoring.ps1:41 char:1
+ $NTDSPath = $Regkey.GetValue("DSA Database file")
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

Get-item : Cannot find path '\\abc.com\' because it does not exist.
At C:\Users\Documents\HealthCheck\hardwareMonitoring.ps1:43 char:19
+ $NTDSREMOTEPath = Get-item $NTDSREMOTEPath | Select-Object -ExpandProperty Lengt ...
+                   ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (\\abc.com\:String) [Get-Item], ItemNotFoundE 
   xception
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemCommand

I realized that my account does not have enough permission to query this path from regedit SYSTEM\\CurrentControlSet\\services\\NTDS\\Parameters.

I decided to login into "abc.com" and added my account with full control and read rights. What I have done was, right click on Parameter choose permissions and add my account in.

I came back to run the script again. I got the same error!

It works with Admin account by the way. I want to execute the query without using a domain admin account.

What's the reason in this case? Thank you so much!

Ender
  • 614
  • 3
  • 9
  • 14
  • @jscott I was really doubtful for this. What can I do more? :( – Ender Nov 20 '17 at 15:02
  • "*It works with Admin account by the way. But I'm trying to mitigate the risk as much as possible.*" Mitigate the risk of what? – Todd Wilcox Nov 20 '17 at 15:12
  • @ToddWilcox I don't wanna run the script with Admin account. It can be abused easily and for some other reasons it's better to run with regular user. – Ender Nov 20 '17 at 15:13
  • Are you trying to run the script one time to get the information or are you trying to schedule the script and/or save the credentials somewhere? If you're just running it one time, then there's no reason to worry about what will happen with admin credentials unless you have a multiple personality disorder. – Todd Wilcox Nov 20 '17 at 15:15
  • I'm trying to schedule the script btw @ToddWilcox – Ender Nov 20 '17 at 15:19
  • 1
    It might be a lot clearer if you explain in your question that what you're really looking for are the minimum privileges and permissions required by an account to execute this query, so you can set up an account with minimum access necessary to be used for a scheduled task. It's not that you can't execute the query at all, it's that you want to know how to execute the query without using a domain admin account. – Todd Wilcox Nov 20 '17 at 15:21
  • 1
    @ToddWilcox , Tks for pointing it out, I have editted :) – Ender Nov 20 '17 at 15:24
  • 1
    This seems unnecessary. It would be far simpler to specify a variable with the path, that could be changed if necessary. The number of organizations with an AD database in a non-default location are actually very small, and most likely have the same path on all domain controllers. – Greg Askew Nov 20 '17 at 15:53

1 Answers1

2

Step 1.

Assigning Permissions to a Registry Key

  1. Click the key that you want to assign permissions.
  2. On the Edit menu, click Permissions.
  3. Click the group or user name that you want to work with.
  4. Assign one of the following access levels to the key: Select the Allow check box for

Read to give permission to read the key contents, but not save any changes. Select the Allow check box for Full Control to give permission to open, edit, and take ownership of the key.

  1. To grant special permission in the key, click Advanced, and then double-click the user or group that you want to assign special access. Under Permissions, select the Allow or the Deny check box for each permission you want to allow or deny.

Step 2.

Windows Server 2003 Domain Controller

  1. Open the Group Policy editor
  2. Navigate to, Local Computer Policy > Computer Configuration > Policies > Windows Settings > Security Settings > System Services
  3. In the right hand pane locate Remote Registry
  4. Define the policy, and set the Startup type to Automatic
  5. eboot the clients to apply the policy

Windows Server 2008 or newer Domain Controller

  1. Open the Group Policy editor
  2. Expand Computer Configuration > Policies > Windows Settings > Security Settings > System Services
  3. Find the Remote Registry item and change the Service startup mode to Automatic
  4. Reboot the clients to apply the policy

Step 3.

Open Local Group Policy Editor Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Properties of Network access: Remotely accessible registry paths and sub-paths -> at Local Policies Setting tab add your Registry sub-paths that you wish to query

For example: System\CurrentControlSet\Control\ContentIndex

Ender
  • 614
  • 3
  • 9
  • 14