
Can someone please help me with the following

I am trying to do something very similar to this post

Powershell: How do you set the Read/Write Service Principal Name AD Permissions?

Basically I do not need to set/change rights but rather read rights

On a Computer object in AD (Active Directory) you 'Allow' a User, Group or Computer object (either the same computer or another computer object) the 'Write' right to the following property/attribute of the computer object

Validated write to service principal name and write service principal name

So let's say on Computer object Server01 the user Domain\Fred is 'Allowed' to "Validated write to service principal name" and also 'Allowed' the "write service principal name"

And Paul, John and Susan all have the same rights as Fred

Now let's say I have 500 computers in the AD Domain with a combination of the above rights

I want to get the computer objects (I know how to do this with PowerShell or ADSI, .NET)

Then I want to list out who has the above rights to these computer objects (and that is the bit I am stuck on): how to list out the rights (rather than checking each user, group and computer one at a time to see if they have these rights or not) to see who can set these SPN related values for the computers in my domain.

Thanks very much in advance

user7340057

1 Answer


To figure out which access control entries (ACEs) grant the rights you're talking about, first you need to know the ObjectType GUIDs to be on the lookout for. The servicePrincipalName property has a GUID of f3a64788-5306-11d1-a9c5-0000f80367c1. Validated writes share their property's GUID, so we're still just looking for the one. Since the SPN is a member of the 'Public Information' property set, you'll need to note its GUID, too: e48d0154-bcf8-11d1-8702-00c04fb96050

So, you're looking for ACEs that meet one of the following conditions:

  • AccessMask of WriteProperty and either no ObjectType or an empty GUID object type since that would mean the ACE grants the ability to write all properties and property sets
  • AccessMask of WriteProperty and an ObjectType GUID of f3a64788-5306-11d1-a9c5-0000f80367c1
  • AccessMask of WriteProperty and an ObjectType GUID of e48d0154-bcf8-11d1-8702-00c04fb96050
  • AccessMask of Self (which means validated write) and an ObjectType GUID of f3a64788-5306-11d1-a9c5-0000f80367c1

Also, 'GenericWrite' can be used instead of WriteProperty above. Maybe something like this in PowerShell:

# Requires the RSAT ActiveDirectory module for Get-ADComputer
Import-Module ActiveDirectory

# ObjectType GUIDs that scope an SPN write: the attribute itself and the property set it belongs to
$ServicePrincipalNameProperty = [guid] 'f3a64788-5306-11d1-a9c5-0000f80367c1'
$PublicInformationPropertySet = [guid] 'e48d0154-bcf8-11d1-8702-00c04fb96050'

# Rights that can write the attribute (Self is the validated-write right)
$ValidatedWrite = [System.DirectoryServices.ActiveDirectoryRights]::Self
$WriteProperty = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$GenericWrite = [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite

# Replace ComputerName with the computer to inspect (or use -Filter for several)
Get-ADComputer ComputerName -Properties ntSecurityDescriptor | ForEach-Object {
    $SD = $_.ntSecurityDescriptor

    $SD.Access | Where-Object {
        # Look for the access rights that would grant write capabilities
        ($_.ActiveDirectoryRights -band $ValidatedWrite) -eq $ValidatedWrite -or
        ($_.ActiveDirectoryRights -band $WriteProperty) -eq $WriteProperty -or
        ($_.ActiveDirectoryRights -band $GenericWrite) -eq $GenericWrite
    } | Where-Object ObjectType -in $null, ([guid]::Empty), $ServicePrincipalNameProperty, $PublicInformationPropertySet
    # An ACE with an empty ObjectType applies to every property, so it is kept too
}

I think that would work to show you the ACEs you're interested in. If you only care about the IdentityReference, you could pull that out and throw the rest away. If you change the Get-ADComputer call to use -Filter, this should work for more than one machine (You could use Add-Member to add the samAccountName to each ACE so you could tell them apart).

One more thing: this doesn't take inheritance and propagation flags or InheritedObjectTypes into account, so you might see some ACEs that wouldn't technically grant the rights you're looking for...

Rohn Edwards
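The following is an added example, not the answer's own code, that applies the ACE conditions above across every computer in the domain and also handles the propagation caveat at the end of the answer: ACEs flagged InheritOnly sit on an object for its children only and grant nothing on the computer itself, so they are skipped. It assumes the ActiveDirectory module and read access to ntSecurityDescriptor; the function name Get-SpnWriteAce is mine.

```powershell
# Added example: report every ACE that is effective on a computer object and can write its SPN.
Import-Module ActiveDirectory

$SpnProperty   = [guid] 'f3a64788-5306-11d1-a9c5-0000f80367c1'   # servicePrincipalName
$PublicInfoSet = [guid] 'e48d0154-bcf8-11d1-8702-00c04fb96050'   # Public Information property set
$InheritOnly   = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$Self          = [int][System.DirectoryServices.ActiveDirectoryRights]::Self           # validated write
$WriteProp     = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
# GenericWrite already contains the WriteProperty and Self bits, so testing those bits covers it too.

# ObjectType GUIDs that scope an SPN write and which rights each one can carry.
# A property set does not scope validated writes, so only WriteProperty counts there.
$Scope = @{}
$Scope[[guid]::Empty]  = @{ Name = 'all properties';         Rights = $WriteProp -bor $Self }
$Scope[$SpnProperty]   = @{ Name = 'servicePrincipalName';   Rights = $WriteProp -bor $Self }
$Scope[$PublicInfoSet] = @{ Name = 'Public Information set'; Rights = $WriteProp }

function Get-SpnWriteAce {
    param([string] $SearchBase = (Get-ADDomain).DistinguishedName)

    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties ntSecurityDescriptor |
      ForEach-Object {
        $computer = $_
        foreach ($ace in $computer.ntSecurityDescriptor.Access) {
            # InheritOnly ACEs are carried for child objects and grant nothing on this computer.
            if (([int]$ace.PropagationFlags -band $InheritOnly) -ne 0) { continue }
            $entry = $Scope[$ace.ObjectType]
            if (-not $entry) { continue }                      # some other attribute or right
            $granted = [int]$ace.ActiveDirectoryRights -band $entry.Rights
            if ($granted -eq 0) { continue }                   # no write-capable bit for this scope
            $kind = if (($granted -band $Self) -ne 0) { 'validated write' } else { 'write' }
            [pscustomobject]@{
                Computer    = $computer.SamAccountName
                Identity    = $ace.IdentityReference.Value
                Type        = $ace.AccessControlType           # a Deny entry overrides an Allow
                Right       = $kind
                Scope       = $entry.Name
                IsInherited = $ace.IsInherited
            }
        }
      }
}

# Usage: Get-SpnWriteAce | Sort-Object Computer, Identity | Format-Table -AutoSize
```

Deny entries are reported alongside Allow entries rather than resolved, so check both before concluding that an identity can actually set the SPN.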