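function Find-InterestingRemoteAcl {
    <#
    .SYNOPSIS
    Audits a remote Active Directory domain for write-equivalent ACEs granted to
    ordinary (non-protected) users and computers.

    .DESCRIPTION
    Builds an LDAP filter selecting user and computer objects that are not members
    of an adminCount=1 group, are not domain controller computer objects and are not
    krbtgt; collects the groups Get-ADPrincipalGroupMembership reports for each of
    them; then walks every naming context once and reports the ACEs on any object
    whose AccessControlType is Allow and whose rights are GenericAll, *Write*,
    *Create*, *Force-Change-Password* or Enroll for one of those principals or
    groups. Such ACEs are the usual candidates for unintended delegation and
    should be reviewed by the domain owners.

    .PARAMETER Credential
    Credential passed to every AD cmdlet and to the temporary PSDrive
    (PasswordAuth parameter set).

    .PARAMETER ComputerName
    Domain controller to query.

    .PARAMETER PTT
    Use the caller's existing security context instead of -Credential
    (PassTheTicket parameter set).

    .OUTPUTS
    Formatted list (Format-List) of matching access rules, each tagged with the
    PSChildName of the object the ACE sits on.

    .NOTES
    Maps a global PSDrive named after the domain's NetBIOS name for the duration of
    the scan; it is removed in a finally block even when enumeration fails.
    Identity matching is done on "DOM\sAMAccountName" because that is the form
    IdentityReference takes; an ADObject's default string form is its
    distinguished name and would never match.
    #>
    [CmdletBinding(DefaultParameterSetName = "PasswordAuth")]
    param(
        [Parameter(ParameterSetName = "PasswordAuth", Mandatory = $true)]
        [System.Management.Automation.PSCredential]$Credential,
        [Parameter(Mandatory = $true)]
        [string]$ComputerName,
        [Parameter(ParameterSetName = "PassTheTicket")]
        [switch]$PTT
    )

    # Escape a value for use inside an LDAP filter (RFC 4515). Distinguished names
    # may legally contain '(' ')' '*' and '\', which would otherwise corrupt the
    # query built below. Backslash is replaced first so later escapes are not
    # double-escaped.
    function Get-LdapFilterValue([string]$Value) {
        return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
    }

    # One splat shared by every AD cmdlet and by New-PSDrive. -Credential is only
    # added outside the PassTheTicket set, so both authentication modes share a
    # single code path instead of two duplicated branches.
    $adArgs = @{ Server = $ComputerName }
    if (-not $PTT) { $adArgs['Credential'] = $Credential }

    $dom = (Get-ADDomain @adArgs).NetBIOSName

    # Candidate principals: users and computers that are not protected by
    # AdminSDHolder (adminCount=1 group members), not domain controllers and not
    # krbtgt -- rights held by those accounts are expected and would only add noise.
    $clauses = @('(|(objectClass=user)(objectClass=computer))')
    foreach ($protected in (Get-ADGroup -LDAPFilter '(adminCount=1)' @adArgs)) {
        # Get-ADGroup already returns DistinguishedName; no second lookup needed.
        $clauses += "(!(memberOf=$(Get-LdapFilterValue $protected.DistinguishedName)))"
    }
    foreach ($dc in (Get-ADDomainController -Filter * @adArgs)) {
        $clauses += "(!(distinguishedName=$(Get-LdapFilterValue $dc.ComputerObjectDN)))"
    }
    $clauses += '(!(sAMAccountName=krbtgt))'
    $ldapFilter = '(&' + ($clauses -join '') + ')'

    # Set of IdentityReference strings ("DOM\sAMAccountName") to report on: each
    # candidate itself plus every group it belongs to. Hashtable keys are
    # case-insensitive, which matches how NT account names compare.
    $watch = @{}
    $candidates = Get-ADObject -LDAPFilter $ldapFilter -Properties MemberOf, sAMAccountName @adArgs
    foreach ($principal in $candidates) {
        $watch["$dom\$($principal.sAMAccountName)"] = $true
        foreach ($group in (Get-ADPrincipalGroupMembership -Identity $principal @adArgs)) {
            # Several candidates may share a group; each matching ACE is reported once.
            $watch["$dom\$($group.SamAccountName)"] = $true
        }
    }
    if ($watch.Count -eq 0) {
        Write-Verbose "No candidate principals matched filter $ldapFilter"
        return
    }

    # The drive object New-PSDrive emits is discarded so it does not pollute the
    # function's output.
    New-PSDrive -Name $dom -PSProvider ActiveDirectory -Root "//RootDSE/" -Scope Global @adArgs | Out-Null
    try {
        # Walk every naming context exactly once and read each object's ACL once;
        # the previous implementation re-walked the whole tree and re-read every
        # ACL for each candidate x group x naming-context combination.
        (Get-ADRootDSE @adArgs).NamingContexts | ForEach-Object {
            $nc = $_
            Get-ChildItem -Path "${dom}:\$nc" -Recurse -Force | ForEach-Object {
                Get-Acl -Path "${dom}:\$($_.DistinguishedName)" |
                    Select-Object PSChildName -ExpandProperty Access |
                    Where-Object {
                        $watch.ContainsKey([string]$_.IdentityReference) -and
                        $_.AccessControlType -eq "Allow" -and
                        ($_.ActiveDirectoryRights -eq "GenericAll" -or
                         $_.ActiveDirectoryRights -like "*Write*" -or
                         $_.ActiveDirectoryRights -like "*Create*" -or
                         $_.ActiveDirectoryRights -like '*Force-Change-Password*' -or
                         $_.ActiveDirectoryRights -eq "Enroll")
                    }
            }
        } | Format-List
    }
    finally {
        # Best-effort cleanup of the global drive; a failure here must not mask an
        # error raised during enumeration.
        Remove-PSDrive -Name $dom -Scope Global -ErrorAction SilentlyContinue
    }
}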