From a4a3ae549251275d9fa282bb32f66a2915491fde Mon Sep 17 00:00:00 2001
From: HarmJ0y
Date: Sun, 17 Sep 2017 12:03:22 -0700
Subject: Fixed New-ADObjectAccessControlEntry so -PrincipalIdentity now accepts built-in sids.
---
Recon/PowerView.ps1 | 39 +++++++++++++++++++++++----------------
1 file changed, 23 insertions(+), 16 deletions(-)
(limited to 'Recon')
diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1
index 89557ee..a9146fa 100755
--- a/Recon/PowerView.ps1
+++ b/Recon/PowerView.ps1
@@ -7679,22 +7679,29 @@ System.Security.AccessControl.AuthorizationRule
 )
 Begin {
- $PrincipalSearcherArguments = @{
- 'Identity' = $PrincipalIdentity
- 'Properties' = 'distinguishedname,objectsid'
+ if ($PrincipalIdentity -notmatch '^S-1-.*') {
+ $PrincipalSearcherArguments = @{
+ 'Identity' = $PrincipalIdentity
+ 'Properties' = 'distinguishedname,objectsid'
+ }
+ if ($PSBoundParameters['PrincipalDomain']) { $PrincipalSearcherArguments['Domain'] = $PrincipalDomain }
+ if ($PSBoundParameters['Server']) { $PrincipalSearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $PrincipalSearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $PrincipalSearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $PrincipalSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $PrincipalSearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $PrincipalSearcherArguments['Credential'] = $Credential }
+ $Principal = Get-DomainObject @PrincipalSearcherArguments
+ if (-not $Principal) {
+ throw "Unable to resolve principal: $PrincipalIdentity"
+ }
+ elseif($Principal.Count -gt 1) {
+ throw "PrincipalIdentity matches multiple AD objects, but only one is allowed"
+ }
+ $ObjectSid = $Principal.objectsid
 }
- if ($PSBoundParameters['PrincipalDomain']) { $PrincipalSearcherArguments['Domain'] = $PrincipalDomain }
- if ($PSBoundParameters['Server']) { $PrincipalSearcherArguments['Server'] = $Server }
- if ($PSBoundParameters['SearchScope']) { $PrincipalSearcherArguments['SearchScope'] = $SearchScope }
- if ($PSBoundParameters['ResultPageSize']) { $PrincipalSearcherArguments['ResultPageSize'] = $ResultPageSize }
- if ($PSBoundParameters['ServerTimeLimit']) { $PrincipalSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
- if ($PSBoundParameters['Tombstone']) { $PrincipalSearcherArguments['Tombstone'] = $Tombstone }
- if ($PSBoundParameters['Credential']) { $PrincipalSearcherArguments['Credential'] = $Credential }
- $Principal = Get-DomainObject @PrincipalSearcherArguments
- if (-not $Principal) {
- throw "Unable to resolve principal: $PrincipalIdentity"
- } elseif($Principal.Count -gt 1) {
- throw "PrincipalIdentity matches multiple AD objects, but only one is allowed"
+ else {
+ $ObjectSid = $PrincipalIdentity
 }
 $ADRight = 0
@@ -7703,7 +7710,7 @@ System.Security.AccessControl.AuthorizationRule
 }
 $ADRight = [System.DirectoryServices.ActiveDirectoryRights]$ADRight
- $Identity = [System.Security.Principal.IdentityReference] ([System.Security.Principal.SecurityIdentifier]$Principal.objectsid)
+ $Identity = [System.Security.Principal.IdentityReference] ([System.Security.Principal.SecurityIdentifier]$ObjectSid)
 }
 Process {
-- cgit v1.2.3
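Review bot: The test `$PrincipalIdentity -notmatch '^S-1-.*'` at the top of the Begin block sends any value that merely starts with `S-1-` (the match is case-insensitive) into the new `else` branch, so an account name with that prefix or a truncated SID skips Get-DomainObject and is never checked. Letting the SID parser decide is stricter, e.g. `if (-not ($PrincipalIdentity -as [System.Security.Principal.SecurityIdentifier])) {`, so only well-formed SID strings bypass the lookup. The commit subject names built-in SIDs as the goal, yet domain SIDs (`S-1-5-21-…`) now bypass the directory as well, so a mistyped RID would end up in an ACE for a principal that may not exist; if Get-DomainObject resolved such SIDs before (not visible in this hunk), keeping the lookup for that prefix preserves the existence check. The enclosing function starts above the hunk.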
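Review bot: On the SID-string path the cast `[System.Security.Principal.SecurityIdentifier]$ObjectSid` is now the only validation of caller input, and a malformed value fails there with a generic conversion error instead of the `Unable to resolve principal` message used on the lookup path. Wrapping the cast keeps the failure mode consistent: `try { $Sid = [System.Security.Principal.SecurityIdentifier]$ObjectSid } catch { throw "Unable to resolve principal: $PrincipalIdentity" }`, then build `$Identity` from `$Sid`. A short comment such as `# $ObjectSid is either the looked-up objectsid or the caller-supplied SID string` would also tell the next reader that the value is not always directory-verified. The Begin block this line closes starts in the previous hunk.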